Tell me more ×
Answers OnStartups is a question and answer site for entrepreneurs looking to start or run a new business. It's 100% free, no registration required.
up vote 2 down vote favorite

I've seen plenty of questions dealing with beta testing, marketing, market research and so on.

My question is which practical quality assurance and security steps should a web app or service make sure they have ready when launching to real people?

Suggestions:

  • double-checking against SQL injections
  • user password recovery
  • double checking file & folder permissions
  • 404 pages

Even in a private beta, what things should absolutely be a part of a launch?

share|improve this question

2 Answers

up vote 1 down vote

Even if you are in private beta, your server can be reached by the public. That means you'll experience occasional lightweight attacks by bots. If you have information that is valuable there is a much greater chance of large attacks on your server(s) and that will require additional hardening. For now I would recommend the following.

  1. Be sure to get an SSL certificate and only allow https traffic.
  2. Familiarize yourself with the Open Web Application Security Projects Top 10 Risks
  3. Get some free open source applications to scan your server. The exact applications depends on the technology your server is running (Apache vs IIS, MySql vs Sql Server, etc). In general though I would recommend a Sql Injection specific tester like sqlmap, and a fuzzer like Wapati
  4. Double check all accounts for all services on your server. If you run FTP, bots will attempt to login with standard names and passwords. Lock down all unnecessary accounts and shut off all unnecessary software (like don't run a print spooler if the server is not a print server), this is called reducing your "Surface Area" so there is less to attack.
share|improve this answer
up vote 0 down vote

That is more of a technical question, I suggest you ask it on Stack Overflow.

share|improve this answer
actually I think from a high level it is appropriate here. In-depth security is covered at security.stackexchange.com, but this is too high level for that. An answer of StackOverflow would be programmer related. Here the question can be high level technical info for entrepreneurs. – Justin C Jun 20 '11 at 17:02
I don't see it the same way. I'm not a moderator, so it doesn't really matter. I would just suggest you look at the two FAQs. I think you can make a judgement as to which one is more appropriate. answers.onstartups.com/faq and security.stackexchange.com/faq. I mostly mentioned it so he could get an answer that would contribute to the community as a whole. – Rafferty Pendery Jun 22 '11 at 3:22

Your Answer

 
discard

By posting your answer, you agree to the privacy policy and terms of service.

Not the answer you're looking for? Browse other questions tagged or ask your own question.