Ask HN: Where can I find a white hat hacker
We run a small startup with very sensitive data. We've done a lot to secure it, but I'd love to get input from a white hat and do some deeper security testing. How do I find a white hat hacker / security expert I can trust and bring into the fold for a security audit?
12 comments
[ 2.6 ms ] story [ 31.7 ms ] threadYou have sensitive data and are worried about security. This is good (far too many people aren't). Bang for buck though, you are going to do better with a very security minded developer. A good developer with OS knowledge can make sure your code base is safe from all the common vulns and follows best practices. In general, that would be a lot more useful to you than someone that would come in and maybe find a hole somewhere.
Now if you did something very nich like invented your own crypto algo, and you need a white hat crypto guy to go test it - sure - get an outside set of eyes. But for someone to check for root access being disabled over ssh and no SQL injections? Seems overkill. Fortune 500 companies will throw millions at white hats, and only find a few vulns. As a startup I don't think you can do that (unless your funding rocks).
1) A developer can only help secure your code base, not your entire infrastructure and company-wide security practices.
2) A single security-minded developer does not suddenly make the rest of your developers more security-minded (not to mention your non-developers).
3) Even the most security-minded developers may lack knowledge of specific security threats. They are primarily focused on development, not keeping up on every new vulnerability or attack technique.
I agree that cost may be an issue, but pretending that security needs can be solved by finding the right developers is pretty short-sighted.
Fortune 500 companies spend millions on pen testing and miss stuff. How much can you afford to spend for a startup, and what will your ROI be?
I have nothing against pen testing. But it should be like your 7th line of defense. Not sure most startups have the other 6 figured out....
Sounds like you want to start with feedback from Wiser Heads about your architecture, rather than a hit-and-run pen test.
We offer web application security assessments, mobile application security assessments and source code review. We also offer company training and reverse engineering services, but I'm assuming you are most interested in web app sec and source code review, correct?
Check us out if you're interested, my email is in my profile. Good luck with whatever you choose.
What stage are you in the SDLC?
My email address is in my profile - happy to chat and help you figure out the best approach.
Note that I have no affiliation with them.
[1] http://census-labs.com/