
Ask HN: Who do you go with for security audits?

5 points, by sekasi, about 10 years ago
As title suggests, when it comes to doing an overall audit of your digital ecosystem, finding vulnerabilities and identifying weaknesses, who do you go to?

Finding myself in unfamiliar territory and I would cherish some recommendations. Serious budgets.

Thanks

5 comments

netcorps, about 10 years ago

- Investigate integrating solutions such as Checkmarx or Veracode into your SDLC (for ongoing code level static analysis), do not look just for one-off assessments of your system.

- Run manual penetration tests or vulnerability assessments depending on your confidence in the state of your system. Either choose a pentesting boutique close to you if you like meeting people in person or pick a company that runs tests with a group of people, not a single auditor. The results will likely be much better then.

If you're looking for a solution for team based security testing take a look at http://www.applause.com/security-testing (Disclaimer: I am security team lead at Applause. Disregard that marketing pricing calculator on the webpage)

If you're looking to test any type of app dealing with the protection of digital goods, e.g. Books / DRM / Audio / Video / Paid features, we're specialists for that.

We're deploying teams of white hat security experts to run security tests, including automatic scans on web, mobile, desktop applications.

General process: => Lead security expert carries out risk assessment to craft custom test plan => Penetration test or vulnerability assessment (realtime results in 24/7 web platform) => Deduplicated, validated and prioritized results with remediation advice => Customer fixes vulnerabilities => Retesting of vulnerabilities to verify fixes are effective

First results, often critical vulnerabilities, usually trickle in within minutes of starting the test.
xrownow, about 10 years ago

https://www.appliedtrust.com/

The great thing here, they don't have any sales people, only engineers, so when you call up, you get someone who actually knows what they are talking about.
bayonetz, about 10 years ago

http://www.praetorian.com/

These guys were great. I used them for an audit of one of our web apps. Their audit report was easy to digest and take action on.
JoachimSchipper, about 10 years ago

This is rather vague - do you want your network secured, do you want someone to phish you to convince your boss to invest in additional training, do you need a webapp pentest, would you like help with a secure software development process?

(My employer - Fox-IT.com - can help with most of those, but smaller shops have only a single, focused, team.)
dsacco, about 10 years ago

Hey there, I work at Accuvant on the application security team. We work with a lot of the top tech companies and Fortune 500. We offer services across the entire spectrum of security consulting. You can see everything we offer here: http://www.accuvant.com/services/enterprise-consulting

If you choose an audit from our company for a web app or mobile app, I (or one of my coworkers) would be the one doing the audit, so I can answer literally any question you have about the entire process. I'm not a salesman, and I don't make commission, so I'll speak very candidly about the process.

My team (application security) primarily performs application penetration testing and vulnerability assessment where a group of consultants will take a fine comb to your entire tech stack. If you want to give us source code to analyze, all the better, and we will do so both manually and using automated tools. We do not heavily rely on automated tools for any type of testing, and our technical skill is very high overall on the team, with a huge diversity of skillsets and experience.

We communicate with clients constantly and send detailed reports at least once a week detailing our progress and any findings. At the end of the assessment, we provide a final deliverable which details everything, along with remediation recommendations and "where to go from here."

A serious audit of your web app will run you in the low tens of thousands, figure between $10,000 on the low end and $30,000 on the high end - this is what it will cost at any good firm in the United States. For that price you will get two weeks or so - 80 hours - of comprehensive testing on your application. Expect around $20,000. If you're doing something much more specialized like auditing a cryptosystem or doing reverse engineering, or packaging red teaming/incident response into the assessment, you're going to add quite a bit more.

We prefer working on staging or preview environments, but we will test your production environment if you'd rather we do that. We also accommodate different hour requests - for example, only performing automated testing during off-business hours and matching you with a consultant in your time zone.

Most of our clients choose to book us remotely, but we can and will go onsite for you if you'd like.

My email is in my profile, so if you'd like to talk more you're more than welcome to reach out. Good luck!