Slashdot Mirror
Best Security / Vulnerability Testing Firms for Web Apps?
An anonymous reader writes "I'm in charge of a web application that must be extremely secure. Users will be submitting highly sensitive information to each other using the site. Security must be world-class. We believe we've built site in such a way that minimizes security risks and we've implemented numerous policies and procedures company-wide to increase security. We'd like a third-party to perform exhaustive and ongoing security tests: automated tests, application testing, and more, to check for things like cross-site scripting issues, server misconfigurations, form/hidden field manipulation, command injection, cookie poisoning, known platform vulnerabilities, etc. What companies would Slashdot readers recommend for these types of services?"
We'll point out any flaws for ya ;)
[FUCK BETA]
I've had the privilege of meeting Jeremiah Grossman at a security conference. I'd recommend reading several of his white papers and then decide if you want to call his company up. I doubt they are cheap, but the best rarely is.
http://www.whitehatsec.com/home/index.html
Siemens Penetration Testing is the best name in the industry. They always leave their clients satisfied through the depth of penetration and their overall thoroughness.
> ... web application ... extremely secure ...
You contradict yourself.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
> They are pretty much the standard in most large sized organizations.
Standard doesn't mean good. Windows is also pretty much the standard in most large sized organizations.
Most of the information security consulting companies are relatively small shops (5-50 people is common) with a handful of customers each. There is also a number of security testing divisions attached to some of the largest all-around international consulting firms, but they are relied upon primarily for regulatory compliance needs (meaning: "let's get this over with as soon as possible"), and they usually combine lack of any identifiable infosec talent with outrageous pricing.
So, with small companies serving non-overlapping groups of customers, it is almost guaranteed that no Slashdotter (of whom only a small fraction deals with information security!) can offer a meaningful, first-hand comparison of the services of key players in the field - and even if this is incorrect, there is absolutely no guarantee that the person telling you about their experiences would in fact have a sufficiently advanced understanding of computer security to make the comparison meaningful.
Unless you have enough in-house expertise and set up some controlled experiments, it's very difficult to tell if a positive outcome of a security audit means you are in the clear, or simply that the auditors are incompetent. To make things worse, even observing that auditor A identified n bugs in the setting in which auditor B identified n+m does not really tell you much, unless you truly understand their impact in the context of your services, or the reporting granularity and thresholds used.
What else? Many of the small companies may rely on PR alone, and some might be outright dishonest, for example releasing inflated security research, or simply astroturfing on Slashdot or elsewhere. And some might be run by people with actual credibility in the industry, but running subpar businesses because of poor project or team management skills. Just because they present at Black Hat, post to BUGTRAQ, or have a book published, does not mean a lot (but is a positive factor, of course).
So there's no easy solution. What you need to do is not to rely on Slashdot to give you answers, and instead, collect all the names you can easily find on the web (and in responses to this thread), then spend several days going through all the freely available primers on web application security... and come up with a decent RFQ that inquiries all the companies about their credentials, methodologies, the tools they use, sample reports they provide, and so forth. Ask technical questions, and expect them to be answered by technical people. You then need to set your bullsh*t detector to overdrive, and be wary of vague, dismissive, or nonsensical responses that look as if written by a marketing drone.
Based on this information, you then need to make the call which one would suit your business best. Good luck. It's not easy.
I worked for KPMG for ten years performing penetration tests. For the last several of those years I ran the teams and worked with clients to scope the work.
The following is true for most big companies that have country or regional teams and for any team for that matter: there are good teams and bad teams. You're going to have to talk to the techies to get comfortable with them.
The bad companies will use a lot of automated methods. For example they'll tell you that they have a software product that does the pen test and then they manually review the output. There are a few of those 'pen test in a box' companies out there you should avoid. Or they'll say they know what they're doing and actually run nmap, nessus and then do some poor manual testing.
What you need is someone who will make use of some automated tools but spend a lot of time manually testing the web application. This means they are manually testings various inputs to see what they can do and they have to know what they're talking about. I don't mind companies that rely on products like WebInspect or AppScan, but that should only be a tool and not the main show. Make sure you ask to talk to the techies and not just the salesguy so you can ask them how a web app should be secured and what kind of things you should look for to get your app in shape before a pen test begins. What often distinguished us was that we could give free advice to help improve security even before our testing began.
Besides some of the teams at KPMG and the other big firms (again, you have to vet each team) I would also suggest Corsaire which is a smaller company.
In terms of scoping work you should ask for an infrastructure test and an application test. If you are really unsure of things you should ask for them also to review your architecture and things like your firewall rules. Expect to pay a minimum of 5k USD but depending on how big your app is you may get as high as 30k. After htat you can look at regular scanning but there are a lot of companies that offer that more cheaply (like Qualys)
Ask whoever you choose to first run an automated scan against the site so you can fix those things before they do their work. Give yourself a few weeks for that. You really really don't want them to test your site before it is ready. Otherwise it might be a waste of money. I now work for another global company but on the other side of the table: I use services from companies like KPMG. I'm still impressed with the service they and some of the biggies give us. They find things that I haven't even had a chance to hear about yet. And occasionally we'll have a really crappy B team that misses things I've already found in our apps but didn't tell them. That tends to happen more from some of our smaller vendors who magically got on our approved tester list.
Your first stop should be OWASP, the Open Web Application Security Project. You'll find there many companies that are experts in web application security, including tools and guides to get a handle on web app sec. I'd also recommend becoming familiar with the OWASP Top 10 http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project