Slashdot Mirror


Best Security / Vulnerability Testing Firms for Web Apps?

An anonymous reader writes "I'm in charge of a web application that must be extremely secure. Users will be submitting highly sensitive information to each other using the site. Security must be world-class. We believe we've built the site in such a way that minimizes security risks and we've implemented numerous policies and procedures company-wide to increase security. We'd like a third-party to perform exhaustive and ongoing security tests: automated tests, application testing, and more, to check for things like cross-site scripting issues, server misconfigurations, form/hidden field manipulation, command injection, cookie poisoning, known platform vulnerabilities, etc. What companies would Slashdot readers recommend for these types of services?"

3 of 93 comments

  1. Re:Post the URL! by Samschnooks · Score: 4, Insightful
    And be sure to say, "There's nooo way you'll ever be able to hack this site because I'm God's gift to website security."

    You'll get many people who'll do it for free just to knock you down and to prove their superior intellect.

  2. Re:SecureState by dvice_null · Score: 3, Insightful

    > They are pretty much the standard in most large sized organizations.

    Standard doesn't mean good. Windows is also pretty much the standard in most large sized organizations.

  3. It's not that simple. by gqx · Score: 5, Insightful

    Most of the information security consulting companies are relatively small shops (5-50 people is common) with a handful of customers each. There are also a number of security testing divisions attached to some of the largest all-around international consulting firms, but they are relied upon primarily for regulatory compliance needs (meaning: "let's get this over with as soon as possible"), and they usually combine a lack of any identifiable infosec talent with outrageous pricing.

    So, with small companies serving non-overlapping groups of customers, it is almost guaranteed that no Slashdotter (of whom only a small fraction deals with information security!) can offer a meaningful, first-hand comparison of the services of key players in the field - and even if this is incorrect, there is absolutely no guarantee that the person telling you about their experiences would in fact have a sufficiently advanced understanding of computer security to make the comparison meaningful.

    Unless you have enough in-house expertise and set up some controlled experiments, it's very difficult to tell if a positive outcome of a security audit means you are in the clear, or simply that the auditors are incompetent. To make things worse, even observing that auditor A identified n bugs in the setting in which auditor B identified n+m does not really tell you much, unless you truly understand their impact in the context of your services, or the reporting granularity and thresholds used.

    What else? Many of the small companies may rely on PR alone, and some might be outright dishonest, for example releasing inflated security research, or simply astroturfing on Slashdot or elsewhere. And some might be run by people with actual credibility in the industry, but running subpar businesses because of poor project or team management skills. Just because they present at Black Hat, post to BUGTRAQ, or have a book published, does not mean a lot (but is a positive factor, of course).

    So there's no easy solution. What you need to do is not to rely on Slashdot to give you answers, and instead, collect all the names you can easily find on the web (and in responses to this thread), then spend several days going through all the freely available primers on web application security... and come up with a decent RFQ that inquires of all the companies about their credentials, methodologies, the tools they use, sample reports they provide, and so forth. Ask technical questions, and expect them to be answered by technical people. You then need to set your bullsh*t detector to overdrive, and be wary of vague, dismissive, or nonsensical responses that look as if written by a marketing drone.

    Based on this information, you then need to make the call which one would suit your business best. Good luck. It's not easy.