Where to find ethical hacker to review code/ give instructions on fix.

[newbie101]

My situation is this. I outsourced a fairly large project. We have just finished up and im sure there are security holes all over the place. I actually had someone run some software and found minor mysql injections issues.

My question is this. From a subjective view (im not technical) what would be the best/smartest way to have someone who knows hacking review my code and give me instructions on fixes.

Currently i have

-ran software (that guy was good but got busy and bailed on me)

-posted some jobs on elance (about 2-3 highly reviewed people bid but still not sure if its the smartest route.

-finally there is a good college nearby with a really good computer science department. Tomorrow i plan on driving there and trying to get an undergrad to start reviewing code.

I would like to hear some feedback, from a non technical standpoint, knowing what you all know, what is the best strategy to securing my website up. Over 500 hour project so far, so pretty big. I noticed when it was too late they are using some GET and POST variables where most likely they shouldn't be. So again, id appreciate the feedback.

[cd1zz]

My company does this if you want a professional organization to have a look. PM if you want more information.

[MaXe]

Talking about proprietary vectors, there's also Hatforce  (There's both public and private / trusted tests, contact them for more info.)

Anyway, I do suggest that you either go through the code, or get someone else to do it. Don't make a program do it for you naturally, as it may as you say, contain several vulnerabilities.

This depends on the developer, if he or she is skilled at writing secure code to protect against (at least) the most common attack vectors nowadays.

It sounds like a good idea to e.g., give an undergrad or someone else a look at your code, but keep in mind, that if this person whether he or she says they know infosec or not, doesn't make it hackproof.

For the most optimal security, you need at least one (skilled) ethical hacker (NOT certified ethical hacker), penetration tester, code reviewer, etc., to test your application. In other words, you need someone who "loves" information security (infosec), who knows their field, and capable of mitigating any risks in the app.

The best way, is to either:
A) Make your app open source so anyone can read the source and hope some hackers review it and make advisories
B) Hire an external company
C) Use it on a website and wait until someone might hack it. (Some companies seems to go with this option, even though I don't recommend it  )

[newbie101]

For the most optimal security, you need at least one (skilled) ethical hacker (NOT certified ethical hacker), penetration tester, code reviewer, etc., to test your application. In other words, you need someone who "loves" information security (infosec), who knows their field, and capable of mitigating any risks in the app.

i agree with this, but i can not find a local guy or anywhere for that matter in which i trust. Problem is its really holding back my launch, and i must get some people there first (like groupon getting businesses to the website first). So i am just trying to figure out the fastest way of doing this and ofcoarse without paying some external 10k to try to hack the site.

You say not "NOT certified ethical hacker" can you tell me why, im guessing they are not good enough p.s. im in NY about 25 mins from manhattan, where would you guys go or how would you pick up an ethical hacker if you knew nothing about it with. Again please its really holding my launch up.

[ajohnson]

i agree with this, but i can not find a local guy or anywhere for that matter in which i trust. Problem is its really holding back my launch, and i must get some people there first (like groupon getting businesses to the website first). So i am just trying to figure out the fastest way of doing this and ofcoarse without paying some external 10k to try to hack the site.

The unfortunate reality of this situation is that securing the application at this point is going to be more time-consuming and expensive since security was an afterthought. I'm not trying to rake you over the coals, but you would have been in a much better position had security been a consideration (and priority) from the start.

If you're serious about this, you should probably avoid students and people looking for work via reverse-auctions online. This type of service requires years of experience and a high level of expertise.

This has now become a business decision where you must weigh the costs of delaying your launch and paying a high cost for professional services to going live immediately and risking an incident that may cause a loss of reputation, or worse scenarios.

You also have to consider the type of data you'll be protecting. Any type of incident is obviously undesirable, but there's a significant difference in impact when you compare an image hosting service and an online banking service. The amount of time and money you invest into security should be proportional to criticality of the data you're trying to protect. You might want to try conducting an informal risk assessment in order to estimate some numbers.

You say not "NOT certified ethical hacker" can you tell me why, im guessing they are not good enough

This is kind of an inside joke. It's a broad certification, and despite it's name, it's really not an accurate indicator of someone's actual skills. That's not to imply that all CEHs are unskilled, just that you shouldn't take it at face value and should also considered other certs, education, work experience, etc.

[newbie101]

Yes i have been searching around i see that being certified is like going to college, many graduates that are smart, but many that know less than a hobo with some experience.

Something actually just came up as i sat and stressed, i realized my cousins best friend does security at a big bank (either manager or physically does the work), they have been best friend for 20 years, he makes real deal money so has no need to steal from little me etc, and he can be trusted. I will call him later and try to get him onboard and hopefully it will be cost efficient. My goal is not even making the security extremely tight right now but i think it would be ridiculous and naive of launching without having a "expert" look at it and either say... hey your screwed, but good luck, or its not that bad just do X.Y, and Z.

Ive built a pretty complex and dynamic site in PHP so im sure there are issues. I had someone review it and said its not bad really at all... he got too busy flying around consulting, i just couldent take the down time... but i think this otherguy will really work out because he will care as if its his own not someone bidding on elance.

I also know someone working at cisco systems, hes a big guy there, he has to know someone who can do this who is good and i can trust, ill reach out to him as well. Googling my way out of this problem obviously isnt happening, time to get away from the computer to solve a computer problem if that makes any sense? Time to use that thing, a pone or phone i think it called.

[sternone]

500 hours total of coding is a project is nothing. That's not a big project.

Reading your post makes me feel that you want the best of the world without paying anything.

"If you give peanuts you get monkeys"

Good luck.

[Jamie.R]

Yes that is total ture I would perfer to pay as least I know there is a good chance they do a good job