Keeping a website secure is always a challenge. With an internal website or portal you have a bit more control over who is accessing your site, but that does not mean it should not be secure! Even when you have thought it all through and feel that your programming has been 100% top notch, there are still some things you can do to check yourself.
There are a lot of tools out there, but I am just focusing on a few “quick to use” open source tools, just to get you started!
First I will point to Pixy, which statically scans your PHP4 code for cross-site scripting (XSS) and SQL injection (SQLi) vulnerabilities. Pixy is written in Java. The last update seems to be from the end of July 2007, so it seems a bit dead at the moment.
Two other cool tools, xss-me and sql-inject-me from the Security Compass Exploit-Me suite (Firefox plug-ins), are also quick ways to check your website for XSS and SQLi. I recommend trying them out, and if you know of any other similar tools, please let me know!
Last but not least I want to bring up Ratproxy. It checks a whole lot of things about your website, and it's worth your time!