We run a small startup with very sensitive data. We've done a lot to secure it, but I'd love to get input from a white hat and do some deeper security testing. How do I find a white hat hacker / security expert I can trust and bring into the fold for a security audit?
I run Breaking Bits Security (https://breakingbits.com). We work with a lot of the YC community. Our rates are also a lot more sane than most of the larger consulting shops since we have no sales, marketing or account management teams to support :).

We offer web application security assessments, mobile application security assessments and source code review. We also offer company training and reverse engineering services, but I'm assuming you are most interested in web app sec and source code review, correct?

Check us out if you're interested, my email is in my profile. Good luck with whatever you choose.
Start a bug bounty and you'll get some attention from white hats. Or post the link here and with your permission I'll give it a quick look through.
I am not sure a white hat is going to add value in most cases.

You have sensitive data and are worried about security. This is good (far too many people aren't). Bang for buck though, you are going to do better with a very security-minded developer. A good developer with OS knowledge can make sure your code base is safe from all the common vulns and follows best practices. In general, that would be a lot more useful to you than someone who would come in and maybe find a hole somewhere.

Now if you did something very niche like invented your own crypto algo, and you need a white hat crypto guy to go test it - sure - get an outside set of eyes. But for someone to check for root access being disabled over ssh and no SQL injections? Seems overkill. Fortune 500 companies will throw millions at white hats, and only find a few vulns. As a startup I don't think you can do that (unless your funding rocks).
I would hire these guys[1]. I used to be in the same "crew" with one of them back in 2003. I trust his skills. Some of them are Phrack authors (is this a thing these days? Can't tell).

Note that I have no affiliation with them.

[1] http://census-labs.com/
Look for a company offering penetration testing services; there are quite a lot around, from one-person freelancers to large shops with 1000+ employees.
If you need someone to look over your code and configuration to verify that you're secure, check out our work at https://paragonie.com and feel free to send us an email.
What is your motivation for having security testing done? Are you subject to regulatory requirements? Or are you just doing it for your own peace of mind?

What stage are you in the SDLC?

My email address is in my profile - happy to chat and help you figure out the best approach.