I am preparing to develop a request for proposal (RFP) for a professional audit of our Web site and our Web content management system (WCMS). I'm curious what experience anyone else has had doing something similar.
The WCMS we are using was written pretty much single-handedly by me, from the ground up. Since I am only one person, there are obviously things I might have missed, and there are most likely things that could be done more efficiently and code that could be optimized further. I would like a professional organization to review the code from the CMS and evaluate it for security and efficiency.
I used the Spike PHP Security Audit Tool and found very few glaring security issues in the code itself. For the most part, the errors resulted from me checking to see if a file or folder existed before I actually tried to do anything with it (the warning was referred to as a TOCTOU racecheck condition). There were a few other warnings about needing to verify input before I use it, but all of those referred to PHP constants (like the DB username and password, etc. - which are encrypted when stored, then decrypted when used) that are validated when they are defined in my config file and then passed into various functions.
Since they are constants, I am assuming that there's no real way to validate/verify them each time I use them. If there is, I'd certainly be willing to look at it.
In addition, I'm looking to have a professional organization evaluate our Web site to ensure that we are not missing anything obvious in the way of usability and accessibility.
Has anyone else gone through a similar process? Was an RFP necessary? What are your thoughts? Thank you.
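For readers who want to see what the "TOCTOU race check" warning in the post refers to, here is an added example (it is not the poster's CMS code and is not output of the Spike tool). It contrasts the check-then-use pattern the tool flags with a version that lets the filesystem operation itself make the decision and reports on its own result. The cache-file names and the `cms-demo-` temp directory are constructed for the example; the functions assume PHP 7 or later.

```php
<?php
declare(strict_types=1);

// Added example (not the poster's code): check-then-use versus act-and-check
// for a hypothetical CMS page cache kept as files on disk.

// Pattern the audit tool flags as TOCTOU: the existence test and the write are
// two separate syscalls, so the state tested is not the state acted upon. A
// concurrent request, a cleanup cron job, or a symlink dropped into a shared
// directory can change $path between the two lines.
function writeCacheCheckThenUse(string $path, string $data): bool
{
    if (file_exists($path)) {
        return false;                      // decided not to overwrite
    }
    // ...race window here...
    return file_put_contents($path, $data) !== false;
}

// Alternative: open with mode 'x' (O_CREAT|O_EXCL). The create either succeeds
// or fails atomically, so no separate existence check is needed, and on Linux
// O_EXCL also refuses to create through a symlink at $path. The decision is
// taken from the return value of the one operation that matters.
function writeCacheAtomic(string $path, string $data): bool
{
    $fh = @fopen($path, 'x');              // false if it already exists
    if ($fh === false) {
        return false;                      // nothing was written
    }
    try {
        if (!flock($fh, LOCK_EX)) {
            return false;
        }
        $ok = fwrite($fh, $data) === strlen($data);
        flock($fh, LOCK_UN);
        return $ok;
    } finally {
        fclose($fh);
    }
}

// Reading follows the same rule: do not ask "is it there?" first, just read
// and treat failure as the answer. Returns null when there is no cache entry.
function readCache(string $path): ?string
{
    $contents = @file_get_contents($path);
    return $contents === false ? null : $contents;
}

// Demonstration against a private temp directory (constructed for the example).
$dir = sys_get_temp_dir() . '/cms-demo-' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
$path = $dir . '/page-42.cache';

var_dump(writeCacheAtomic($path, '<p>cached</p>'));   // bool(true)  first write wins
var_dump(writeCacheAtomic($path, '<p>again</p>'));    // bool(false) already exists
var_dump(readCache($path));                           // string(13) "<p>cached</p>"
var_dump(readCache($dir . '/missing.cache'));         // NULL

unlink($path);
rmdir($dir);
```

The practical effect of the second form is that the code has no path where its belief about the file can be stale: whether the entry existed, was writable, or was replaced by something unexpected is all reported by the one `fopen` or `file_get_contents` call, which is also the behaviour an auditor will be checking for when they review how the CMS handles uploads, caches and lock files.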