Slashdot Mirror


Best Security / Vulnerability Testing Firms for Web Apps?

An anonymous reader writes "I'm in charge of a web application that must be extremely secure. Users will be submitting highly sensitive information to each other using the site. Security must be world-class. We believe we've built the site in such a way that minimizes security risks and we've implemented numerous policies and procedures company-wide to increase security. We'd like a third party to perform exhaustive and ongoing security tests: automated tests, application testing, and more, to check for things like cross-site scripting issues, server misconfigurations, form/hidden field manipulation, command injection, cookie poisoning, known platform vulnerabilities, etc. What companies would Slashdot readers recommend for these types of services?"

6 of 93 comments

  1. Sandsecurity by Kredal · · Score: 1, Informative

    http://sandsecurity.com/

    This is one of the things that SandSecurity does for its clients. Try them out!

    Full disclosure: friend of the owner

    --
    Whoever stated that signature sizes should be limited to one hundred and twenty characters can just go ahead and kiss my

  2. White Hat Security by bfizzle · · Score: 3, Informative

    I've had the privilege of meeting Jeremiah Grossman at a security conference. I'd recommend reading several of his white papers and then decide if you want to call his company up. I doubt they are cheap, but the best rarely is.

    http://www.whitehatsec.com/home/index.html

    1. Re:White Hat Security by PCGod · · Score: 5, Informative

      The company I work for hired this firm to test our application late last year. I have been very impressed by their results. They perform both automated and manual testing. I receive an email after each test listing the number of vulnerabilities found and their severity. No details are sent through email. I can then log into their portal and read the details. Once an item has been fixed, you can use their portal to schedule that particular item for retest. The interface seems pretty slick and the people I've worked with on their team have been very easy to work with. I don't know how much they charge, unfortunately. I do plan to look into that once my own web application is far enough along.

    2. Re:White Hat Security by Anonymous Coward · · Score: 1, Informative

      WhiteHat Security and its CTO Jeremiah Grossman are well respected in the web application security arena. The company is also beginning to offer the SaaS model for testing too. A few other companies worth mentioning by region when it comes to web application security testing include:

      iSEC Partners, located in the northwest
      http://www.isecpartners.com

      Intrepidus Group, located in the northeast
      http://www.intrepidusgroup.com

      Praetorian, located in the central region
      http://www.praetoriangrp.com

  3. You really have to interview them by michaelvan · · Score: 5, Informative

    I worked for KPMG for ten years performing penetration tests. For the last several of those years I ran the teams and worked with clients to scope the work.

    The following is true for most big companies that have country or regional teams and for any team for that matter: there are good teams and bad teams. You're going to have to talk to the techies to get comfortable with them.

    The bad companies will use a lot of automated methods. For example they'll tell you that they have a software product that does the pen test and then they manually review the output. There are a few of those 'pen test in a box' companies out there you should avoid. Or they'll say they know what they're doing and actually run nmap, nessus and then do some poor manual testing.

    What you need is someone who will make use of some automated tools but spend a lot of time manually testing the web application. This means they are manually testing various inputs to see what they can do, and they have to know what they're talking about. I don't mind companies that rely on products like WebInspect or AppScan, but that should only be a tool and not the main show. Make sure you ask to talk to the techies and not just the sales guy, so you can ask them how a web app should be secured and what kind of things you should look for to get your app in shape before a pen test begins. What often distinguished us was that we could give free advice to help improve security even before our testing began.

    Besides some of the teams at KPMG and the other big firms (again, you have to vet each team) I would also suggest Corsaire which is a smaller company.

    In terms of scoping work you should ask for an infrastructure test and an application test. If you are really unsure of things you should ask for them also to review your architecture and things like your firewall rules. Expect to pay a minimum of 5k USD, but depending on how big your app is you may get as high as 30k. After that you can look at regular scanning, but there are a lot of companies that offer that more cheaply (like Qualys).

    Ask whoever you choose to first run an automated scan against the site so you can fix those things before they do their work. Give yourself a few weeks for that. You really really don't want them to test your site before it is ready. Otherwise it might be a waste of money. I now work for another global company but on the other side of the table: I use services from companies like KPMG. I'm still impressed with the service they and some of the biggies give us. They find things that I haven't even had a chance to hear about yet. And occasionally we'll have a really crappy B team that misses things I've already found in our apps but didn't tell them. That tends to happen more from some of our smaller vendors who magically got on our approved tester list.

  4. OWASP by jerdot · · Score: 2, Informative

    Your first stop should be OWASP, the Open Web Application Security Project. There you'll find many companies that are experts in web application security, including tools and guides to get a handle on web app sec. I'd also recommend becoming familiar with the OWASP Top 10: http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project