Ask HN: Who do you go with for security audits? - sekasi

As the title suggests, when it comes to doing an overall audit of your digital ecosystem, finding vulnerabilities and identifying weaknesses, who do you go to?

Finding myself in unfamiliar territory and I would cherish some recommendations. Serious budgets.

Thanks
======
netcorps
- Investigate integrating solutions such as Checkmarx or Veracode into your
SDLC (for ongoing code level static analysis), do not look just for one-off
assessments of your system.

- Run manual penetration tests or vulnerability assessments depending on your
confidence in the state of your system. Either choose a pentesting boutique
close to you if you like meeting people in person or pick a company that runs
tests with a group of people, not a single auditor. The results will likely be
much better then.

If you're looking for a solution for team based security testing take a look
at [http://www.applause.com/security-testing](http://www.applause.com/security-testing)
(Disclaimer: I am security team lead at Applause. Disregard that marketing
pricing calculator on the webpage)

If you're looking to test any type of app dealing with the protection of
digital goods, e.g. Books / DRM / Audio / Video / Paid features, we're
specialists for that.

We're deploying teams of white hat security experts to run security tests,
including automatic scans on web, mobile, desktop applications.

General process: => Lead security expert carries out risk assessment to craft
custom test plan => Penetration test or vulnerability assessment (real-time
results in 24/7 web platform) => Deduplicated, validated and prioritized
results with remediation advice => Customer fixes vulnerabilities => Retesting
of vulnerabilities to verify fixes are effective

First results, often critical vulnerabilities, usually trickle in within
minutes of starting the test.

------
xrownow
[https://www.appliedtrust.com/](https://www.appliedtrust.com/)

The great thing here is that they don't have any salespeople, only engineers, so when
you call up, you get someone who actually knows what they are talking about.

------
bayonetz
[http://www.praetorian.com/](http://www.praetorian.com/)

These guys were great. I used them for an audit of one of our web apps. Their
audit report was easy to digest and take action on.

------
JoachimSchipper
This is rather vague - do you want your network secured, do you want someone
to phish you to convince your boss to invest in additional training, do you
need a webapp pentest, would you like help with a secure software development
process?

(My employer - Fox-IT.com - can help with most of those, but smaller shops
have only a single, focused, team.)

------
dsacco
Hey there, I work at Accuvant on the application security team. We work with a
lot of the top tech companies and Fortune 500. We offer services across the
entire spectrum of security consulting. You can see everything we offer here:
[http://www.accuvant.com/services/enterprise-consulting](http://www.accuvant.com/services/enterprise-consulting)

If you choose an audit from our company for a web app or mobile app, I (or one
of my coworkers) would be the one doing the audit, so I can answer literally
any question you have about the entire process. I'm not a salesman, and I
don't make commission, so I'll speak very candidly about the process.

My team (application security) primarily performs application penetration
testing and vulnerability assessment where a group of consultants will take a
fine comb to your entire tech stack. If you want to give us source code to
analyze, all the better, and we will do so both manually and using automated
tools. We do not heavily rely on automated tools for any type of testing, and
our technical skill is very high overall on the team, with a huge diversity of
skillsets and experience.

We communicate with clients constantly and send detailed reports at least once
a week detailing our progress and any findings. At the end of the assessment,
we provide a final deliverable which details everything, along with
remediation recommendations and "where to go from here."

A serious audit of your web app will run you in the low tens of thousands,
figure between $10,000 on the low end and $30,000 on the high end - this is
what it will cost at any good firm in the United States. For that price you
will get two weeks or so - 80 hours - of comprehensive testing on your
application. Expect around $20,000. If you're doing something much more
specialized like auditing a cryptosystem or doing reverse engineering, or
packaging red teaming/incident response into the assessment, you're going to
add quite a bit more.

We prefer working on staging or preview environments, but we will test your
production environment if you'd rather we do that. We also accommodate
different hour requests - for example, only performing automated testing
during off-business hours and matching you with a consultant in your time
zone.

Most of our clients choose to book us remotely, but we can and will go onsite
for you if you'd like.

My email is in my profile, so if you'd like to talk more you're more than
welcome to reach out. Good luck!