
Ask HN: Security when taking over hosting and development of a client's site?

I and a few others at the company I work at are trying to work out a security procedure when new clients transfer their site to us. In the past we have been handed "pre-hacked" sites (i.e. with exploits hiding among media files and such) and we would obviously like to minimize the chances of something like that getting onto our servers.

Here is what I have come up with so far:

* Malware scan to catch viruses and other stuff that may be hiding in executables, DLLs, etc.
* Static analysis (with SonarQube or similar) to find unsafe evals, potential SQLis, and more
* Spin up the site in a sandbox and hit it with the most common automated tools (like Metasploit and W3AF) to catch ... well ... many things.

Of course, we will need to adjust the specifics to the site we are analyzing (we do different programming languages; also because a static HTML/CSS single-pager probably does not require static/dynamic analysis) but we are mainly concerned with establishing a baseline that we can then modify as needed.

I would love to hear your input on the tool and methodology choice, and also on the extent of the analysis—obviously we want to strike the right balance between value (to both ourselves and our customers) and cost/time spent.

References to good articles on the subject are also very much appreciated. Same goes for war stories and personal experiences.
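As an added example, not code from the original post or from any tool it names: a small Python intake check that covers the first, cheapest layer of the procedure described above, before a handed-over site tree is copied anywhere near production. It walks the tree and flags the "pre-hacked" patterns the post mentions (server-side code sitting among media files, files whose extension says image but whose bytes say otherwise, double extensions like `photo.jpg.php`, `.htaccess` files that make an upload directory execute PHP, and classic webshell fragments such as `eval(base64_decode(...))`). The directory layout, file names and file contents in `build_demo_site()` are constructed for the demo; the extension lists and regexes are heuristics to be tuned per site, not a definition of "clean".

```python
"""Intake triage for a site handed over for hosting (added example, not from
the post). Walks the site tree and flags webshell code hiding among media
files, mismatched file signatures, and upload directories that execute code.
The tree built by build_demo_site() is constructed sample data."""
import os
import re
import tempfile

# Extensions that should hold data only, never server-side code.
MEDIA_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".svg", ".css", ".txt", ".mp4", ".woff"}
# Leading bytes each binary format must start with; anything else is a mismatch.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",), ".gif": (b"GIF87a", b"GIF89a"),
}
# Extensions the web server will execute.
CODE_EXTS = {".php", ".phtml", ".php5", ".php7", ".phar", ".pl", ".cgi", ".asp", ".aspx", ".jsp"}
# Directory names that usually hold user uploads and should never contain code.
UPLOAD_DIR_HINTS = ("upload", "media", "images", "files", "cache", "tmp")

PHP_TAG = re.compile(rb"<\?php|<\?=")
HTACCESS_HANDLER = re.compile(rb"(AddHandler|SetHandler|AddType)\s+application/x-httpd-php", re.I)
# Fragments typical of PHP webshells and obfuscated droppers; checked in every file.
SUSPICIOUS = [
    ("eval-of-decoded-payload", re.compile(
        rb"\beval\s*\(\s*(base64_decode|gzinflate|str_rot13|gzuncompress|urldecode)\s*\(", re.I)),
    ("shell-from-request", re.compile(
        rb"\b(system|passthru|shell_exec|exec|popen|proc_open)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)", re.I)),
    ("preg-replace-e-modifier", re.compile(rb"preg_replace\s*\(\s*['\"][^'\"]*/e['\"]", re.I)),
]


def triage_file(path, rel):
    """Return a list of finding labels for one file (empty list = nothing seen)."""
    findings = []
    dir_parts = rel.lower().split("/")[:-1]
    name = rel.split("/")[-1]
    exts = ["." + p for p in name.lower().split(".")[1:]]
    ext = exts[-1] if exts else ""
    in_upload_dir = any(h in part for part in dir_parts for h in UPLOAD_DIR_HINTS)

    if ext in CODE_EXTS:
        if in_upload_dir:
            findings.append("server-side code in upload/media directory")
        if len(exts) > 1 and exts[-2] in MEDIA_EXTS:
            findings.append("double extension disguising code as media")

    with open(path, "rb") as fh:
        data = fh.read(2 * 1024 * 1024)  # headers and injected code sit near the front

    if ext in MEDIA_EXTS:
        expected = MAGIC.get(ext)
        if expected and not data.startswith(expected):
            findings.append("magic bytes do not match %s extension" % ext)
        if PHP_TAG.search(data):
            findings.append("php open tag inside media file")
    if name == ".htaccess" and in_upload_dir and HTACCESS_HANDLER.search(data):
        findings.append(".htaccess maps extra extensions to the PHP handler")
    for label, pattern in SUSPICIOUS:
        if pattern.search(data):
            findings.append(label)
    return findings


def triage_tree(root):
    """Walk the site and return {relative_path: [findings]} for files with findings."""
    report = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            findings = triage_file(path, rel)
            if findings:
                report[rel] = findings
    return report


def build_demo_site():
    """Constructed sample tree mimicking a handed-over WordPress-style site."""
    root = tempfile.mkdtemp(prefix="intake-")
    files = {
        "index.php": b'<?php echo "hello"; ?>',
        "assets/style.css": b"body { color: #333; }",
        "wp-content/uploads/2019/photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 64,
        # GIF header with a PHP dropper appended, saved under a .png name
        "wp-content/uploads/2019/logo.png": b"GIF89a\n<?php eval(base64_decode($_POST['c'])); ?>",
        "wp-content/uploads/avatar.jpg.php": b"<?php system($_GET['cmd']); ?>",
        "wp-content/uploads/.htaccess": b"AddType application/x-httpd-php .jpg\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for rel, findings in sorted(triage_tree(build_demo_site()).items()):
        print(rel)
        for finding in findings:
            print("   -", finding)
```

Run it against an unpacked copy of the client's tree (never on the live server) and treat any hit as "quarantine and read by hand", not as a verdict: the regexes will miss anything obfuscated beyond these patterns, which is exactly why the post's later layers (a real malware scanner, static analysis, sandboxed dynamic testing) still follow. Two points worth keeping from this layer even after the tooling matures: a file's extension is not its type, so compare magic bytes; and an upload directory should be served with script execution disabled at the web server, so that even a missed webshell cannot run.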