We know that all websites should use ironclad security against user input, whatever the type of website; even just an online catalog should have some level of security. We also know that anybody could pick your website to hack at any given moment.
The question is: Do you think it's advisable to put your website up, especially for hackers, to 'try it with all they've got'? Or will it really mess things up so badly that they can't be recovered?
Reasons:
1- Test your website security
2- You'll know which security mistakes not to repeat
3- Your website can gain strength by closing up the security holes
This may sound like a silly idea, but I think it could improve beginners' understanding of website security and exactly how little a hacker needs to actually mess up your system.
My brother is into networking/hacking and things, and he's going to try hacking one of my best projects with full force. I'm a little unsure about it...
Yes, in general it's a great idea, but here are some important considerations:
Keep your site running
Ideally you don't want to do it on your production infrastructure. Have him use a non-production instance of your site (either hosted online, or locally on his computer).
If he's testing on your production site (live) your site may go down.
Keep your data safe
Testing database injections (or other attacks) can potentially harm your data. Again, you don't want to be running the tests on production infrastructure. The best scenario is to work locally.
Black-box or white-box
He'll have a better chance of finding issues if he has access to the code (white-box). If possible, give him access so that he can find issues.
Yes, have people hack your site. But don't let it get in the way of your users and don't let it cause permanent damage.
You can't guarantee that people who aren't your friends aren't already giving it all they've got... so I say yes, test it fully!
In general, testing the security is a good idea. However, I strongly discourage putting your website on some hacking forum. You never know whether they'll tell you everything they find, or whether they'll just pull all your valuable data and not tell you anything, and so on. Also, they usually want an incentive to actually do that for you, too...
The best course of action is to use trusted connections, like your brother, but also do risk management. What kind of controls are in place against hacking, and what kind of weaknesses do they have? How bad would your losses be if someone hacks you? How much money are you willing to spend to improve security? Etc.
There are professional pen testers who will happily give you an extensive analysis of attack vectors, security problems and weaknesses on your website. They do cost several thousand dollars, though, so you'd better have a real need for them.
While it is important to shield your website, it is unlikely, in most small cases, that someone will put in all they have to hack you, so why pour money and time into mitigating such attacks? Most of the time it's user mistakes, bots and, rarely, script kiddies. Team Hashnode has to fear me reversing their API and website (haha), but that's all there is.
If you want to do this purely for learning, I recommend creating a fake product. Create a completely new website, leave out anything pointing to you or your accounts or your company. Create new accounts at a neutral hosting solution. Then put the whole thing up and in that case, you may also go for shady forums and ask them to try their worst. You may put some BTC into a fake account in your project, so they have a goal to actually look for. Giving them a goal is more realistic and gives you control over what they will likely dissect.
I think it's a good idea.
But if possible you should set up an identical website without all the customer data, and try with that.
If you can't do a separate deployment, you should only do this with trusted people (sign a contract if they're not close family).
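The staging copy recommended in the "Keep your data safe" answer above and in the previous answer (an identical site without the customer data) is the part most people get wrong: a plain database dump still hands the tester every real email, password hash and API token. The following is an added example, not code from the original thread or any of its posters. It builds a tester-safe copy of a users table with each sensitive column replaced, then checks that nothing from the production rows survives. The schema, the sample rows, the `@test.invalid` address format and the PBKDF2 password hasher are assumptions made for illustration; adapt them to your own application.

```python
import hashlib
import hmac
import secrets
import sqlite3
from typing import Optional

# Constructed sample rows standing in for a production export (not real data).
PROD_ROWS = [
    (1, "alice@example.com", "Alice Example", "$2b$12$prod-hash-A", "tok-prod-A"),
    (2, "bob@example.org",   "Bob Example",   "$2b$12$prod-hash-B", "tok-prod-B"),
    (3, "carol@example.net", "Carol Example", "$2b$12$prod-hash-C", "tok-prod-C"),
]

# Assumed schema; adapt the column list to your own users table.
SCHEMA = """
CREATE TABLE users (
    id            INTEGER PRIMARY KEY,
    email         TEXT NOT NULL UNIQUE,
    full_name     TEXT NOT NULL,
    password_hash TEXT NOT NULL,
    api_token     TEXT NOT NULL UNIQUE
)
"""

# Hypothetical: every staging account gets this password so the tester can log in.
TEST_PASSWORD = "Test-Password-1"


def pseudonymize_email(email: str, salt: bytes) -> str:
    """Keyed hash: the same real address always maps to the same fake one (so
    joins and the UNIQUE constraint still hold), but it cannot be reversed
    without the salt, which stays with you and never goes to the tester."""
    digest = hmac.new(salt, email.strip().lower().encode(), hashlib.sha256).hexdigest()
    return f"user-{digest[:12]}@test.invalid"  # .invalid is reserved, never deliverable


def staging_password_hash() -> str:
    """Assumed PBKDF2-HMAC-SHA256 format; swap in whatever hasher your app uses."""
    salt = b"staging-only-salt"
    dk = hashlib.pbkdf2_hmac("sha256", TEST_PASSWORD.encode(), salt, 100_000)
    return "pbkdf2_sha256$" + salt.hex() + "$" + dk.hex()


def build_staging_copy(prod: sqlite3.Connection, staging: sqlite3.Connection,
                       salt: bytes) -> int:
    """Copy users from prod into staging, replacing every secret or PII column.
    Returns the number of rows written."""
    staging.executescript(SCHEMA)
    pw_hash = staging_password_hash()
    written = 0
    for row_id, email, _name, _pw, _token in prod.execute(
            "SELECT id, email, full_name, password_hash, api_token FROM users"):
        staging.execute(
            "INSERT INTO users VALUES (?, ?, ?, ?, ?)",
            (row_id,
             pseudonymize_email(email, salt),
             f"Test User {row_id}",        # real names never leave production
             pw_hash,                        # real hashes never leave production
             secrets.token_urlsafe(24)),     # fresh random token, not the live one
        )
        written += 1
    staging.commit()
    return written


def leaked_values(prod_rows, staging_rows) -> set:
    """Final check before handing over: no sensitive value from prod may survive."""
    sensitive = set()
    for _id, email, name, pw, token in prod_rows:
        sensitive.update({email, name, pw, token})
    present = set()
    for row in staging_rows:
        present.update(str(v) for v in row)
    return sensitive & present


def staging_rows(salt: Optional[bytes] = None) -> list:
    """Demo driver: in-memory 'prod' seeded with PROD_ROWS -> scrubbed copy -> its rows."""
    salt = salt or secrets.token_bytes(32)
    prod = sqlite3.connect(":memory:")
    prod.executescript(SCHEMA)
    prod.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", PROD_ROWS)
    staging = sqlite3.connect(":memory:")
    build_staging_copy(prod, staging, salt)
    return staging.execute("SELECT * FROM users ORDER BY id").fetchall()


if __name__ == "__main__":
    rows = staging_rows()
    for r in rows:
        print(r)
    print("leaked values:", leaked_values(PROD_ROWS, rows))
```

Run it once against the copy you are about to hand over and refuse to ship the instance if `leaked_values` returns anything. The keyed hash keeps emails consistent across tables (so foreign keys and uniqueness survive), while names, password hashes and tokens are simply regenerated, since nothing downstream needs the originals.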
As a junior full-stack developer, the applications that I'll be creating will be full-house, and security is one of my main concerns.
I would rather my application be fully hacked in every possible way to ensure it's fully secure. This is also why most big companies pay professional hackers to take a full whack at their systems.
The last thing we all want is to be leaking data due to an unsecured app.
Just make sure you have a backup at least, and it will be a good decision to make :)
Let us know how it goes and if he does find any loopholes.
It is actually a good idea if you trust him. In general it's a good idea to let a hacker help you, if you can trust her/him. :)
I'd rather face my failures, be embarrassed, learn and move on. Although I don't know how qualified your brother is to judge.
To me it sounds like you've got nothing to lose, and if he's any good you can gain some insights :)
Spencer Phillip Young
Letting a (trusted) person attempt to exploit your security is basically the concept of penetration testing or "red teaming". It is a very common and recommended practice in security. Some industries even require such testing to be conducted periodically.
I want to home in on the "full force" aspect:
Good pen tests should model real-world threats. Real-world threats absolutely can be 'full-force'; a skilled, focused, and determined hacker wouldn't hold back.
Usually pen tests set boundaries to avoid major disruption/damage to systems, but these boundaries may prevent testing for certain vulnerabilities. In other words, there is a balance. A good pen testing company can walk you through this and set up proper boundaries for your risk model.