[LRUG] [OT] Third party pen testing - recommendations?

Mark Woods mwoods at online.ie
Wed Mar 14 10:29:35 PDT 2012


Hi,

Just a quick, and much delayed (sorry), follow up on this...

Thanks again for all of the responses. We ended up using First Base
(http://www.fbtechies.co.uk/) to pen test the pilot version of our
app. We decided to stick with them because they were pre-approved by
the client (which would save us a lot of time and hassle), and because
they were open to negotiation regarding their fees when we told them a
little more about the app (it's really quite a simple app, albeit with
strict security requirements).

We were really very happy with the service in the end, and I'd
recommend considering them if you need to arrange pen testing. They
seemed to do a thorough job even though the testing was done within a
day, and they did actually find two medium risk issues I hadn't
spotted (brute force password attacks weren't covered due to a
misconfiguration, and there was an XSS issue due to the use of
respond_with and raw data from the db, sigh). They also rang me during
the day excited that they might have found an issue with the security
of the session cookie (they didn't, but the fact they were excited
that they might have tells me a lot about the kind of people they
are).


Mark


