Looking for a Professional Hacker

I have CEH certification and spent a good few years pen testing for some high profile clients. For a basic service we would start around €2000 + IVA/Tax. This can quickly add up if onsite visits are required. First we would examine the full source of your project, and your development environment itself (easiest attack vector is to penetrate the developer). An audit could take a week or more (months in some circumstances) and we usually liaise with the host directly, and make them aware of what is about to happen as you don’t want to break your T&Cs… We would then move on to your hosting with methodical documented procedures. There is no real quick way of doing this, it’s not like we fire up nmap and run a scan, then sit on Burp all day poking inputs or skiddie injection techniques… Bit more in-depth than that. As someone who has undertaken such work I’d highly suggest NDAs are in place with the pen tester, and am sure they will also insist as some techniques and tools will likely be proprietary; either way an NDA is pretty much a standard procedure… Be prepared to have your heart ripped out! We have known some organisations even after a dismal report go live with projects only to suffer massive embarrassment further down the line, and obviously with NDAs in place they don’t get shamed as much as they should, IMHO that is… :wink:


Yes please, very very interested.


Yes, I’d be very interested in that too!

My requirements are:

  • Separate database from server so if I change server the database remains.
  • Ditto for file storage, so something like AWS S3.
  • Automatic minor updates (don’t have time for managing all that manually)
  • Data stored encrypted at rest
  • Automatic daily database backups
  • Nice graphs of server / database performance and database latency times

I want 99.lots of nines percent uptime… I’d be interested in your views on what helps or hinders that.


Thankfully my app is pretty well all database based CRUD work so that won’t be an issue… but great to hear your experience of this stuff!

Sounds like @max_gb is your personal assistant there @Antony :slight_smile:


Fantastic to hear of your experience and a brilliantly in-depth overview of what is involved Dave… Thank you!

Am falling into oxymoron land… :upside_down_face:

And when’s the next Zoom gathering @Antony? :slight_smile:


Yes, I become more and more aware of all the sensitive information I am holding on my laptop, on my phone, in my study, somewhere in Dropbox etc etc… so I can see how that becomes very relevant too!

I’d be interested to hear people’s experiences of keeping “developer information” safe! :slight_smile:

I haven’t got the time at the moment to go in depth, but past 5 nines of availability and it won’t matter.

99.999% (5 nines) of uptime is equal to about 25 seconds of downtime per 30 days.

Drop that to 4 nines and it works out at less than 1 hour of downtime every year. Unless you have an SLA with your users, IMO 4 nines is plenty and it’s extremely unlikely to become noticeable.

Backblaze has a cool article on data durability when you have some time.

It’s not all about the nines.

You should also be thinking about anycast and failover DNS and multi-zone/region server deployment for outages. But most importantly, a plan for disaster recovery. It all sounds complex but is perfectly doable on smaller budgets.


Good question!

When would we all like one?

My first real job outside of a paper round for the local newsagent was after war dialing Codemasters and Activision, both local to me (as well as DEC and HP). The police arrived at my house with British Telecom and took me to the police station. I then went every weekend to play betas of games for the Spectrum and Commodore at their headquarters! Carried on the relationship with Codemasters right up until Operation Flashpoint (both the MOD and US DOD were interested in this game (its technology, and possible use for field training) so I then went elsewhere for a few years playing a different type of game). :wink:


First Friday after v3 Stable is released? Start a new thread to get some feedback?


Hey Antony, take a look at this comparison, there are alternative hosting providers with better infrastructure and cheaper services than Amazon: https://www.troyhunt.com/serverless-to-the-max-doing-big-things-for-small-dollars-with-cloudflare-workers-and-azure-functions/

If you’re planning on selling your app as B2B, then you can always get them to pen test and, more importantly, pay for it :stuck_out_tongue_winking_eye:


I’d be interested to know what you view as “correctly” @max_gb !

As far as I understand, IAM is about human access to AWS, and since there is only me then I have just set up one IAM account in my name… and I think I have given myself the ability to do pretty well anything I want.

Would you see me setting up something more sophisticated? :thinking:

Although it is also worth knowing that I am using Elastic Beanstalk, so the IAM for the environment is set up for me…

You should be safe so long as you follow the AWS docs closely. They have good advice there on their shared responsibility policy.

That’s good to know, I assumed you were going down the EC2 route. In that case then Elastic Beanstalk will create a security group for you so you’re already one step ahead.

Be careful with your S3 permissions if you’re going to use buckets. There have been horror stories recently of unsecured S3 buckets being visible on the net with user data. Don’t forget to make use of CloudWatch too.

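The two risks raised in this exchange (an IAM user that can "do pretty well anything", and a bucket policy that exposes user data to the whole internet) are both visible in the policy JSON itself, so they can be caught with a static check before anything is deployed. The following is an added example, not code from anyone in this thread; the three policy documents are constructed samples, not real account data, and the bucket name is a placeholder.

```python
import json

# Constructed sample: an identity policy that can "do pretty well anything".
ADMIN_LIKE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})

# Constructed sample: a bucket policy that lets anyone on the internet read objects.
PUBLIC_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-user-data/*"}],
})

# Constructed sample: a narrower grant (two actions, one bucket, no anonymous principal).
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
                   "Resource": ["arn:aws:s3:::example-user-data",
                                "arn:aws:s3:::example-user-data/*"]}],
})


def _as_list(value):
    """The policy grammar allows a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"}, i.e. anyone, including unauthenticated."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def find_policy_issues(policy_json):
    """Return findings (strings) for an IAM identity or S3 bucket policy document."""
    findings = []
    for i, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access, never widen it
        if "*" in _as_list(stmt.get("Action")) and "*" in _as_list(stmt.get("Resource")):
            findings.append(f"statement {i}: Action * on Resource * (full admin)")
        if _is_anonymous(stmt.get("Principal")) and "Condition" not in stmt:
            findings.append(f"statement {i}: anonymous Principal * without a Condition")
    return findings
```

The check deliberately ignores anonymous grants that carry a Condition (for example a source-IP restriction), so it reports only the unconditional exposure the post warns about.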