Ask HN: Security audits. Worth it? Who's good?
8 points by dataduck on July 22, 2020 | hide | past | favorite | 11 comments
Hi all,

I'm beginning a project which will create a web based software as a service. I've little experience in web security and I'm considering budgeting for a web security audit to find security issues in the finished product. The product itself doesn't need to handle payments or store personal information, although we will need to have account control and accept subscription payments somehow.

Those who have some experience here: is getting a security audit worth it in this case? And is there anyone you'd recommend for this?

Thanks.



If you want something good, it might be a good idea to not choose someone "your investor knows" and would like you to work with, unless those security people are well known. Investors potentially have other investments going on, which you might not know about.


I am not a security expert but I always start with OWASP Top 10 for bare minimum:

https://owasp.org/www-project-top-ten/

Go through each item and test your application for vulnerabilities against those.


Thanks, this looks like a good place to start.


Yes, generally a security audit is worth it. I am biased, as I am a security engineer and have pentested multiple companies during my career.

There's a cost saving in designing things up front, say for GDPR or for handling credit cards safely, that is worth investing in. Sometimes a threat modeling session alone can save you time and money in the long term. It's harder to change things when you've built a product and have customers relying on it.

In terms of the actual product, you will have users, they will need to login/logout/reset passwords. Ensure proper authorization and authentication.

How are you handling logs, secrets, 3PP? Do you handle customer input? Do you reflect it onto the page or store it in the database? Do you allow them to make HTTP requests? How do you prevent SSRF?

How are you protecting your code? Laptops? Do you have antivirus? Do you patch your infra?

These are the questions you don't really think about; however, they can have real consequences if you don't.

In terms of who I'd recommend, you get what you pay for. Generally, I'd look for a small shop in your local area and vet them.

Yearly pentests are a +, and if you do go through an acquisition, or someone tries to white-label your product, they will want the reports.

If you don't have any revenue yet, do check out the OWASP Top 10. Run ScoutSuite on your AWS/Azure/GCP. Enforce MFA where you can: GitHub/AWS/Gdrive/O365. Set up SSO right away and just use that to log in to all your infra and services. It will save you so much headache down the line. Make sure you keep your application and service logs. Try to aggregate them somewhere.
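The "How do you prevent SSRF" question above is the one item in this comment that turns into code. The block below is an added example, not code from the commenter or from any product in the thread. It assumes a SaaS feature where a user supplies a URL (a webhook or image link, say) that the server will fetch, and shows the check a practitioner would put in front of that fetch: allow-list the scheme and port, reject userinfo, resolve the hostname and refuse if any returned address is non-public (loopback, RFC 1918, link-local such as the 169.254.169.254 cloud metadata endpoint, IPv4-mapped IPv6), and hand back the address that was checked so the caller connects to that exact address instead of resolving a second time (which is what DNS rebinding exploits). `FAKE_DNS`, the `.test` hostnames and the allowed-port set are constructed for the offline demo and are assumptions of this example.

```python
"""Added example: SSRF guard for user-supplied URLs (not from the HN thread)."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}   # assumption for this example; tighten or extend per product


class UnsafeURL(ValueError):
    """Raised when a user-supplied URL must not be fetched server-side."""


def is_public_ip(ip_str: str) -> bool:
    """True only for globally routable addresses. is_global is False for
    loopback, RFC 1918, link-local (incl. 169.254.169.254), CGNAT, multicast,
    IPv4-mapped IPv6 (::ffff:10.0.0.1) and the other special-purpose ranges."""
    return ipaddress.ip_address(ip_str).is_global


def resolve_all(host: str) -> list[str]:
    """Every address the system resolver returns for host (A and AAAA).
    Spellings like 2130706433 or 0x7f000001 are normalised by getaddrinfo,
    so they still end up going through the address check."""
    infos = socket.getaddrinfo(host, None, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def validate_outbound_url(url: str, resolve=resolve_all) -> tuple[str, int, str]:
    """Validate url and return (hostname, port, pinned_ip).

    The caller must connect to pinned_ip (sending hostname in Host/SNI) rather
    than resolving again, so the answer cannot change between this check and
    the connection (DNS rebinding). Redirects must be re-validated per hop."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise UnsafeURL(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise UnsafeURL("userinfo in URL is not allowed")
    host = parts.hostname
    if not host:
        raise UnsafeURL("missing host")
    try:
        port = parts.port or (443 if scheme == "https" else 80)
    except ValueError as exc:
        raise UnsafeURL(f"bad port: {exc}") from exc
    if port not in ALLOWED_PORTS:
        raise UnsafeURL(f"port not allowed: {port}")

    # IP literal: check it directly. Hostname: check EVERY resolved address,
    # because an attacker-controlled zone can mix public and private records.
    try:
        ipaddress.ip_address(host)
        addrs = [host]
    except ValueError:
        try:
            addrs = resolve(host)
        except socket.gaierror as exc:
            raise UnsafeURL(f"cannot resolve {host!r}") from exc
    if not addrs:
        raise UnsafeURL(f"{host!r} resolved to nothing")
    blocked = [a for a in addrs if not is_public_ip(a)]
    if blocked:
        raise UnsafeURL(f"{host!r} resolves to non-public address(es): {blocked}")
    return host, port, addrs[0]


# Constructed DNS table so the demo runs offline; production uses resolve_all.
FAKE_DNS = {
    "api.example.com": ["93.184.216.34"],
    "metadata.internal": ["169.254.169.254"],
    "rebind.attacker.test": ["1.1.1.1", "10.0.0.8"],      # public + private mix
    "v6mapped.attacker.test": ["::ffff:10.0.0.1"],
}


def fake_resolve(host: str) -> list[str]:
    if host not in FAKE_DNS:
        raise socket.gaierror(f"no such host: {host}")
    return FAKE_DNS[host]


def check(url: str, resolve=fake_resolve) -> tuple[bool, str]:
    """Convenience wrapper returning (accepted, detail)."""
    try:
        host, port, ip = validate_outbound_url(url, resolve=resolve)
        return True, f"{host}:{port} -> {ip}"
    except UnsafeURL as exc:
        return False, str(exc)


if __name__ == "__main__":
    for u in ["https://api.example.com/hook", "http://169.254.169.254/latest/meta-data/",
              "http://rebind.attacker.test/", "http://[::1]:80/", "file:///etc/passwd"]:
        print(u, check(u))
```

Two things the check deliberately does not do: it does not follow redirects (disable them in your HTTP client and re-run `validate_outbound_url` on each `Location`), and it does not make the connection, because connecting to the pinned address while still sending the original hostname for SNI and certificate verification is client-library specific. A network-level egress policy (no routes from app hosts to the metadata service or internal subnets) is the second layer a pentester will ask about.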


Thanks.

> Generally, I'd look for a small shop in your local area and vet them.

How would you recommend someone without a security background vet them?


This, all this ^ (seriously)

I'm an Application Security Champion so I know what I'm talking about (sarcasm).


Why's this downvoted? I am seconding this information. Is it my self-deprecating comment about being an ASC?


We just went through one, and it was one of the security-as-a-service companies. It was around $18k.

So expect to pay around that, and a lot more depending on how in-depth you want them to go.


Youch, that's out of our price range for sure. Was that an upfront advertised cost or did you end up getting strung along to it?


Not OP, but in general you need to count on a minimum of 1K USD per man-day unless you go with automated services, which might or might not actually give you what you need.


Another option you can look at is bug bounty programs such as Bugcrowd or HackerOne.



