What QA & security steps to take before launching web app?


2

I've seen plenty of questions dealing with beta testing, marketing, market research and so on.

My question is which practical quality assurance and security steps should a web app or service make sure they have ready when launching to real people?

Suggestions:

  • double-checking against SQL injections
  • user password recovery
  • double checking file & folder permissions
  • 404 pages

Even in a private beta, what things should absolutely be a part of a launch?

Launch Product Launch Security QA

asked Jun 19 '11 at 22:53
Blank
Joe
121 points

2 Answers


1

Even if you are in private beta, your server can be reached by the public. That means you'll experience occasional lightweight attacks by bots. If you have information that is valuable there is a much greater chance of large attacks on your server(s) and that will require additional hardening. For now I would recommend the following.

  1. Be sure to get an SSL certificate and only allow https traffic.
  2. Familiarize yourself with the Open Web Application Security Projects Top 10 Risks
  3. Get some free open source applications to scan your server. The exact applications depends on the technology your server is running (Apache vs IIS, MySql vs Sql Server, etc). In general though I would recommend a Sql Injection specific tester like sqlmap, and a fuzzer like Wapati
  4. Double check all accounts for all services on your server. If you run FTP, bots will attempt to login with standard names and passwords. Lock down all unnecessary accounts and shut off all unnecessary software (like don't run a print spooler if the server is not a print server), this is called reducing your "Surface Area" so there is less to attack.
answered Jun 20 '11 at 04:28
Blank
Justin C
838 points

0

That is more of a technical question, I suggest you ask it on Stack Overflow.

answered Jun 21 '11 at 00:10
Blank
Rafferty Pendery
466 points
  • actually I think from a high level it is appropriate here. In-depth security is covered at security.stackexchange.com, but this is too high level for that. An answer of StackOverflow would be programmer related. Here the question can be high level technical info for entrepreneurs. – Justin C 8 years ago
  • I don't see it the same way. I'm not a moderator, so it doesn't really matter. I would just suggest you look at the two FAQs. I think you can make a judgement as to which one is more appropriate. http://answers.onstartups.com/faq and http://security.stackexchange.com/faq. I mostly mentioned it so he could get an answer that would contribute to the community as a whole. – Rafferty Pendery 8 years ago

Your Answer

  • Bold
  • Italic
  • • Bullets
  • 1. Numbers
  • Quote
Not the answer you're looking for? Ask your own question or browse other questions in these topics:

Launch Product Launch Security QA