
This looks cool! I have the other perspective -- I have a site that I want secured. This seems helpful for that angle also. I'd be interested if there are other resources as well that could be suggested on this thread!


You should check out the YouTube channel LiveOverflow [0]; it's mostly about infosec and pentesting. As someone who is neither into infosec nor pentesting, I found it to be a very interesting and informative channel which improved my understanding of coding and security in general.

[0] https://www.youtube.com/channel/UClcE-kVhqyiHCcjYwcpfj9w/fea...


I've done a bit of pen testing and the cheat sheet presented gives very good advice in one place for the basics.

I'd love to see web devs use something like the procedures outlined as a final check before going for sign-off. When testing your own stuff, do the heavy scanning stuff "internally". You can always deploy a throwaway Kali Linux box on the same VLAN if it's justified.

Now as to your question: remember that the site itself may not be the actual target. For me, an awful lot of pen testing involves perusing Facebook, Twitter and the like, and obviously perusing the site itself as a user. Customer testimonies, web dev links and their site's customer testimonies and proud stories are useful. I always spider for docs and look at metadata in them. Companies House and similar registries (in the UK; other countries may have similar) are handy to help join the dots. A little imagination and publicly available information can inform a decent social scam.

My top advice here is to pretend to be a baddie and look at your stuff from the outside. Once you discover just how exposed everyone is, then evaluate it and then start the staff/partner/whatever training. If applicable, your telephone reception should have a human firewall on it - mine does. I'm an MD of a small company and I defy anyone to get past them. They take great pride in making sure calls to me from, ahem, friends/colleagues/etc. don't get through but instead get a request to send an email to sales@<firm>.co.uk, and yet I still get the calls I want. When they are uncertain they check with me first. Make it a challenge and part of the culture, and deploy honest praise for a good job done. Gatewaying all of your calls via your experts rather than a DDI to all staff is a good idea.

Notice how most of the stuff I've gone into depth about doesn't really involve anything fancy technologically. If I were a real general-purpose baddie, I wouldn't be fussed about your user accounts and passwords or even your company secrets. I'd be wanting to make your accounts department send me a few thousand quid to some random account. However, the industry or purpose of your ... system ... will inform your approach to pen testing and securing. I have had to pen test a few schools and I took a rather different approach than I would for a firm of accountants.

There's no right or wrong answer and remember that a web site is not in isolation. People use them.


> gives very good advice in one place for the basics.

And it's important to remember that these are the basics. I was able to perform a privilege escalation on a site (that I was supposed to be pen testing, nothing nefarious) by using a password of something like ' admin="true" password="'. This isn't something that an automated scanner will ever uncover; this list, which is awesome, is a good starting point, but not the ending point.
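The escalation described in the comment above is an attribute-injection bug: a quote character inside a user-supplied field closes that field and lets the rest of the input be read as new fields. The following is an added example, not code from the thread or from any site mentioned in it. It builds a hypothetical, deliberately vulnerable `key="value"` serializer next to a hardened JSON-based one, and uses constructed sample credentials and a constructed role table; no real application is being modelled.

```python
import json
import re

# Constructed sample inputs (not from the thread): an ordinary password and
# an attribute-injection string in the spirit of the one described above.
NORMAL_PASSWORD = "hunter2"
INJECTED_PASSWORD = 'x" admin="true" password="x'


def naive_record(username: str, password: str) -> str:
    """Hypothetical vulnerable serializer: builds a key="value" record by
    string concatenation, so a double quote inside a field ends the field."""
    return f'admin="false" user="{username}" password="{password}"'


def naive_parse(record: str) -> dict:
    """Hypothetical parser for the naive format. With dict(), a repeated key
    silently overrides the earlier one, which is what the injection relies on."""
    return dict(re.findall(r'(\w+)="([^"]*)"', record))


def safe_record(username: str, password: str) -> str:
    """Hardened serializer: JSON escapes the quote characters, so user data
    can never introduce a new key. The admin field is kept only to show the
    contrast; the real decision belongs in is_admin() below."""
    return json.dumps({"admin": False, "user": username, "password": password})


def _reject_duplicates(pairs):
    """object_pairs_hook that fails closed on a repeated key."""
    seen = {}
    for key, value in pairs:
        if key in seen:
            raise ValueError(f"duplicate key {key!r} in record")
        seen[key] = value
    return seen


def safe_parse(record: str) -> dict:
    """Hardened parser: strict JSON plus explicit duplicate-key rejection, so
    a malformed or tampered record raises instead of escalating."""
    return json.loads(record, object_pairs_hook=_reject_duplicates)


# Constructed server-side role table. The privilege decision must come from
# here, never from any field that passed through user-controlled input.
ROLES = {"alice": "admin", "bob": "user"}


def is_admin(username: str) -> bool:
    return ROLES.get(username) == "admin"


def demo():
    """Returns (naive admin flag, hardened admin field, server-side answer)
    for the same injected password."""
    naive = naive_parse(naive_record("bob", INJECTED_PASSWORD))
    safe = safe_parse(safe_record("bob", INJECTED_PASSWORD))
    return naive["admin"], safe["admin"], is_admin("bob")


if __name__ == "__main__":
    print(demo())  # ('true', False, False)
```

The point the comment makes, that a scanner will not find this, follows from the code: nothing about the request looks malformed, and the naive parser accepts it happily. The two fixes are independent and both worth having: escape on serialization so a field cannot grow new keys, and never read a privilege flag back out of data a user could influence.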


> I'd be wanting to make your accounts department send me a few thousand quid to some random account.

A few thousand? What's the rationale behind that number?


None whatsoever - I was generalising. Incidentally, I should point out that whilst I have a fair idea of the plan of attack: I would be bloody useless at actually carrying it out 8)
