HACKER Q&A
📣 dataduck

Security audits. Worth it? Who's good?


Hi all,

I'm beginning a project which will create a web based software as a service. I've little experience in web security and I'm considering budgeting for a web security audit to find security issues in the finished product. The product itself doesn't need to handle payments or store personal information, although we will need to have account control and accept subscription payments somehow.

Those who have some experience here: is getting a security audit worth it in this case? And is there anyone you'd recommend for this?

Thanks.


  👤 zelphirkalt Accepted Answer ✓
If you want something good, it might be a good idea to not choose someone "your investor knows" and would like you to work with, unless those security people are well known. Investors potentially have other investments going on, which you might not know about.

👤 codegeek
I am not a security expert but I always start with OWASP Top 10 for bare minimum:

https://owasp.org/www-project-top-ten/

Go through each item and test your application for vulnerabilities against those.


👤 k4ch0w
Yes, generally a security audit is worth it. I am biased, as I am a security engineer and have pentested multiple companies during my career.

There's a cost saving in designing things up front, say for GDPR or handling credit cards safely, that is worth investing in. Sometimes a threat modeling session alone could save you time and money in the long term. It's harder to change things when you've built a product and have customers relying on it.

In terms of the actual product, you will have users, they will need to login/logout/reset passwords. Ensure proper authorization and authentication.

How are you handling logs, secrets, 3PP? Do you handle customer input? Do you reflect it onto the page or store it in the database? Do you allow users to trigger HTTP requests? How do you prevent SSRF?

How are you protecting your code? Laptops? Do you have antivirus? Do you patch your infra?

These are the questions you don't really think about, however they can have real consequences if you don't.

In terms of who I'd recommend, you get what you pay for. Generally, I'd look for a small shop in your local area and vet them.

Yearly pentests are a plus, and if you do go through an acquisition or someone wants to white-label your product, they will want the reports.

If you don't have any revenue yet, do check out the OWASP Top 10. Run scoutsuite on your AWS/Azure/GCP. Enforce MFA where you can: GitHub/AWS/Gdrive/O365. Set up SSO right away and just use that to log in to all your infra and services. It will save you so much headache down the line. Make sure you keep your application and service logs. Try to aggregate them somewhere.
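
The SSRF question in the post above ("Do you allow users to trigger HTTP requests? How do you prevent SSRF?") is the one item in that list that comes down to a concrete piece of code. The following is an added example, not code from the thread or from any commenter: a guard that vets a user-supplied URL before the server fetches it. It only allows http/https, refuses embedded credentials, resolves the hostname up front, rejects the request if any answer is loopback, private, link-local (which covers the 169.254.169.254 cloud metadata endpoint), multicast or reserved, and returns the vetted IP so the caller connects to exactly the address that was checked rather than resolving the name a second time. The DNS table, hostnames and function names are constructed for the demonstration; the default resolver is the system one.

```python
"""
Outbound-URL guard against SSRF (added example, not from the thread).

Flow: parse -> scheme/credential checks -> resolve host -> reject if any
answer is non-public -> return (hostname, pinned_ip).  Connect to pinned_ip
and send `hostname` as Host/SNI so DNS cannot be re-answered between the
check and the connect (DNS rebinding).
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


class UnsafeUrl(ValueError):
    """Raised when a URL must not be fetched on a user's behalf."""


def _default_resolve(host):
    """System resolver: all A/AAAA answers for host, as IP strings."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return [sockaddr[0] for _fam, _type, _proto, _canon, sockaddr in infos]


def _is_public(ip):
    """True only for globally routable unicast addresses."""
    addr = ipaddress.ip_address(ip)
    # ::ffff:10.0.0.1 is a private IPv4 address wearing an IPv6 coat.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr.is_global and not (
        addr.is_private or addr.is_loopback or addr.is_link_local
        or addr.is_multicast or addr.is_reserved or addr.is_unspecified
    )


def vet_outbound_url(url, resolve=_default_resolve):
    """Return (hostname, pinned_ip) for a fetchable URL, else raise UnsafeUrl."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeUrl(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise UnsafeUrl("credentials embedded in URL")
    host = parts.hostname  # urlsplit strips the [] around IPv6 literals
    if not host:
        raise UnsafeUrl("missing host")
    # Literal addresses never hit DNS; anything else is resolved.
    try:
        candidates = [str(ipaddress.ip_address(host))]
    except ValueError:
        try:
            candidates = resolve(host)
        except socket.gaierror as exc:
            raise UnsafeUrl(f"cannot resolve {host!r}: {exc}") from exc
    if not candidates:
        raise UnsafeUrl(f"no addresses for {host!r}")
    # Reject if ANY answer is internal: an attacker-controlled zone can mix a
    # public record with a private one and hope the client picks the latter.
    for ip in candidates:
        if not _is_public(ip):
            raise UnsafeUrl(f"{host!r} resolves to non-public address {ip}")
    return host, candidates[0]


def is_allowed(url, resolve=_default_resolve):
    """Boolean convenience wrapper around vet_outbound_url."""
    try:
        vet_outbound_url(url, resolve)
        return True
    except UnsafeUrl:
        return False


# Constructed DNS table so the demo runs offline (hostnames are made up).
_DEMO_DNS = {
    "api.example.test": ["93.184.216.34"],
    "v6.example.test": ["2606:2800:220:1:248:1893:25c8:1946"],
    "rebind.example.test": ["93.184.216.34", "10.0.0.5"],  # mixed answers
    "mapped.example.test": ["::ffff:169.254.169.254"],      # mapped metadata IP
    "2130706433": ["127.0.0.1"],  # decimal 127.0.0.1, as inet_aton would resolve it
}


def _demo_resolve(host):
    """Stand-in for socket.getaddrinfo backed by the constructed table."""
    try:
        return _DEMO_DNS[host]
    except KeyError:
        raise socket.gaierror(f"no such host: {host}")


if __name__ == "__main__":
    for u in ["https://api.example.test/report?id=7", "http://127.0.0.1:8080/admin",
              "http://169.254.169.254/latest/meta-data/", "http://rebind.example.test/",
              "http://mapped.example.test/", "http://2130706433/", "file:///etc/passwd"]:
        print(f"{'allow' if is_allowed(u, _demo_resolve) else 'block':5} {u}")
```

Two caveats worth knowing when wiring this into a real fetch: the HTTP client must also be stopped from following redirects blindly (each redirect target needs the same vetting, since `http://api.example.test/` can 302 to `http://10.0.0.5/`), and the client must be made to connect to the returned IP rather than re-resolving the hostname, otherwise the check is only as good as the TTL of the first DNS answer.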


👤 hijinks
We just went through one with one of the security-as-a-service providers. It was around $18k.

So expect to pay around that, and a lot more depending on how in-depth you want them to go.


👤 ecesena
Another option you can look at is a bug bounty program, such as Bugcrowd or HackerOne.