SaaS security

Security services: Penetration testing and full security audits

Aaron Perrin Software Architect / Senior Developer

January 17th, 2014

We're currently prototyping a product that depends heavily on user trust. We're working with some security consultants to ensure that our users' data is secure. We'd also like to hire a good one to act as our chief security officer. However, we're far from that point at the moment.

I have a fairly good background in running secure, protected services. But I'm not going to kid myself: I'm no expert.

I guess what I'm looking for is a 3rd-party SaaS-type service that allows me to ask for a full penetration test of our systems. It could be black box or white box. Either way, I want to go live with some 3rd-party validation that we're not going to be embarrassed on release.

We're also interested in ongoing, random 3rd-party security audits.

Anyway, I looked around for such a service and didn't see anything. Anyone have any ideas?

Thanks,

Aaron

Chayim Kirshen DevOps Focused Software Professional

January 17th, 2014

Aaron,

A great way to start is with Rapid7's Nexpose Community Edition and Metasploit Community Edition. Both are free for a number of nodes. Unfortunately you have to host things yourself, but at least this can get you started.

You can also approach (several) firms to do ongoing pen tests, or one-time pen tests; I've worked with several in the past.

--c

Shannon Code Chief Architect

January 17th, 2014

Bugbounty is cool; it's nice if you are bootstrapped and want another company to handle the talent acquisition. They offer "bounties" for discovering bugs and crowdsource the work. A contractor only gets paid when they discover and are able to reproduce bugs.

Michael Rossi Senior Analyst at TSC Advantage

January 17th, 2014

Another is www.hackertarget.com, if you'd like to run tests yourself.

Alvis Matlija Product Strategy and Planning at BlackBerry

January 17th, 2014

Try bugcrowd.com. They seem to offer something similar to what you are looking for.

Anonymous

January 17th, 2014

If you are looking for manual pen-testing, I highly recommend Matasano. Their founder, Thomas, is a frequent commenter on Hacker News (number 1 in karma points, actually) and is highly respected by the community.

Gergely Imreh Physicist at Large

January 17th, 2014

I have a friend working for Offensive Security (http://www.offensive-security.com/).
As far as I know, they do training as well as testing.

Cheers,
Greg

Will Koffel Co-Founder at Outlearn

January 17th, 2014

For a start, you might check out https://www.tinfoilsecurity.com/. It's not going to be a full enterprise audit, but they can work with you to understand your needs.

Todd Ellermann Experienced I.T. Leader, CTO, and Creative Entrepreneur

January 17th, 2014

We used HackerSafe a few years back, now McAfee Secure. But after the acquisition, I hear that things changed some. At the end of the day, they were successful at helping us identify a truckload of issues. The hosting company I was working for was acquired.

http://www.trust-guard.com/Hacker-Safe-s/42.htm  

I would seriously consider Trust Guard, but all this proactive hacking wasn't cheap.
-T

Shannon Code Chief Architect

January 17th, 2014

I do web and network assessments, along with mobile and embedded device assessments. Long-term contracts allow for retesting periodically and when new exploits come out, and for a re-evaluation after delivery and implementation of the initial findings.

Michael Hanson Entrepreneur in Residence at Greylock Partners

January 17th, 2014

I have no personal experience with their product, but White Hat Security (http://whitehatsec.com) offers web application fuzzing and pen testing on a SaaS platform.

They do a good job with automated screens for XSS, command injection, buffer overflows, that sort of thing. I don't recall whether they have consultants to perform the more insight-driven sort of screen you'd need as well; you may be better off hiring directly for that.