Auditing Scripts

Discussion in 'Security' started by redking, Feb 28, 2007.

  1. #1
    A lot of us are paying for shared web hosting or even are lucky enough to have virtual private servers or dedicated servers. We also rely on scripts that are written by people, usually strangers. Web applications are so complicated these days that we hire freelance programmers to write scripts or buy from a third party. Heck, I have had other DigitalPoint members send me scripts for free. :eek:

    However, how many of you audit the scripts that you're running on your servers? I mean, take a look at each file and make sure nothing evil is going on. With so many lines of code it's a time-consuming task. Even a plugin for WordPress could possibly contain a backdoor. Does anyone have any ideas or procedures they've been using to check scripts before they are uploaded to a production environment? :confused:

    I usually go through every file in a script and do a regular expression search for email addresses. Another idea is to create a local webserver on a computer with a firewall to test scripts. The only problem is that these aren't foolproof methods. Are there any programs or testing methods that can test scripts for vulnerabilities, backdoors or trojans? Obviously you should only use scripts from trusted sources, but sometimes people unwittingly pass along bad scripts or are too tempted to put a backdoor in their code.
     
    redking, Feb 28, 2007
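
The regular-expression search for email addresses described in post #1, as an added example that is not part of the original thread. The function name `find_emails`, the `allowed` list of already-reviewed addresses, and the sample plugin files are all constructed for illustration.

```python
import os
import re
import tempfile

# Pragmatic pattern for auditing; not a full RFC 5322 matcher.
EMAIL_RE = re.compile(
    r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")

def find_emails(root, allowed=()):
    """Walk root and return sorted (relative path, line number, address) hits,
    leaving out addresses the auditor has already reviewed (allowed)."""
    allowed = {a.lower() for a in allowed}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            if b"\0" in data[:4096]:  # likely binary (image, archive): skip
                continue
            text = data.decode("utf-8", errors="replace")
            for lineno, line in enumerate(text.splitlines(), 1):
                for addr in EMAIL_RE.findall(line):
                    if addr.lower() not in allowed:
                        hits.append((os.path.relpath(path, root), lineno, addr))
    return sorted(hits)

def demo():
    """Build a small constructed script tree in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "inc"))
        samples = {  # constructed sample files, not from any real script
            "plugin.php": "<?php\n// Author: dev@plugin.example\n$x = 1;\n",
            os.path.join("inc", "util.php"):
                "<?php\n$notify = 'drop@collector.example';\n",
            "logo.png": b"\x89PNG\x00\x00 a@b.example",
        }
        for rel, content in samples.items():
            mode = "wb" if isinstance(content, bytes) else "w"
            with open(os.path.join(root, rel), mode) as fh:
                fh.write(content)
        return find_emails(root, allowed=["dev@plugin.example"])

if __name__ == "__main__":
    for rel, lineno, addr in demo():
        print(f"{rel}:{lineno}: {addr}")
```

Every remaining hit is an address someone has to explain before the script goes to production.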
  2. Louis11
    #2
    Well, usually I write all of my own code. I do audit any code that I may purchase, say with a website I buy, but am yet to find any sort of backdoor. I have found multiple security vulnerabilities in some of the apps, but never anything malicious.

    I do know that there are several tools out there that will do auditing for you. Just google 'em :D
     
    Louis11, Mar 1, 2007