
Ask HN: Where can I find a white hat hacker - dynofuz
We run a small startup with very sensitive data. We've done a lot to secure it, but I'd love to get input from a white hat and do some deeper security testing. How do I find a white hat hacker / security expert I can trust and bring into the fold for a security audit?
======
dsacco
I run Breaking Bits Security
([https://breakingbits.com](https://breakingbits.com)). We work with a lot of
the YC community. Our rates are also a lot more sane than most of the larger
consulting shops since we have no sales, marketing or account management teams
to support :).

We offer web application security assessments, mobile application security
assessments and source code review. We also offer company training and reverse
engineering services, but I'm assuming you are most interested in web app sec
and source code review, correct?

Check us out if you're interested, my email is in my profile. Good luck with
whatever you choose.

~~~
vong
A heads up, the source code analysis link is broken.

~~~
dsacco
On the front page? Thanks, just fixed that. It was working in the navigation
bar, just didn't have the most recent link in that section. I appreciate the
heads up :)

------
teenageSec
Start a bug bounty and you'll get some attention from white hats. Or post the
link here and with your permission I'll give it a quick look through.

------
brianwawok
I am not sure a white hat is going to add value in most cases.

You have sensitive data and are worried about security. This is good (far too
many people aren't). Bang for buck though, you are going to do better with a
very security minded developer. A good developer with OS knowledge can make
sure your code base is safe from all the common vulns and follows best
practices. In general, that would be a lot more useful to you than someone
that would come in and maybe find a hole somewhere.

Now if you did something very niche like invented your own crypto algo, and you
need a white hat crypto guy to go test it - sure - get an outside set of eyes.
But for someone to check for root access being disabled over ssh and no SQL
injections? Seems overkill. Fortune 500 companies will throw millions at white
hats, and only find a few vulns. As a startup I don't think you can do that
(unless your funding rocks).

~~~
level3
This seems like a poor approach if you are really serious about the security
of your data. Proper pen testing encompasses more than a single app you may be
developing.

1) A developer can only help secure your code base, not your entire
infrastructure and company-wide security practices.

2) A single security-minded developer does not suddenly make the rest of your
developers more security-minded (not to mention your non-developers).

3) Even the most security-minded developers may lack knowledge of specific
security threats. They are primarily focused on development, not keeping up on
every new vulnerability or attack technique.

I agree that cost may be an issue, but pretending that security needs can be
solved by finding the right developers is pretty short-sighted.

~~~
brianwawok
I think it is a more likely path to success than hiring a pen tester and
hoping he finds all your bugs!

Fortune 500 companies spend millions on pen testing and miss stuff. How much
can you afford to spend for a startup, and what will your ROI be?

I have nothing against pen testing. But it should be like your 7th line of
defense. Not sure most startups have the other 6 figured out....

------
atmosx
I would hire these guys[1]. I used to be in the same "crew" with one of them back
in 2003. I trust his skills. Some of them are Phrack authors (is this a thing
these days? Can't tell).

Note that I have no affiliation with them.

[1] [http://census-labs.com/](http://census-labs.com/)

------
alltakendamned
Look for a company offering penetration testing services, there's quite a lot
around, from one-person freelancers to large shops with 1000+ employees.

------
sarciszewski
If you need someone to look over your code and configuration to verify that
you're secure, check out our work at
[https://paragonie.com](https://paragonie.com) and feel free to send us an
email.

------
mreeder
What is your motivation for having security testing done? Are you subject to
regulatory requirements? Or are you just doing it for your own peace of mind?

What stage are you in the SDLC?

My email address is in my profile - happy to chat and help you figure out the
best approach.

