SaaS security

Security services: Penetration testing and full security audits

Aaron Perrin Software Architect / Senior Developer

January 17th, 2014

We're currently prototyping a product that depends heavily on user trust. We're working with some security consultants to ensure that our users' data is secure. We'd also like to hire a good one to act as our chief security officer. However, we're far from that point at the moment.

I have a fairly good background in running secure, protected services.  But, I'm not going to kid myself, I'm no expert.

I guess what I'm looking for is a 3rd-party SaaS-type service that allows me to ask for a full penetration test of our systems. It could be black box or white box. Either way, I want to go live with some 3rd-party validation that we're not going to be embarrassed on release.

We're also interested in on-going, random 3rd-party security audits.

Anyway, I looked around for such a service, and I didn't see anything. Anyone have any ideas?

Jodson Leandro Programmer and Pentester

January 4th, 2019

The best thing you can do is to contract a good company or a good security analyst to verify your server, source code and everything involved in your product. The cheapest way to do that is to execute a white hat security assessment. If you have some security consultants working with you, ask them to review your source code and verify the patterns that your programmers are doing wrong.

Once the security consultants find wrong stuff in the source code, they could teach the programmers to do it the right way. Security must be frequently studied by your team. Of course you need some specialists, but if the company has a small team, everyone can grow together.

Chayim Kirshen DevOps Focused Software Professional

January 17th, 2014

Aaron,

A great way to start is with Rapid7's Nexpose Community Edition and Metasploit Community Edition. Both are free for a number of nodes. Unfortunately you have to host things yourself, but at least this can get you started. You can also approach (several) firms to do ongoing pens, or one-time pen tests; I've worked with several in the past.

--c

Shannon Code Chief Architect

January 17th, 2014

Bugbounty is cool; it's nice if you are bootstrapped and want another company to handle the talent acquisition. They offer "bounties" for discovering bugs, and they crowdsource the work. A contractor only gets paid when they discover and are able to reproduce bugs.

Michael Rossi Senior Analyst at TSC Advantage

January 17th, 2014

Another is if you'd like to run tests yourself.

Alvis Matlija Product Strategy and Planning at BlackBerry

January 17th, 2014

Try They seem to offer something similar to what you are looking for.


January 17th, 2014

If you are looking for manual pen-testing, I highly recommend Matasano. Their founder Thomas is a frequent commenter on Hacker News (the number 1 in karma points, actually) and is highly respected by the community.

Gergely Imreh Physicist at Large

January 17th, 2014

I've a friend working for Offensive Security. They are doing training and testing as well, as far as I know.

Will Koffel Co-Founder at Outlearn

January 17th, 2014

For a start, you might check out  Not going to be a full enterprise audit, but they can work with you to understand your needs.

Todd Ellermann Experienced I.T. Leader, CTO, and Creative Entrepreneur

January 17th, 2014

We used HackerSafe a few years back, now McAfee Secure. But after the acquisition, I hear that things changed some. At the end of the day, they were successful at helping us identify a truckload of issues. The hosting company I was working for was acquired.

I would seriously consider Trust Guard, but all this proactive hacking wasn't cheap.

Shannon Code Chief Architect

January 17th, 2014

I do web and network assessments along with mobile and embedded device assessments. Long-time contracts allow for retesting periodically and when new exploits come out, and a re-evaluation after delivery and implementation of initial discoveries.