Is it advisable to let someone test (hack) your website's security with full force?

RE:

Yes, in general it's a great idea, but here are some important considerations:

Keep your site running

Ideally you don't want to do it on your production infrastructure. Have him use a non-production instance of your site (either hosted online, or locally on his computer).

If he's testing on your production site (live), your site may go down.

Keep your data safe

Testing database injections (or other attacks) can potentially harm your data. Again, you don't want to be running the tests on production infrastructure. The best scenario is to work locally.

Black-box or white-box

He'll have a better chance of finding issues if he has access to the code (white-box). If possible, give him access so that he can find issues.


Summary

Yes, have people hack your site. But don't let it get in the way of your users and don't let it cause permanent damage.
