
Best Security / Vulnerability Testing Firms for Web Apps?

An anonymous reader writes "I'm in charge of a web application that must be extremely secure. Users will be submitting highly sensitive information to each other using the site. Security must be world-class. We believe we've built the site in such a way that minimizes security risks and we've implemented numerous policies and procedures company-wide to increase security. We'd like a third party to perform exhaustive and ongoing security tests: automated tests, application testing, and more, to check for things like cross-site scripting issues, server misconfigurations, form/hidden field manipulation, command injection, cookie poisoning, known platform vulnerabilities, etc. What companies would Slashdot readers recommend for these types of services?"
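Two of the classes the submitter lists, hidden-field manipulation and reflected cross-site scripting, are easier to discuss with a concrete pair in front of you. The following is an added example for this thread, not code from the submitter's site or from any vendor named below: a constructed checkout handler and a constructed greeting page, each in a vulnerable and a hardened form, plus the kind of probe an automated scan runs against them. The catalogue, the handler names and the canary string are assumptions made for the example.

```python
"""Vulnerable handler beside its hardened form, plus the probe a scanner would run.
Constructed example for this thread; not the submitter's site or any vendor's tool."""
import html
from urllib.parse import parse_qs, urlencode

# Assumption: a server-side catalogue of prices in cents. The client may name an
# item, but it must never be the source of truth for what that item costs.
CATALOGUE = {"widget": 1999}


def decode_form(body):
    """Decode an application/x-www-form-urlencoded body into a flat dict (first value wins)."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def vulnerable_checkout(body):
    # Form/hidden-field manipulation: trusts <input type="hidden" name="price">
    # exactly as the browser submitted it, so the buyer sets their own price.
    form = decode_form(body)
    return {"item": form["item"], "charged": int(form["price"])}


def hardened_checkout(body):
    # The client only names the item; the price is looked up server-side and
    # any submitted "price" field is ignored.
    form = decode_form(body)
    item = form.get("item")
    if item not in CATALOGUE:
        raise ValueError("unknown item")
    return {"item": item, "charged": CATALOGUE[item]}


def vulnerable_greet(query):
    # Reflected XSS: the query parameter is interpolated into HTML unescaped.
    return "<p>Hello, %s</p>" % decode_form(query).get("name", "")


def hardened_greet(query):
    # Same page with output encoding applied for the HTML text context.
    return "<p>Hello, %s</p>" % html.escape(decode_form(query).get("name", ""))


# Probes of the kind an automated scan performs. The canary is an assumption for
# the example; the odd suffix keeps it from matching ordinary page text.
XSS_CANARY = "<svg/onload=alert(1)>zq9k"


def probe_reflected_xss(handler):
    """True if the handler echoes the canary with its angle brackets intact."""
    return XSS_CANARY in handler(urlencode({"name": XSS_CANARY}))


def probe_price_tamper(handler, expected=CATALOGUE["widget"]):
    """True if submitting a tampered hidden price changes what gets charged."""
    try:
        return handler("item=widget&price=1")["charged"] != expected
    except ValueError:
        return False


if __name__ == "__main__":
    for name, fn in (("vulnerable_greet", vulnerable_greet), ("hardened_greet", hardened_greet)):
        print(name, "reflects canary:", probe_reflected_xss(fn))
    for name, fn in (("vulnerable_checkout", vulnerable_checkout), ("hardened_checkout", hardened_checkout)):
        print(name, "accepts tampered price:", probe_price_tamper(fn))
```

The two probes are deliberately shallow: they establish that a class of bug is present, which is what a scanner is good for, and nothing about its business impact, which is the part the manual testers in this thread are being paid to work out.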
  • Sandsecurity (Score:2, Informative)

    by Kredal ( 566494 )

    http://sandsecurity.com/ [sandsecurity.com]

    This is one of the things that SandSecurity does for its clients. Try them out!

    Full disclosure: friend of the owner

    • Re: (Score:3, Funny)

      Siemens Penetration Testing is the best name in the industry. They always leave their clients satisfied through the depth of penetration and their overall thoroughness.
      • Do they require a credit card number just to talk to them?
      • Re: (Score:1, Funny)

        by Anonymous Coward

        satisfied through the depth of penetration and their overall thoroughness

        That's what my girlfriend said last night

        • require a credit card number just to talk to them

          That's what my girlfriend said last night

          There, fixed that for you.

    • Ummm... no. If you really want to enlist the services of the best in the field, talk to some folks at ISS [iss.net] (now owned by IBM) about your threat assessment needs. I've known a couple of guys there for a *long* time, and I can assure you that they are among the absolute best in the industry at penetration testing and forensic analysis.
  • by u38cg ( 607297 ) <calum@callingthetune.co.uk> on Sunday January 11, 2009 @03:54PM (#26409109) Homepage
    We'll point out any flaws for ya ;)
    • Re:Post the URL! (Score:4, Insightful)

      by Samschnooks ( 1415697 ) on Sunday January 11, 2009 @04:26PM (#26409361)
      And be sure to say, "There's nooo way you'll ever be able to hack this site because I'm God's gift to website security."

      You'll get many people who'll do it for free just to knock you down and to prove their superior intellect.

      • I'm thinking that like Sherlock Holmes, if you can get them to bother, Slashdot probably has a fairly strong LightGreyHat population. Isn't this leveraging the power of the net in its grandest form? If Submitter thinks he's got something airtight, let us have at it. You might even fool us into believing it's not advertising!

    • Here it is: Mtgoogle.as.com. Tell me once you're in.

  • White Hat Security (Score:4, Informative)

    by bfizzle ( 836992 ) on Sunday January 11, 2009 @04:06PM (#26409195)

    I've had the privilege of meeting Jeremiah Grossman at a security conference. I'd recommend reading several of his white papers and then decide if you want to call his company up. I doubt they are cheap, but the best rarely is.

    http://www.whitehatsec.com/home/index.html [whitehatsec.com]

    • by PCGod ( 86295 ) on Sunday January 11, 2009 @05:21PM (#26409871)

      The company I work for hired this firm to test our application late last year. I have been very impressed by their results. They perform both automated and manual testing. I receive an email after each test listing the number of vulnerabilities found and their severity. No details are sent through email. I can then log into their portal and read the details. Once an item has been fixed, you can use their portal to schedule that particular item for retest. The interface seems pretty slick and the people I've worked with on their team have been very easy to work with. I don't know how much they charge, unfortunately. I do plan to look into that once my own web application is far enough along.

    • Re: (Score:1, Informative)

      by Anonymous Coward

      WhiteHat Security and its CTO Jeremiah Grossman are well respected in the web application security arena. The company is also beginning to offer the SaaS model for testing too. A few other companies worth mentioning by region when it comes to web application security testing include:

      Isec Partners, located in the northwest

      Intrepidus Group, located in the northeast

      Praetorian, located in the central region

  • Securicon worked on my bank's, sorry - financial institution's online finance application. Good enough for my money- good enough for me.
    • Financial institutions don't necessarily have the best possible security; there are plenty of precedents to prove otherwise. They may or may not, but I wouldn't use that as a standard. (I've worked in the "moving other people's money" sector for several years, so this is an insider's perspective.)

      I have nothing against Securicon, they may be great, but I'd try to find out who handles testing for the credit bureaus. I've used a web interface with one of them and it was at least secure enough to take effort to u

  • Oxymoron (Score:5, Funny)

    by John Hasler ( 414242 ) on Sunday January 11, 2009 @04:17PM (#26409281) Homepage

    > ... web application ... extremely secure ...

    You contradict yourself.

  • by gqx ( 1293372 ) on Sunday January 11, 2009 @04:42PM (#26409507)

    Most of the information security consulting companies are relatively small shops (5-50 people is common) with a handful of customers each. There is also a number of security testing divisions attached to some of the largest all-around international consulting firms, but they are relied upon primarily for regulatory compliance needs (meaning: "let's get this over with as soon as possible"), and they usually combine lack of any identifiable infosec talent with outrageous pricing.

    So, with small companies serving non-overlapping groups of customers, it is almost guaranteed that no Slashdotter (of whom only a small fraction deals with information security!) can offer a meaningful, first-hand comparison of the services of key players in the field - and even if this is incorrect, there is absolutely no guarantee that the person telling you about their experiences would in fact have a sufficiently advanced understanding of computer security to make the comparison meaningful.

    Unless you have enough in-house expertise and set up some controlled experiments, it's very difficult to tell if a positive outcome of a security audit means you are in the clear, or simply that the auditors are incompetent. To make things worse, even observing that auditor A identified n bugs in the setting in which auditor B identified n+m does not really tell you much, unless you truly understand their impact in the context of your services, or the reporting granularity and thresholds used.

    What else? Many of the small companies may rely on PR alone, and some might be outright dishonest, for example releasing inflated security research, or simply astroturfing on Slashdot or elsewhere. And some might be run by people with actual credibility in the industry, but running subpar businesses because of poor project or team management skills. Just because they present at Black Hat, post to BUGTRAQ, or have a book published, does not mean a lot (but is a positive factor, of course).

    So there's no easy solution. What you need to do is not to rely on Slashdot to give you answers, and instead, collect all the names you can easily find on the web (and in responses to this thread), then spend several days going through all the freely available primers on web application security... and come up with a decent RFQ that asks all the companies about their credentials, methodologies, the tools they use, sample reports they provide, and so forth. Ask technical questions, and expect them to be answered by technical people. You then need to set your bullsh*t detector to overdrive, and be wary of vague, dismissive, or nonsensical responses that look as if written by a marketing drone.

    Based on this information, you then need to make the call which one would suit your business best. Good luck. It's not easy.

    • Go to some IT giant that performs this job, like Accenture maybe. They have the best of the ability and workforce to do this task.
  • Be sure that, whoever does your testing, your company's "policies and procedures" are both satisfactory and being reliably followed by all employees. Social engineering is quicker, cheaper, easier, and more difficult to detect and track, generally speaking, than hacking in through some obscure loophole in the application.

    Your people need to know what not to do, what not to say, and whom not to talk to, or your iron-clad web app may as well be tin foil. A top-notch security analysis company should be able to

  • by michaelvan ( 1450157 ) on Sunday January 11, 2009 @05:15PM (#26409815)
    I worked for KPMG for ten years performing penetration tests. For the last several of those years I ran the teams and worked with clients to scope the work.

    The following is true for most big companies that have country or regional teams and for any team for that matter: there are good teams and bad teams. You're going to have to talk to the techies to get comfortable with them.

    The bad companies will use a lot of automated methods. For example they'll tell you that they have a software product that does the pen test and then they manually review the output. There are a few of those 'pen test in a box' companies out there you should avoid. Or they'll say they know what they're doing and actually run nmap, nessus and then do some poor manual testing.

    What you need is someone who will make use of some automated tools but spend a lot of time manually testing the web application. This means they are manually testing various inputs to see what they can do, and they have to know what they're talking about. I don't mind companies that rely on products like WebInspect or AppScan, but that should only be a tool and not the main show. Make sure you ask to talk to the techies and not just the sales guy, so you can ask them how a web app should be secured and what kind of things you should look for to get your app in shape before a pen test begins. What often distinguished us was that we could give free advice to help improve security even before our testing began.

    Besides some of the teams at KPMG and the other big firms (again, you have to vet each team) I would also suggest Corsaire which is a smaller company.

    In terms of scoping work you should ask for an infrastructure test and an application test. If you are really unsure of things you should ask them also to review your architecture and things like your firewall rules. Expect to pay a minimum of 5k USD, but depending on how big your app is you may get as high as 30k. After that you can look at regular scanning, but there are a lot of companies that offer that more cheaply (like Qualys).

    Ask whoever you choose to first run an automated scan against the site so you can fix those things before they do their work. Give yourself a few weeks for that. You really really don't want them to test your site before it is ready. Otherwise it might be a waste of money. I now work for another global company but on the other side of the table: I use services from companies like KPMG. I'm still impressed with the service they and some of the biggies give us. They find things that I haven't even had a chance to hear about yet. And occasionally we'll have a really crappy B team that misses things I've already found in our apps but didn't tell them. That tends to happen more from some of our smaller vendors who magically got on our approved tester list.
  • Cenzic will test your web security for you.
    Check out their "Click to Secure" service.
    They are first class and will tell you if things are secure.

  • Just a tip: ask multiple companies to do the first audit. You'll likely get very different results, go from there.

    <shameless plug>
    I do pen tests for clients (both government and banking) via my company. I wouldn't call myself the best, but there's always something that can be found.
    </shameless plug>
  • As someone that used to lead teams that did this kind of work, too little attention was paid to the thoroughness of the testing by both client and testers. "What is supposed to be tested", "what was tested" and "what were the results" were simple questions that I would ask but testers and client were only interested in "what vulnerabilities were found". I could have 100 interesting findings but have only tested 1 out of 10 components that were supposed to be tested - and that was fine! You should make a lis
  • I can't answer the question about recommending a testing company. However, I can tell you that you will need to have your app re-tested at regular intervals, as well as after any change (no matter how small) to the code or infrastructure. You need to build that into your plan and budget, and you need to have the tests run against your staging/QA setup so that you can catch problems before they hit the production site, as well as against your production environment.


  • I'm in charge of a web application that must be extremely secure. Users will be submitting highly sensitive information to each other using the site. Security must be world-class.

    And your way of approaching this problem is to "ask slashdot"? Ye gods.

    • "Consulting Search Fee Saved, $5000. Giving people the chance to earn Informative Karma, Priceless!"

    • Nothing wrong with tossing a question like this out to Slashdot. Someone might bring up the name of a company of which the OP is unaware, and post other information about what to look for in such a company.

      Actually, that second bit has already happened.

      I have found that even some of the most "stupid" questions posted on Slashdot can generate some interesting discussion. Isn't that the point?

      • But shouldn't somebody who is leading a project which absolutely requires world-class security, already be well-versed in world-class security, rather than not even knowing where to start?
  • I do not think anyone can recommend the "best" company as the criteria for "best" depend on your business needs.
    That being said, I would recommend sending a request for proposal (or call for tender, I never know the correct name for this) to 5 companies with local offices so you can meet the ethical hackers if needed. This is good to avoid relying on a bunch of "not so white" hackers with little knowledge of collateral damage and the potential impact of the pentest on the information system.

    Make sure the intru

  • It is rare that I would get into a discussion like this, since it often will devolve into the equivalent of a perl vs python war, or at a minimum, vendors will try to sell their warez.

    When hiring a company for an application penetration test, I like to look towards those who are actively involved in research within the security community, and hire people that contribute to the community heavily as well. For example, does the firm have people on staff that discovered and disclosed new vulnerabilities? Does t

  • OWASP (Score:2, Informative)

    by jerdot ( 1450199 )
    Your first stop should be OWASP [owasp.org], the Open Web Application Security Project. You'll find there many companies that are experts in web application security, including tools and guides to get a handle on web app sec. I'd also recommend becoming familiar with the OWASP Top 10 http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project [owasp.org]
  • I know it's sometimes a pain and can take time, but you might want to consider putting out an RFP for an application test. Depending on the size of your company and procurement policies, you might be required to put the job out for bid anyway. It also gives you a good idea about what's out there. Let me warn you, however, that if you're only looking to satisfy an audit requirement, you're probably wasting your time, as you'll probably be forced to choose the lowest bid, which will most likely provide the leas
  • The Security Team at Cornell University is amazing IMO. Talk to them.
  • Security must be world-class.

    "WORLD CLASS: A phrase used by provincial cities and second-rate entertainment and sports events, as well as a wide variety of insecure individuals, to assert that they are not provincial or second-rate, thereby confirming that they are."

  • "We believe we've built site in such a way that minimizes security risks and we've implemented numerous policies and procedures company-wide to increase security."

    This is by far your biggest security threat that you should worry about before any penetration testing. The idea that implementing policies and procedures will somehow increase security. Relying on humans to adhere correctly to policies and procedures as a security measure is probably a sure fire way to end up with a security leak.

    You should be wo

  • IBM AppScan (AppScan or Enterprise) was developed by Watchfire and then acquired by IBM for the sole purpose of Web application security testing. When you bring in a group of security testers they usually use a tool to help them with the automated testing, but if you get this then you can have your developers do their own testing as well as have security consultants use the data to perform their own pen testing. (Posted it under anonymous without thinking)
  • I would agree with the post in favor of Jeremiah Grossman at WhiteHat Security. Jeremiah and his team do great work in this space, and their research is top notch.

    I also wanted to offer our company's services as well. InGuardians is also well known in the industry. Our team frequently presents at major security conferences, both commercial (BlackHat, SANS, ...) and community (Defcon, Toorcon, Shmoocon, ...). In fact, I'm sure if you spoke with Jeremiah, he would give us a shining recommendation as well. And

  • I'll add another plug in the parade of shameless plugs.

    My employer is Fortify Software; we make a static analyzer that performs good quality cross tier analysis of popular languages like Java, JavaScript and PHP.

    In addition to the static analysis, we also have a QA assistance tool that uses Java bytecode instrumentation to follow taints dynamically through the application and correlate with the static findings.

