
finding back doors

Original Message
Name: brookbend
Date: November 17, 2003 at 20:51:11 Pacific
Subject: finding back doors
OS: win 2000
CPU/Ram: ?????
Comment:

I'd like my Web site (owned in America) code analyzed by a 3rd party for "back doors". Site was made overseas and processes credit cards online. No problems in first year. Trouble is, if you don't know the hired coder, how do you know he's not programming back doors? Quite a predicament, no?

Maybe there's a referral network that's watertight for honesty -- any? Or if there's a way that makes the back door project safe..? Guarantees, etc...



Response Number 1
Name: anonproxy
Date: November 17, 2003 at 21:46:38 Pacific
Reply:

"Trouble is, if you don't know the hired coder, how do you know he's not programming back doors?"

Even if you know the programmer, the same question can be asked.

Your code is probably not very complicated. Code auditing can be very expensive.

You might consider going to a University and contracting a graduate student (usually there is a job board or general message board) with 1 year proven experience in the said language. Get a CS grad student and you should be OK. Make a contract in your favor if you want, which should financially protect you should this student do something malicious (doubt it).

A web site design group would probably be willing to look at the code.

Other than that, you can hire programming groups or individuals based on recommendations.

What brings this up? Have you had any grounded suspicions?



Response Number 2
Name: brookbend
Date: November 17, 2003 at 22:01:15 Pacific
Reply:

no, no suspicions. just heard about the issue.

by the way, your assumption that the code is simple equals my assumption that knowing the coder eliminates further back doors -- ha. who knows how complex -- if i knew i wouldn't be writing. code is in asp. does that automatically mean it's simple? or automatically complex? or neither? (I just wanted to cover all the conditions)



Response Number 3
Name: brookbend
Date: November 17, 2003 at 22:13:13 Pacific
Reply:

by the way... how does the coder know when he's looking at a "back door"? (because the front door is on the other side of his head?? er... dunno -- what think, seriously?)



Response Number 4
Name: anonproxy
Date: November 18, 2003 at 11:46:24 Pacific
Reply:

"code is in asp."

By that alone I don't suspect any backdoors. If they had written the thing as a C module for Apache, then you could wonder.

"does that automatically mean it's simple?"

Credit card transactions are no secret. There are thousands of tutorials all over the Internet showing you how to handle them, along with a plethora of books on the subject. It is an extremely common function.

"how does the coder know when he's looking at a 'back door'?"

You step through the code, perhaps with the aid of a program (usually not), and look at what is happening. Ask lots of "why?" questions. What you are looking for are instructions that are overly complicated, return incorrectly, or do something obvious like save a file somewhere with read permissions. Perhaps there is a default login username/password combination hidden in a particularly long include file. Maybe the database has loose read permissions on a particular account. There might be a place where a user could inject some SQL into a database query and get what they want (if they knew the schema).


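The review anonproxy describes in Response 4, as an added example that is not part of the original thread: a first-pass scan of classic ASP source, include files included, that flags a string literal compared or assigned to a credential-like name, SQL concatenated with `Request` input, and file writes. The rule names, patterns and sample pages are constructed for illustration; each hit is a line to ask "why?" about by hand, not proof of a back door.

```python
import re

# Heuristic rules, one per audit point in the reply above (names are this example's own).
RULES = [
    ("hardcoded-credential",
     re.compile(r'(user|login|pass|pwd)\w*["\)\s]*=\s*"[^"]+"', re.I)),
    ("sql-built-from-request",
     re.compile(r'"[^"]*\b(select|insert|update|delete)\b[^"]*"\s*&.*\bRequest\b', re.I)),
    ("file-write",
     re.compile(r'\b(CreateTextFile|OpenTextFile|SaveToFile)\b', re.I)),
]

def audit(files):
    """Return (file, line number, rule) for every line a reviewer should question."""
    findings = []
    for name, source in files.items():
        for lineno, line in enumerate(source.splitlines(), start=1):
            code = line.strip()
            if code.startswith("'"):      # VBScript comment line, nothing executes
                continue
            for rule, pattern in RULES:
                if pattern.search(code):
                    findings.append((name, lineno, rule))
    return findings

# Constructed sample site: one page plus the include file it pulls in.
SAMPLE = {
    "checkout.asp": '''<!--#include file="inc/util.asp"-->
<%
sql = "SELECT * FROM orders WHERE email='" & Request.Form("email") & "'"
Set rs = conn.Execute(sql)
' password = "old" (commented-out line, ignored)
%>''',
    "inc/util.asp": '''<%
Function IsAdmin()
  If Request.Form("pwd") = "constructed-secret" Then IsAdmin = True
End Function
Sub WriteExport(n)
  Set f = fso.OpenTextFile(Server.MapPath("/export.txt"), 8, True)
  f.WriteLine n
End Sub
%>''',
}

if __name__ == "__main__":
    for name, lineno, rule in audit(SAMPLE):
        print(f"{name}:{lineno}: {rule}")
```

A comparison against a stored value rather than a literal (for example `= storedHash`) is not flagged, which is why the include files need to be in the scan set: the literal usually lives there.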

Response Number 5
Name: brookbend
Date: November 18, 2003 at 12:58:24 Pacific
Reply:

thanx. I've saved all this. will look into project soon.

