University Web Developers

I am preparing to develop a request for proposal (RFP) for a professional audit of our Web site and our Web content management system (WCMS). I'm curious what experience anyone else has in doing something similar?

The WCMS we are using was written pretty much single-handedly by me, from the ground up. Since I am only one person, there are obviously things I might have missed, and there are most likely things that could be done more efficiently and code that could be optimized further. I would like a professional organization to review the code from the CMS and evaluate it for security and efficiency.

I used the Spike PHP Security Audit Tool and found very few glaring security issues in the code itself. For the most part, the errors resulted from me checking to see if a file or folder existed before I actually tried to do anything with it (the warning was referred to as a TOCTOU racecheck condition). There were a few other warnings about needing to verify input before I use it, but all of those referred to PHP constants (like the DB username and password, etc. - which are encrypted when stored, then decrypted when used) that are validated when they are defined in my config file and then passed into various functions.

Since they are constants, I am assuming that there's no real way to validate/verify them each time I use them. If there is, I'd certainly be willing to look at it.

In addition, I'm looking to have a professional organization evaluate our Web site to ensure that we are not missing anything obvious in the way of usability and accessibility.

Has anyone else gone through a similar process? Was an RFP necessary? What are your thoughts? Thank you.
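The "check whether a file exists, then act on it" pattern that the static analyser flagged as TOCTOU above, shown beside an "attempt the operation and handle failure" rewrite. This is an added example, not code from the CMS discussed in the post; the directory and file names are assumed for illustration.

```php
<?php
// Added example (not the original poster's code). Paths and names are
// illustrative assumptions.
declare(strict_types=1);

// Vulnerable pattern: between file_exists() and the write, another process
// (or an attacker with write access to $dir) can create the file or drop a
// symlink at that path, so the "refuse to overwrite" check proves nothing.
function saveFileRacy(string $dir, string $name, string $data): bool
{
    $path = $dir . '/' . $name;
    if (file_exists($path)) {                              // check ...
        return false;                                      // refuse to overwrite
    }
    return file_put_contents($path, $data) !== false;      // ... then use
}

// Hardened pattern: there is no separate check to race against. Mode 'x'
// opens with O_CREAT|O_EXCL, so the create is atomic and fails if anything
// (a file or a symlink) already exists at that path. The caller-supplied
// name is also restricted so it cannot escape the target directory.
function saveFileAtomic(string $dir, string $name, string $data): bool
{
    if ($name === '' || $name !== basename($name) || strpos($name, "\0") !== false) {
        return false;                                      // traversal / separators / NUL
    }
    $base = realpath($dir);
    if ($base === false || !is_dir($base)) {
        return false;
    }
    $path = $base . DIRECTORY_SEPARATOR . $name;

    $fh = @fopen($path, 'x');                              // create-only; false if it exists
    if ($fh === false) {
        return false;
    }
    try {
        return fwrite($fh, $data) === strlen($data);
    } finally {
        fclose($fh);
    }
}

// Same idea for reads: do not gate on file_exists(); attempt the read and
// handle the failure return instead of the warning.
function readFileOrNull(string $path): ?string
{
    $data = @file_get_contents($path);
    return $data === false ? null : $data;
}
```

The `@` only silences the E_WARNING that `fopen()`/`file_get_contents()` emit on failure; the return value is what is checked. Mode `'x'` protects against a file or symlink appearing at the exact path; it does not help if the directory itself is attacker-writable and later renamed, so the directory should be owned by the web application and not writable by other users.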

Replies to This Discussion

As a vendor I would recommend Seth Gottlieb for this type of project. He really knows the CMS space as well as PHP and Java landscape and does not have any bias. You can read more about Seth here - http://www.contenthere.net/about/biography

We do Site Audits for our customers, but those are specific to Ingeniux CMS technology.

From a security / hosting standpoint we use Qualys in our hosting centers to manage vulnerability and threat assessment. It is an automated software-as-a-service.

I've been through numerous security audits. We use Fortify and Watchfire (which has been purchased by IBM) for auditing. A quick glance at your website shows you have at least one XSS vulnerability.
Ning hacked up the URL, so I've had to use a shortener: http://is.gd/oInP. Vulnerability is at http://www.lfcc.edu/about-the-college/employee-directory/index.html...

And you should never EVER embed your SQL statements as a comment in your HTML (in both search results and employee directory). At a minimum, an attacker now knows table names, and based on structure, how to potentially alter search statements to achieve SQL injection.

Thank you for the tips, Paul. I thought I had commented out all of the debug statements that printed SQL statements in the HTML comments. I just searched the files again and found three or four instances that I missed.

Also, thanks for picking up on the XSS vulnerability. I fixed that particular instance and will look for more possibilities like that (most of the GET variables I use are numeric and are checked to make sure that they're numeric, but there are a handful of places that allow alpha-numeric input - those instances are always sanitized before they're sent to a database, but I will need to double-check to make sure they're sanitized before they're printed on the screen, too).

I will look into Fortify, Watchfire and Seth Gottlieb. That's good information to have.

Anyone else with suggestions, please keep them coming. Thank you.
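The two problems Paul raised (SQL statements leaking into HTML comments, and request values reaching the page without output encoding) together with the numeric and alphanumeric input checks described in the reply above, as one added example. This is not code from the CMS discussed in the thread: the `employees` table, its columns, the `dept` and `page` parameters and the `$pdo` connection are all assumed for illustration.

```php
<?php
// Added example (not the thread's CMS code). Table, columns, parameters and
// the PDO connection are illustrative assumptions.
declare(strict_types=1);

// --- Vulnerable: the request value is spliced into the SQL text (injection),
// the statement is emitted as an HTML comment (schema disclosure), and the
// value is echoed unencoded (reflected XSS). "Sanitising before the DB" does
// nothing for the two output problems.
function directoryPageVulnerable(PDO $pdo, array $get): string
{
    $dept = $get['dept'] ?? '';
    $sql  = "SELECT name, email FROM employees WHERE dept = '$dept'";
    $html = "<!-- DEBUG: $sql -->\n";                       // leaks table/column names
    $html .= "<h1>Results for $dept</h1>\n<ul>\n";          // unencoded request value
    foreach ($pdo->query($sql) as $row) {
        $html .= "<li>{$row['name']} ({$row['email']})</li>\n"; // unencoded DB values
    }
    return $html . "</ul>\n";
}

// --- Hardened ---

// Encode for HTML text and quoted-attribute contexts. Apply this at output
// time, regardless of what was done to the value before it was stored.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function directoryPage(PDO $pdo, array $get): string
{
    // Numeric input: validate as an integer in range, not just "is numeric".
    $page = filter_var($get['page'] ?? 1, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 1000]]);

    // Alphanumeric input: allow-list the shape and bound the length.
    $dept = (string)($get['dept'] ?? '');
    if ($page === false || !preg_match('/^[A-Za-z0-9 ]{1,40}$/', $dept)) {
        return "<p>Invalid request.</p>\n";
    }

    // Parameterised query: the values never become part of the SQL text.
    $pageSize = 20;
    $stmt = $pdo->prepare(
        'SELECT name, email FROM employees WHERE dept = :dept ORDER BY name LIMIT :lim OFFSET :off'
    );
    $stmt->bindValue(':dept', $dept, PDO::PARAM_STR);
    $stmt->bindValue(':lim', $pageSize, PDO::PARAM_INT);
    $stmt->bindValue(':off', ($page - 1) * $pageSize, PDO::PARAM_INT);
    $stmt->execute();

    // Debugging goes to the server log, never into the response body.
    error_log(sprintf('directory search dept=%s page=%d', $dept, $page));

    $html = '<h1>Results for ' . h($dept) . "</h1>\n<ul>\n";
    foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
        $html .= '<li>' . h((string)$row['name']) . ' (' . h((string)$row['email']) . ")</li>\n";
    }
    return $html . "</ul>\n";
}
```

Two caveats a reviewer would check for: `htmlspecialchars()` is correct for HTML text and quoted attributes only, so a value placed inside a `<script>` block, a URL, or CSS needs encoding for that context instead; and the prepared statement only separates data from SQL if the driver actually prepares it, so for MySQL set `PDO::ATTR_EMULATE_PREPARES` to `false` on the connection rather than relying on client-side quoting.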

© 2019   Created by Mark Greenfield.