
New business - website security testing/hacking

  • 29-07-2011 4:10pm
    #1
    Registered Users, Registered Users 2 Posts: 576 ✭✭✭


    All.

    Just a quick note to ask whether there would be interest out there for website security testing/ethical hacking amongst the SMEs in our midst?

    Do many of ye do a lot of business online?
    What is the integrity of your online presence worth?
    Would you pay to have your website professionally hacked?
    If you're a web dev would you build it into the price of a website you're delivering?

    I'm working towards setting this up as a business venture - about 95% ready and just want to test the market, so to speak. I've been working in IT for the past 15 years and in this field for the last 4 years.

    As a couple of examples -
    - Tested an online jewellers recently and extracted 3000 credit cards with all of the security info and personal data to go with them - owner had a heart attack coz I did it on my iPhone outside the shop!!
    - Hit a sporting goods shop and pulled all info about their previous orders, customers and even managed to add a new discount code giving me 100% discount on all orders.

    Feedback would be great.

    Thanks to all.


Comments

  • Registered Users Posts: 338 ✭✭jimmybeige


    Sounds like a really good idea. What would be the cost of something like this?


  • Closed Accounts Posts: 9,700 ✭✭✭tricky D


    Pen testing has a market, however most companies who are in this market also provide other related services. If you are only doing pen testing you risk finding yourself idle for extended periods. To mitigate for this, you need to provide a wider range of security services. Take a look at the others in the market for ideas.

    Watch out for legal stuff re third parties (like hosters).

    Good luck.


  • Registered Users, Registered Users 2 Posts: 576 ✭✭✭ifah


    tricky D wrote: »
    Pen testing has a market, however most companies who are in this market also provide other related services. If you are only doing pen testing you risk finding yourself idle for extended periods. To mitigate for this, you need to provide a wider range of security services. Take a look at the others in the market for ideas.

    Watch out for legal stuff re third parties (like hosters).

    Good luck.

    Thanks for the replies. I'm going to concentrate on website vulnerability assessments as opposed to pen testing. I have a long term contract to keep me going during the day so I'm not too worried about idle time.

    Price wise I'm thinking under 300 per engagement but yet to be determined.


  • Registered Users, Registered Users 2 Posts: 135 ✭✭smtdos


    I think it's a good idea but would be better if you provide the option of fixing the issues you find.

    Should a good web developer not avoid these issues in the first place?

    Maybe web developers working on sites for clients would use u in a consultancy role during testing phases. IMO the security should be solid at launch/release to the client!


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    As someone who's engaged deeply in web-app security, I can safely say - a substantial portion of web developers don't have the slightest clue about security. There's certainly a market for it.

    I think you're underselling yourself for 300. I know a guy who pen-tests at 1000 a pop at an entry level, and beyond that for large corporate websites.


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    smtdos wrote: »
    I think it's a good idea but would be better if you provide the option of fixing the issues you find.

    That should be down to the web-developer to resolve. Most web application pen-testing is done with blackbox methods. We generally don't have to see the source-code to know where the attack vectors are.

    Now - take for example something like SQL injection. We can guess what a query might look like, and in principle what it would take to secure it, but without the actual source code (which most hackers won't have) it's down to the web developer to secure the code.

    The report can be passed onto the developer to act on, and if they do not know how to act on the advice offered - then they aren't qualified in the first place to be a web developer.
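    The point made above about SQL injection, as an added example that is not part of the thread: a black-box tester can infer the shape of the login query from the site's behaviour, but the fix lives in the developer's code. The schema, table and credentials below are constructed for the demonstration; the vulnerable function concatenates user input into the SQL text, the hardened one binds it as parameters.

```python
import sqlite3


def make_db():
    """Constructed in-memory database so the example runs offline (sample data only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement by string concatenation, so user input becomes
    part of the SQL grammar. This is the query shape a tester guesses at
    from the outside; the defect is only fixable in the developer's code."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterised(conn, username, password):
    """Same query with bound parameters: the driver sends values separately
    from the SQL text, so input can never alter the statement's structure."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def compare(username, password):
    """Runs both versions on the same input and returns (vulnerable, hardened)
    results so the difference in behaviour can be checked directly."""
    conn = make_db()
    return login_vulnerable(conn, username, password), login_parameterised(conn, username, password)


if __name__ == "__main__":
    # Correct credentials behave identically in both versions.
    print(compare("alice", "correct-horse"))
    # A quoting character in the input only changes the concatenated statement.
    print(compare("alice", "' OR '1'='1"))
```

The parameterised version never treats the input as SQL, so the same string that logs in through the concatenated query is simply a wrong password there.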


  • Registered Users, Registered Users 2 Posts: 135 ✭✭smtdos


    Seems like a good space to be in. Surely we're due some legislation on this issue in the next few years. If so, offering to make clients' sites "compliant" could be lucrative.

    Obviously it's only applicable to certain types of website, but I find it alarming that developers can overlook such a crucial component.


  • Company Representative Posts: 1,740 ✭✭✭TheCostumeShop.ie: Ronan


    Isn't this a very common thing already? Considering all sites that accept payments require PCI DSS. What will differentiate you from Hacker Guardian and the other QSAs?


  • Closed Accounts Posts: 13,249 ✭✭✭✭Kinetic^


    dlofnep wrote: »
    I think you're underselling yourself for 300. I know a guy who pen-tests at 1000 a pop at an entry level, and beyond that for large corporate websites.

    I agree. It's quite a specialist area and it's not like they're people doing it on every street corner like fixing laptops or providing IT support. I'd be inclined to go double what you've stated and start from there.


  • Registered Users, Registered Users 2 Posts: 576 ✭✭✭ifah


    Isn't this a very common thing already? Considering all sites that accept payments require PCI DSS. What will differentiate you from Hacker Guardian and the other QSAs?

    You would hope so, but the jewellers I mentioned had been signed off as PCI compliant 3 weeks previously.


  • Banned (with Prison Access) Posts: 225 ✭✭calahans


    Think it's a good niche area (relatively speaking). Also agree that 300 is too cheap.

    As for hacking the site with the results ready for your client meeting, well you can't beat it for a sales pitch!

