Penetration/Security Testing


lord...@gmail.com

Mar 22, 2014, 3:18:09 AM
to umbra...@googlegroups.com
Hi,
I am about to start a project for a blue chip client, and am really pushing to use Umbraco. The only concern I have is that this client will insist on having the site penetration tested by their internal team in Germany. I would like to know if anyone has any experience of this and whether the backend has passed this kind of test in the past. I will be buying the complete support package. Am I right in assuming that this should give me peace of mind, and that if the test fails with a major security issue, I can access the core team and this would be fixed? Is there any guarantee of a fix timeline?

Any ideas or reassurance would be great. BTW, I will be planning to use v 7.1.

Cheers

Chris

Steve Temple

May 13, 2014, 9:41:56 AM
to umbra...@googlegroups.com, lord...@gmail.com
Hi Chris,

I put a post with the results of a pen test on version 6.x; this might be useful for you to start with


The main issues we had were around the front end and back end being on the same URL, so locking out admin users after x failed attempts, which Umbraco doesn't do out of the box, was a big issue as the back end is easily accessible. Most of the stuff was pretty minor or easy to fix.

Cheers,

Steve

Sjors Pals

Jun 18, 2014, 6:46:52 AM
to umbra...@googlegroups.com, lord...@gmail.com
We had a lot of security scans, and I think I may say that Umbraco is pretty secure. We build a lot of Umbraco sites for big financial institutions like ING and Moneyou. Most issues were related to XSS injections in the frontend, but no problems with the Umbraco backend.

Greets,

Sjors
