Ask HN: Any recommended companies that can do security audits for startups? - bhb

I'm wondering whether or not a professional security audit would be a good investment. While we're working hard to build a very secure system, I think an outside perspective could help us identify threats we hadn't considered.
======
jamess
What sort of price are you looking to pay? I've written a lot of secure
software in the past, and I may well be able to recommend a couple of firms
who have done a similar job for me but I'm afraid they don't come terribly
cheap.

~~~
bhb
Honestly, I don't really know what kind of price is standard (or even the
amount of time an audit would take). Can you give me a ballpark number?

Off the top of my head (which is likely to be way off), I was expecting
something between $1000 - $3000

~~~
jamess
Oh, OK. The number I was looking for something close to had a couple more
zeros on the end of it, I'm afraid. A decent code audit will take about a
quarter of the time it took to write the code and its accompanying tests, and
is an extremely specialised job. I'm not sure I can recommend anything in that
sort of price range.

What is it you're actually wanting audited, and what is at stake if it turns
out to be broken?

~~~
bhb
I was imagining presenting our security model to someone (or a team), having
them ask questions, and then do some analysis of our systems to make sure
we've implemented the model correctly (and don't have other gaping holes).
Although a full audit of the code would be much more complete and secure, I
was looking for a slightly different risk/cost tradeoff.

~~~
jamess
Generally, this sort of thing isn't worthwhile unless the liabilities you're
exposed to by being broken are in excess of about $10M. Anything less than
that, and it's a job for a butch insurance policy.

If you're reasonably confident that you've got a decent security model, and
you've coded it defensively, you're probably OK. I wouldn't stress about it too
much at this point.

~~~
bhb
We're certainly under $10M in liability, we're confident in our model, and
we're seeking less formal (but free) feedback from friends and peers on it, so
I think you're right - we just won't stress about it too much right now.

Thanks a lot for the advice. I really appreciate it.

------
yan
Paging tptacek.