Feedback req'd - Website Security / Penetrantion Testing

ifah

All,

We've experienced a stall point in my startup venture that looks like we will be suspended for at least 6 months so I have some time on my hands and am looking towards the next venture.

This event and the recent thread by Dean0088 with regard to his new venture has encouraged me to come back to this forum as a sounding block again. I raised this as a venture a couple of years ago but could not invest energy into getting off the ground as another venture came along.

Background : I'm a self-employed IT Consultant - Enterprise Architecture mainly but have also been working in Online Security for the past number of years on a mainly part time basis. I have a group of very experienced consultant hackers who work for me on an engagement by engagement basis as I need to bring additional skills on board.

We do Online and Application level Security & Vulnerability Assessments with a significant success and happiness rating from our clients.

All of the recent high profile hacking cases have been driving business but the main gap in the market that I see is that most of the smaller operations are either unwilling or cannot afford to go to the big players in the Irish market.

So my questions are :
- Have you completed an impact assessment to your business with a security breach in mind ?
- If you have an online presence, have you considered Security testing ?
- Do you expect your Web Development team to include Security Testing as part of their deliverable ?
- What measures have you taken to secure your online investment ?
- Would you use a smaller operator for Testing services ?
- Could you put a price point on a website vulnerability test (I have price points in mind and obviously this depends on site complexity but would love to see what people would consider affordable / expensive) ?

Any / all feedback would be great.

Thanks.

Graham

You're going to find that a really tough sell, particularly at the small end of the SME market where pretty much all the security work is reactive rather than proactive.

ifah

Graham wrote: »

You're going to find that a really tough sell, particularly at the small end of the SME market where pretty much all the security work is reactive rather than proactive.

Thanks Graham - absolutely it would be a tough sell at the lower end of the SME market - that's what I hope some feedback on this forum will give me. there are obvious economies of scale at play here but small businesses can be generating a significant % of their income from online activities and any interruption to that revenue stream can be hugely troublesome to their business model.

I just hope that I can match my model with some of theirs and generate a business from that.

Peterdalkey

Never give it a thought, we have about 10 sites, 8 of which are boring B2B brochure type sites and landing pages. They are backed up and contain nothing that is not open to public view, in any case. The 2 B2B eComm sites are hosted CMS in a very secure set up run by our provider, Even our own SEO had his benign web scanner crawler booted out!! They are all over security, so we dont bother!
Email and network security are very important to us and we spend good dough on top anti-virus and firewalls... our network guy looks after that aspect.

Peterdalkey

Most of us would not even know what PEN testing is!I suggest you should change the title for more feed back!!

mneylon

The market is already very well served

At the low end there's a load of companies offering website scanning services

At the higher end it's much more specialised and costly

Atomico

ifah wrote: »

All,

We've experienced a stall point in my startup venture that looks like we will be suspended for at least 6 months so I have some time on my hands and am looking towards the next venture.

This event and the recent thread by Dean0088 with regard to his new venture has encouraged me to come back to this forum as a sounding block again. I raised this as a venture a couple of years ago but could not invest energy into getting off the ground as another venture came along.

Background : I'm a self-employed IT Consultant - Enterprise Architecture mainly but have also been working in Online Security for the past number of years on a mainly part time basis. I have a group of very experienced consultant hackers who work for me on an engagement by engagement basis as I need to bring additional skills on board.

We do Online and Application level Security & Vulnerability Assessments with a significant success and happiness rating from our clients.

All of the recent high profile hacking cases have been driving business but the main gap in the market that I see is that most of the smaller operations are either unwilling or cannot afford to go to the big players in the Irish market.

So my questions are :
- Have you completed an impact assessment to your business with a security breach in mind ?
- If you have an online presence, have you considered Security testing ?
- Do you expect your Web Development team to include Security Testing as part of their deliverable ?
- What measures have you taken to secure your online investment ?
- Would you use a smaller operator for Testing services ?
- Could you put a price point on a website vulnerability test (I have price points in mind and obviously this depends on site complexity but would love to see what people would consider affordable / expensive) ?

Any / all feedback would be great.

Thanks.

Very much a reactive 'we'll sort it if it happens' type thing for the vast majority of your target market. Just wouldn't be on their radar, and even those who are fairly clued in would probably only be doing the minimum amount required in that area.

ifah

Peterdalkey wrote: »

Most of us would not even know what PEN testing is!I suggest you should change the title for more feed back!!

Fair point. Thanks

beauf

ifah wrote: »

... cannot afford to go to the big players in the Irish market....

So price range is the target market?

ifah

Blacknight wrote: »

The market is already very well served

At the low end there's a load of companies offering website scanning services

At the higher end it's much more specialised and costly

Agreed - there are lots of scanning services but that's not what I'm offering. I / we already do all of the specialised testing. I'm trying to work out a model where we can make the specialised services available to a wider market.

Thanks for input.

ifah

beauf wrote: »

So price range is the target market?

Sorry - I don't understand this comment.

ifah

Atomico wrote: »

Very much a reactive 'we'll sort it if it happens' type thing for the vast majority of your target market. Just wouldn't be on their radar, and even those who are fairly clued in would probably only be doing the minimum amount required in that area.

Agreed and that's been my experience with a lot of SME's also. I'm just trying to work out whether there is scope to change this view. Kinda similar to peoples attitude to SEO in fairly recent past - most adopted a build it and they will come attitude.

Graham

SEO equates to additional revenue for most sites though, that makes it a much much easier sell.

ifah

Graham wrote: »

SEO equates to additional revenue for most sites though, that makes it a much much easier sell.

True - it's definitely easier to sell a positive rather than a negative (like security testing) but the media coverage of all of the larger breaches these days make it an easier sell.

beauf

ifah wrote: »

Sorry - I don't understand this comment.

What price range of product are you offering? Under 2k I'm assuming.

ifah

beauf wrote: »

What price range of product are you offering? Under 2k I'm assuming.

Yes for the majority of sites but if it's a complex site / mobile app etc it may cost more..

beauf

Any more and you're competing with the big firms.

uck51js9zml2yt

Small firms don't consider security of their online presence.
We used to tell them about the 5.5bn hacks in 2012 worldwide. It usually got their attention but budget was normally an issue even if they had been hacked.
Uphill battle I would think.