Ps_107 wrote: If any of you know of a TRUSTWORTHY candidate with proven credentials, I'd really appreciate some feedback from you.
Even though you can find unethical hackers here, most of the members on this website are ethical hackers (hence the website name) who are also trustworthy. (Often referred to as whitehats.)
What you need is a penetration tester. More specifically, someone who knows about web application security, as I figure your online business is most likely based on a website service.
In order to get a qualified candidate, you should also state what kind of technology your online business is using, such as the actual programming language (PHP? ASP? Something else?), the web server architecture (e.g., Apache? Perhaps you're using a less widely used web server?), and the database backend (MySQL? MS SQL? Oracle? Something else?).
These are very important to mention, as some ethical hackers / penetration testers / web application security experts may be specialized in one type of language, database backend or web server architecture, while naturally also knowing about the others.
However, if you're looking for some of the best, state what the person should know about, as not all penetration testers are good at finding unknown vulnerabilities (known as 0days) in web applications; some of them may actually know a lot about binary exploit development instead. (Which refers to bugs in actual programs such as a PDF reader from Adobe.)
It's impossible to get a jack of all trades who will be the best in all areas, so make sure you get what you seek. There are often 3-4 (and many more) different types I see in the community, some of which are:
- The Common Pentester / Ethical Hacker
- The Web Application Security Professional
- The Exploit Development Professional
- The Cryptology and Theoretical Professional
- The Security Life Cycle Developer
In your case, if your main concern (where the highest risk is) is the actual web application, then you need to get a web application security professional. (Someone who has specialized in web application security.)
The common pentester (i.e. penetration tester) will just run a few or many tools against your website and look for known bugs, but that is where the penetration test (or perhaps just vulnerability assessment) ends.
There is a crowd-sourced service where you can get your service tested, and even specify the rules of engagement, for less than what a normal penetration test or vulnerability assessment often costs.
I am not directly affiliated with this service, but I do participate in some of the tests there, which I take just as seriously as any other test. The great thing about this site is that you only pay for the bugs found, so if no bugs are found, you don't pay anything. (You can also specify the maximum number of bugs you wish to pay for, so you don't end up having to pay for e.g., 10 bugs, which may be out of your budget.)
If you don't think that hatforce seems like a trustworthy source, then contact the owner, as I've recently heard that they're putting together a group of selected individuals they've worked with before who can be trusted.
It's just a suggestion, as pentests generally cost quite a lot.
It also sounds great that you're going to take ethical hacking courses, but keep in mind that you need to devote a lot of time to become really good. With the right dedication, courses and mentorship, you can take a lot of shortcuts and possibly even save time and money. (Keep in mind that a lot of infosec courses are a bit expensive, but some of them even include certifications.)
If you're a complete beginner, then I suggest you start with e.g. The Hacking Dojo ( http://hackingdojo.com/ ), even though there are other providers as well. The great thing about the Hacking Dojo is that you have a mentor who can help you, and other students too. (I'm a Shodan student there as well, and whenever I have time I try to contribute to the dojo too.)
Anyone can become a hacker, but if you want to be good, then you need to dedicate yourself at some point and study hard.
Those are probably the best recommendations I can give you for now, without knowing anything about your business or about you as a person.
A good section to post this type of request in (for future reference) would be "Looking to Hire". ( http://www.ethicalhacker.net/component/ ... oard,51.0/ )