
Ask HN: Security audits. Worth it? Who's good? - dataduck
Hi all,

I'm beginning a project which will create a web based software as a service. I've little experience in web security and I'm considering budgeting for a web security audit to find security issues in the finished product. The product itself doesn't need to handle payments or store personal information, although we will need to have account control and accept subscription payments somehow.

Those who have some experience here: is getting a security audit worth it in this case? And is there anyone you'd recommend for this?

Thanks.
======
zelphirkalt
If you want something good, it might be a good idea to not choose someone
"your investor knows" and would like you to work with, unless those security
people are well known. Investors potentially have other investments going on,
which you might not know about.

------
codegeek
I am not a security expert but I always start with the OWASP Top 10 as a bare
minimum:

[https://owasp.org/www-project-top-ten/](https://owasp.org/www-project-top-ten/)

Go through each item and test your application for vulnerabilities against
those.

~~~
dataduck
Thanks, this looks like a good place to start.

------
k4ch0w
Yes, generally a security audit is worth it. I am biased, as I am a security
engineer and have pentested multiple companies during my career.

There's a cost saving in designing things up front, say for GDPR or handling
credit cards safely, that is worth investing in. Sometimes a threat modeling
session alone could save you time and money in the long term. It's harder to
change things when you've built a product and have customers relying on it.

In terms of the actual product, you will have users, they will need to
login/logout/reset passwords. Ensure proper authorization and authentication.

How are you handling logs, secrets, 3PP? Do you handle customer input, do you
reflect it onto the page, store it in the database? Do you allow them to do
HTTP requests? How do you prevent SSRF?

How are you protecting your code? Laptops? Do you have antivirus? Do you patch
your infra?

These are the questions you don't really think about; however, they can have
real consequences if you don't.

In terms of who I'd recommend, you get what you pay for. Generally, I'd look
for a small shop in your local area and vet them.

Yearly pentests are a +, and if you do go through an acquisition or have someone
trying to whitelabel your product, they will want the reports.

If you don't have any revenue yet, do check out the OWASP Top 10. Run ScoutSuite
on your AWS/Azure/GCP. Enforce MFA where you can: GitHub/AWS/Gdrive/O365.
Set up SSO right away and just use that to log in to all your infra and
services. It will save you so much headache down the line. Make sure you keep
your logs, both application and service logs. Try to aggregate them somewhere.
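
Added example, not from the thread: one defender-side answer to the "do you allow them to do HTTP requests / how do you prevent SSRF" question above. The function name `is_safe_outbound_url` and the injectable `resolve` hook are assumptions for illustration; the check parses a user-supplied URL, allows only http/https, rejects credentials in the URL, resolves the host, and refuses any address that is not publicly routable (loopback, RFC 1918, link-local such as the cloud metadata range, IPv4-mapped IPv6).

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def _system_resolve(host):
    """Resolve a hostname to all its IP address strings (system resolver)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_safe_outbound_url(url, resolve=_system_resolve):
    """Return (ok, reason) for a URL the service is asked to fetch.

    Resolves the host *before* fetching so that names pointing at internal
    infrastructure (and decimal/octal IP spellings, which the resolver also
    accepts) are rejected, not only literal private IPs. To close the DNS
    rebinding window, the HTTP client should connect to the validated
    address rather than re-resolving the name itself.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        addrs = {ipaddress.ip_address(host)}  # host is an IP literal
    except ValueError:
        try:
            addrs = {ipaddress.ip_address(a) for a in resolve(host)}
        except (socket.gaierror, ValueError, OSError):
            return False, "unresolvable host"
    if not addrs:
        return False, "unresolvable host"
    for addr in addrs:
        # ::ffff:127.0.0.1 must be judged as the IPv4 address it wraps.
        if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
            addr = addr.ipv4_mapped
        if not addr.is_global:
            return False, f"non-public address {addr}"
    return True, ""
```

An allowlist of expected destination hosts is stricter and preferable where the product knows where requests should go; this check is the fallback for open URL fetching.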

~~~
giantg2
This, all this ^ (seriously)

I'm an Application Security Champion so I know what I'm talking about
(sarcasm).

~~~
giantg2
Why's this downvoted? I am seconding this information. Is it my
self-deprecating comment about being an ASC?

------
hijinks
We just went through one and it was one of the security-as-a-service ones. It
was around $18k.

So expect to pay around that and a lot more for how in depth you want them to
go.

~~~
dataduck
Youch, that's out of our price range for sure. Was that an upfront advertised
cost or did you end up getting strung along to it?

~~~
alltakendamned
Not OP, but in general you need to count on a minimum of 1K USD per man-day
unless you go with automated services, which might or might not actually give
you what you need.

------
ecesena
Another option you can look at is bug bounty programs such as Bugcrowd or
HackerOne.

