P16: a blog by Matt Kangas
19 Sep 2008

Website security audits -- how to get on the right track, for web startups

Someone asked me a rather interesting question today, and I'd like to share it (and my reply) with you.

Imagine you're in charge of an internet startup. You haven't launched yet, but the product is coming together and you'll be launching and promoting it soon. Everyone on your small team is working flat-out and doesn't have a second to spare for anything. At. All.

In one of those seconds you didn't have to spare, you think, "How do I ensure our website is secure?" How do you avoid a big, gaping security breach in your shiny new webapp the moment it gets some positive press?

Usually the answer is "Ack! I don't have time for this!" and you move on. Maybe you cross your fingers the next time the thought crosses your mind.

If you happened to be a product manager at Yahoo! instead of at a startup, you'd have access to a wonderful resource: the "Paranoids". They're a highly experienced security assessment team who can quickly and clearly spell out best practices, find the booby-traps in your code, and smack your developers' wrists when necessary.

Alas, Yahoo still hasn't bought your startup yet. What now?

Here's how I replied:

I believe that one of the top guys from the Y! Paranoids team while I was there is now available for consulting. George Neville-Neil, http://www.neville-neil.com/ . He's also known as gnn@freebsd.org and is a key FreeBSD contributor. He definitely won't be your typical time-wasting consultant.

The other name that came to mind was L0pht, the old hacker group from Boston. They turned it into a real company, which was ultimately swallowed by Symantec, but it seems like a few of the guys behind it have moved on and founded another company, Veracode, which does automated security audits. Competitors in that space include Coverity, Fortify and Ounce Labs. Perhaps one of these will be useful?

By the way, I found that latter list of companies in this retrospective on the L0pht folks. It's a good read.

Information Security News: LOpht in Transition (April 2007)