Skip to content

Top Best Ask Show New Jobs

Ask HN: Security audits. Worth it? Who's good?

8 pointsdataduck5y ago11 comments

Hi all,

I'm beginning a project which will create a web based software as a service. I've little experience in web security and I'm considering budgeting for a web security audit to find security issues in the finished product. The product itself doesn't need to handle payments or store personal information, although we will need to have account control and accept subscription payments somehow.

Those who have some experience here: is getting a security audit worth it in this case? And is there anyone you'd recommend for this?

Thanks.

11 comments

11 comments · 5 top-level

k4ch0w5y ago· 3 in thread

Yes, generally a security audit is worth it. I am bias as I am a security engineer and have pentested multiple companies during my career.

Theres a cost saving by designing things up front say for GDPR or handling credit cards safely that is worth investing in. Sometimes, a threat modeling session alone could save you time and money in the long term. It's harder to change things when you've built a product, have customers relying on it.

In terms of the actual product, you will have users, they will need to login/logout/reset passwords. Ensure proper authorization and authentication.

How are you handling logs, secrets, 3PP. Do you handle customer input, do you reflect it onto the page, store it in the database? Do you allow them to do HTTP requests? How do you prevent SSRF.

How are you protecting your code? Laptops? Do you have antivirus? Do you patch your infra?

These are the questions you don't really think about, however they can have real consequences if you don't.

In terms of who I'd recommend, you get what you pay for. Generally, I'd look for a small shop in your local area and vet them.

Yearly pentests are a +, and if you do go through an Acquisition or someone trying to whitelabel your product they will want the reports.

If you don't have any revenue yet, do check out OWASP top 10. Run scoutsuite on your AWS/Azure/GCP. Enforce MFA where you can, Github/AWS/Gdrive/O365. Setup SSO right away and just use that to login to all your infra and services. Will save you so much headache down the line. Make sure you keep your logs application and service logs. Try to aggregate them somewhere.

dataduckOP5y ago

Thanks.

> Generally, I'd look for a small shop in your local area and vet them.

How would you recommend to vet them to someone without a security background?

This, all this ^ (seriously)

I'm an Application Security Champion so I know what I'm talking about (sarcasm).

Whys this downvoted? I am seconding this information. Is it my self-deprecating comment about being an ASC?

hijinks5y ago· 2 in thread

we just went through one and it was one of the security as a service. It was around $18k.

So expect to pay around that and a lot more for how in depth you want them to go.

dataduckOP5y ago

Youch, that's out of our price range for sure. Was that an upfront advertised cost or did you end up getting strung along to it?

alltakendamned5y ago

Not OP, in general you need to count a minimum of 1K USD per manday unless you go with automated services which might or might not actually give you what you need.

codegeek5y ago· 1 in thread

I am not a security expert but I always start with OWASP Top 10 for bare minimum:

https://owasp.org/www-project-top-ten/

Go through each item and test your application for vulnerabilities against those.

dataduckOP5y ago

Thanks, this looks like a good place to start.

zelphirkalt5y ago

If you want something good, it might be a good idea to not choose someone "your investor knows" and would like you to work with, unless those security people are well known. Investors potentially have other investments going on, which you might not know about.

Another option you can look at are bug bounty programs such as bugcrowd or hackerone.

j / k navigate · click thread line to collapse