I’m a few months from launching my product, and I want - no, need - it to be as secure as possible.
So in a few weeks time, when I think I’ve done all the standard things that make it secure, I’d like to employ the services of a professional hacker to try and break it.
If you know of anyone with the relevant qualifications, please let me know!
I am a professional hacker: I hack bits of code together all day long, and when they don’t work I hack it to pieces and move bits around till it works, and sometimes it actually does work.
I assume you are looking for the other type of hacker though; you may have to contact a proper company for that. I think Oracle had an article on hiring an ethical hacker vs a brute force penetration security hacker, but I recall it being very expensive sadly.
Maybe join a few forums on the more seedy side of the web to ask, I am sure someone would be happy to accept the challenge.
Would a Computer Science under-graduate be a possible option? My son is doing CS at Oxford and, whilst he probably wouldn’t be up for this, he’s got friends on the same course who might. And they’re just going into their incredibly long summer holiday! He’s also got a friend doing CS at Durham who has done security testing before so I could ask if he’d be interested.
Hi Jon… yes, that would be amazing if you could do that. I always think that students are an amazing source of help when it comes to very specialist tasks. Thank you!
Not volunteering, however there are three levels you need to look at.
Firstly, the server itself: if the server is not secure then that potentially lets a hacker in at a level where Wappler security becomes irrelevant. I seem to recall you use AWS so that should be pretty good.
Second is Server Connect, the security of your server actions, which could potentially be used to extract/inject data into your database.
Lastly is browser hacks, where users do things like use dev tools to manipulate calls, change hidden input contents etc. This is probably the most common hack.
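The second and third levels in the list above (server actions that touch the database, and browser-side tampering with form posts) come down to the same defensive rule: the server action validates everything it receives and never trusts a value just because the form carried it. The following is an added example written for this thread, not code from Wappler or from any poster; it assumes a Node.js server action with hypothetical names (`validateOrderPost`, `buildInsert`), a constructed in-memory catalogue standing in for a database lookup, and a server-side session object that carries the authenticated user id.

```javascript
'use strict';

// Added example (not from the thread): server-side validation of a form post
// for a Node-based server action. Rules demonstrated:
//  - never trust hidden inputs the browser sent (they are editable in dev tools)
//  - take identity from the server-side session, not from a form field
//  - whitelist-check ids against trusted data and range-check numbers
//  - hand user data to the database only as bound parameters, never spliced into SQL

// Constructed product catalogue standing in for a database lookup (assumption).
const CATALOG = {
  'sku-100': { name: 'Basic plan', priceCents: 1000 },
  'sku-200': { name: 'Pro plan', priceCents: 5000 },
};

function validateOrderPost(body, session) {
  const errors = [];

  // Identity comes from the server-side session, never from a hidden
  // "user_id" field in the form.
  if (!session || !Number.isInteger(session.userId)) {
    errors.push('not authenticated');
  }

  // Whitelist check: the sku must exist in trusted data. hasOwnProperty.call
  // guards against prototype keys such as "__proto__" or "constructor".
  const sku = typeof body.sku === 'string' ? body.sku : '';
  const product = Object.prototype.hasOwnProperty.call(CATALOG, sku) ? CATALOG[sku] : null;
  if (!product) errors.push('unknown sku');

  // Quantity arrives as a string; it must be a small positive integer.
  const qty = Number(body.qty);
  if (!Number.isInteger(qty) || qty < 1 || qty > 100) errors.push('invalid qty');

  // Any "price" hidden input from the browser is ignored entirely; the price
  // is recomputed from the catalogue on the server.
  if (errors.length) return { ok: false, errors };
  return {
    ok: true,
    order: {
      userId: session.userId,
      sku,
      qty,
      totalCents: product.priceCents * qty,
    },
  };
}

// Build a parameterised INSERT: SQL text and values travel separately to the
// driver, so the values can never change the structure of the statement.
function buildInsert(order) {
  return {
    sql: 'INSERT INTO orders (user_id, sku, qty, total_cents) VALUES (?, ?, ?, ?)',
    params: [order.userId, order.sku, order.qty, order.totalCents],
  };
}

// Constructed request in which the hidden "price" field was lowered to 1 cent
// in dev tools. The server ignores it and charges the catalogue price.
const tampered = { sku: 'sku-200', qty: '2', price: '1' };
const result = validateOrderPost(tampered, { userId: 42 });
console.log(result); // ok: true, totalCents: 10000 (not 2)
if (result.ok) console.log(buildInsert(result.order));
```

The point to carry over into a real server action is the shape, not the names: every value the browser can influence is re-validated, every value that matters for money or ownership is re-derived from trusted server-side data, and the database only ever sees bound parameters.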
Thanks for that brilliantly succinct summary Brian.
Yes, I have just done all the setup on AWS (which is why I’ve been quiet on here for a few days!). I feel like I have something really solid on there now.
I’ll be going through the SC and AC side in the next week or so to tidy all of that up too…
I’ve had a quick chat with my son and his main comment is that he doesn’t have the experience that you’d get from a pro when it comes to pen testing. He could do the ‘standard’ tests and try to break or hack in but it wouldn’t be anywhere near the level of a pro hacker. But, it would obviously cost a lot less. He’d be happy to ask his friends if they’d be interested but I suspect you really need a pro to have a go at it to the levels of knowing it’s solid. I also suspect the price will be eye watering!
Brian is right on the Server Connect endpoints, we can easily see if those are secured or not and if you have validations and conditions set up on your form posts.
Teodor... yes, thanks for that! I remember reading that article and going
I'm going to be keeping a very close eye on the AWS data traffic as things get moving, and as you know, I'm being very careful with my app to manage too much database access!
So I'm all set up on AWS, but am open to a switch for a very good and manageable reason.
Do you know another provider who is much cheaper on bandwidth but equally (1) secure and (2) easy to set up?
I've no prior experience of hosting setup and I have little time to learn lots of new stuff, so AWS has seemed safe and easy to me...
Have just looked up a comparison article and for AWS:
Bandwidth is charged on a pay-as-you-go basis, and it is calculated on the actual bandwidth usage (GB) in your last month multiplied by AWS bandwidth charges ($0.12/GB). For example, if your server consumed 100GB bandwidth in the month, you will be charged for $12 (100GB x $0.12).
So bandwidth with most server providers usually works out at around $0.01 per GB. AWS on average is $0.12 per GB. Same with Azure, GCP, IBM etc.
Not at small scale, no.
If you scale up or start processing image/video content, large attachments, PDFs then it will start to add up quickly.
That's the problem with these big cloud providers. They make their money on larger users and contracts and aren't really interested in us small fish.
I was planning on writing a tutorial next week on how to set up your own PaaS (Heroku on steroids) on your own server (i.e. a Digital Ocean $5 droplet) with very little technical experience or maintenance needed. If there's enough interest I'll move it up my list.