Ask YC: "Hacker-testing" service? - ca98am79

I've been working on a web startup with one other co-founder, and I am the only programmer. I try my best to make things as secure as I can, but it is always better to have another set of eyes looking over things to make sure I am not overlooking something obvious. Are there any security-auditing or "hacker-testing" services you would suggest that we can use? We're willing to pay something for this, but we don't have a lot of extra cash to throw around right now.

If you can't think of any services like this that you would use, what would you do in my place? Any advice is greatly appreciated - thank you!
======
aaroneous
Hiring a security expert is generally like most other things you hire an
expert for - expensive. There's a lot to making a website "safe" and it
involves looking at many different aspects from all sorts of different aspects
(time consuming).

If you're trying to determine the hardness of your machines against known
vulns there are two free (oss?) programs I'd recommend: Nessus and Snort. That
may buy you time until you get big enough that you have something more than
script kiddies knocking at your server's doors.

~~~
dguido
> there are two free (oss?) programs I'd recommend: Nessus and Snort

Yeah sure, let me know how that goes for you... Nessus doesn't test websites
and isn't open source (it's free for home use), and Snort isn't a
vulnerability scanner!

To the OP: If you want to test your website for security flaws, you can do the
following (in no particular order):

- Read the OWASP Top 10: <http://www.owasp.org/index.php/Top_10_2007>

- Request a free scan from Qualys:
<http://www.qualys.com/forms/trials/qualysguard_trial/?lsid=6390>

- Download and run w3af: <http://w3af.sourceforge.net/>

- Buy Burp v1.2 (when it comes out, soon. it's only about $150) and run Burp
Scanner: <http://portswigger.net/suite/>

- Download Acunetix for a free XSS scanner:
<http://www.acunetix.com/cross-site-scripting/Copy-scanner.htm>

- Download SQLiX for a free SQL injection scanner:
<http://www.owasp.org/index.php/Category:OWASP_SQLiX_Project>

- ratproxy is a largely passive web application security audit tool:
<http://code.google.com/p/ratproxy/> and
<http://isisblogs.poly.edu/2008/07/05/ratproxy-151-tutorial/>

- Test it by hand yourself:

OWASP Testing Guide:
<http://www.owasp.org/index.php/Category:OWASP_Testing_Project>

OWASP Guide to Building Secure Web Applications:
<http://www.owasp.org/index.php/Category:OWASP_Guide_Project>

OWASP AppSec FAQ: <http://www.owasp.org/index.php/OWASP_AppSec_FAQ>

> Hiring a security expert is generally like most other things you hire an
> expert for - expensive. There's a lot to making a website "safe" and it
> involves looking at many different aspects from all sorts of different
> aspects (time consuming).

Dude, wrong again. The OP probably doesn't have an overly complicated website
given that it's just him and his buddy coding for a startup. An expert will
likely estimate the amount of time it takes to test his website in a matter of
[single-digit] hours. Also, webapp testing is the least expensive type of
security testing there is.

~~~
ca98am79
awesome - thanks very much for your help

------
poshj
I remember a few years ago, Yahoo Aussie hired a penetration testing IT
consultant to do the "test". As many have pointed out, it's expensive. I
forgot the name of the company, but you can google it for "penetration test".
dguido said a few cheaper solutions too.