University Web Developers

I am preparing to develop a request for proposal (RFP) for a professional audit of our Web site and our Web content management system (WCMS). I'm curious what experience anyone else has in doing something similar.

The WCMS we are using was written pretty much single-handedly by me, from the ground up. Since I am only one person, there are obviously things I might have missed, and there are most likely things that could be done more efficiently and code that could be optimized further. I would like a professional organization to review the code from the CMS and evaluate it for security and efficiency.

I used the Spike PHP Security Audit Tool and found very few glaring security issues in the code itself. For the most part, the errors resulted from me checking to see if a file or folder existed before I actually tried to do anything with it (the warning was referred to as a TOCTOU racecheck condition). There were a few other warnings about needing to verify input before I use it, but all of those referred to PHP constants (like the DB username and password, etc. - which are encrypted when stored, then decrypted when used) that are validated when they are defined in my config file and then passed into various functions.

Since they are constants, I am assuming that there's no real way to validate/verify them each time I use them. If there is, I'd certainly be willing to look at it.

In addition, I'm looking to have a professional organization evaluate our Web site to ensure that we are not missing anything obvious in the way of usability and accessibility.

Has anyone else gone through a similar process? Was an RFP necessary? What are your thoughts? Thank you.
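The "check whether a file exists, then use it" pattern the scanner flagged as TOCTOU is shown below, with a hardened form beside it. This is an added example, not code from the poster's WCMS; the upload directory constant, the file-name rule and the function names are assumptions made for the illustration. PHP has no O_NOFOLLOW-style open, so the hardened version does three things: it confines the name to a plain file under a known root (which addresses the path-traversal risk that usually matters more than the race in a CMS), it opens the file once and treats failure as "not there" instead of testing the path first, and it re-checks the opened handle rather than the path name.

```php
<?php
// Added example (not the original poster's CMS code).
// Assumed layout: uploads live under UPLOAD_ROOT and $name comes from the request.

declare(strict_types=1);

const UPLOAD_ROOT = '/var/www/cms/uploads';   // assumed location

// The pattern the scanner flags: check, then act. Between file_exists() and
// file_get_contents() another process can replace the path (e.g. with a symlink),
// so the read acts on whatever is there at that moment.
function readUploadRacy(string $name): ?string
{
    $path = UPLOAD_ROOT . '/' . $name;
    if (!file_exists($path)) {
        return null;
    }
    return file_get_contents($path);
}

// Hardened form: confine the name, open once, and inspect the handle, not the path.
function readUploadSafe(string $name): ?string
{
    // Only a plain file name: no slashes, no leading dot, bounded length.
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$/', $name)) {
        return null;
    }

    // Canonicalise and make sure the result is still under the upload root.
    $path = realpath(UPLOAD_ROOT . '/' . $name);
    if ($path === false || strncmp($path, UPLOAD_ROOT . '/', strlen(UPLOAD_ROOT) + 1) !== 0) {
        return null;   // missing, or resolved somewhere outside the root
    }

    // Open once; a failed open is the "does not exist" case, no separate exists-check.
    $fh = @fopen($path, 'rb');
    if ($fh === false) {
        return null;
    }

    try {
        if (!flock($fh, LOCK_SH)) {
            return null;
        }
        // Re-check the thing we actually opened: it must be a regular file.
        $st = fstat($fh);
        if ($st === false || ($st['mode'] & 0170000) !== 0100000) {
            return null;
        }
        return stream_get_contents($fh);
    } finally {
        fclose($fh);
    }
}
```

The remaining window between realpath() and fopen() cannot be closed from PHP alone; the practical mitigation is that the upload root is writable only by the application user, so nobody else can swap entries in it while the request runs.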

Replies to This Discussion

As a vendor I would recommend Seth Gottlieb for this type of project. He really knows the CMS space as well as PHP and Java landscape and does not have any bias. You can read more about Seth here - http://www.contenthere.net/about/biography

We do Site Audits for our customers, but those are specific to Ingeniux CMS technology.

From a security / hosting standpoint we use Qualys in our hosting centers to manage vulnerability and threat assessment. It is an automated software-as-a-service.

I've been through numerous security audits. We use Fortify and Watchfire (which has been purchased by IBM) for auditing. A quick glance at your website shows you have at least one XSS vulnerability.
Ning hacked up the URL, so I've had to use a shortener: http://is.gd/oInP. Vulnerability is at http://www.lfcc.edu/about-the-college/employee-directory/index.html...

And you should never EVER embed your SQL statements as a comment in your html (in both search results and employee directory). At a minimum, an attacker now knows table names, and based on structure, how to potentially alter search statements to achieve SQL injection.

Thank you for the tips, Paul. I thought I had commented out all of the debug statements that printed SQL statements in the HTML comments. I just searched the files again and found three or four instances that I missed.

Also, thanks for picking up on the XSS vulnerability. I fixed that particular instance and will look for more possibilities like that (most of the GET variables I use are numeric and are checked to make sure that they're numeric, but there are a handful of places that allow alpha-numeric input - those instances are always sanitized before they're sent to a database, but I will need to double-check to make sure they're sanitized before they're printed on the screen, too).

I will look into fortify, watchfire and Seth Gottlieb. That's good information to have.

Anyone else with suggestions, please keep them coming. Thank you.
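The two findings in this thread, a reflected XSS and SQL statements leaking into HTML comments, and the reply's observation that input is sanitized before the database but not before it is printed, come down to one rule: parameterize on the way into the database, escape on the way out to the page, and keep debug output out of the response entirely. The following is an added example, not the poster's directory code; the `employee` table, its column names, the `dept` and `q` request parameters and the PDO connection are assumptions for the illustration.

```php
<?php
// Added example, not code from the poster's WCMS. Assumes a PDO connection $db
// and an "employee" table with columns id, name, department, department_id
// (assumed names).

declare(strict_types=1);

// Escape for an HTML text or attribute context. This happens at output time,
// independent of whatever validation the value received before it was stored.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function renderDirectory(PDO $db, array $get): string
{
    // Numeric parameter: validate as a positive integer, not merely "looks numeric".
    $dept = filter_var($get['dept'] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);

    // Free-text parameter: no SQL "sanitizing" here, the prepared statement handles that.
    $q = trim((string) ($get['q'] ?? ''));

    if ($dept === false || strlen($q) > 64) {
        return '<p>Invalid request.</p>';
    }

    // Parameterized query: the user's text never becomes part of the SQL string.
    // The % and _ wildcards are escaped so a search for "100%" does not match everything
    // (backslash is MySQL's default LIKE escape character; adjust for other engines).
    $like = '%' . addcslashes($q, '%_\\') . '%';
    $stmt = $db->prepare(
        'SELECT name, department FROM employee'
        . ' WHERE department_id = :dept AND name LIKE :q ORDER BY name'
    );
    $stmt->execute([':dept' => $dept, ':q' => $like]);

    // Debug information goes to the server log, never into the page, not even as a comment.
    error_log(sprintf('directory lookup dept=%d q=%s', $dept, $q));

    $out = '<ul>';
    foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
        // Stored values are escaped on output too; "clean on the way in" is not enough.
        $out .= '<li>' . h($row['name']) . ' (' . h($row['department']) . ')</li>';
    }
    $out .= '</ul>';

    // Reflecting the search term back is exactly where a reflected XSS lives: escape it.
    $out .= '<p>Results for "' . h($q) . '"</p>';

    return $out;
}
```

A quick way to confirm the fix is to request the page with `q=<script>alert(1)</script>` and check that the response source contains `&lt;script&gt;` and no `<!-- SELECT ... -->` comment.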

© 2019   Created by Mark Greenfield.