That's a quote from one of my customers — and it's something I hear a lot.
Security creates trust, and trust makes customers pay. So you've got to make sure that your application is secure:
To answer these questions, you need to keep up with your application's security.
Security takes time - time that you don't have. And it's not a very visible feature. Your customers take security for granted. They would rather see That New Feature finally come to life.
Your team and automatic scanners take good care of security. But security is annoying. Software developers and security people need to wear two different hats all the time. So you suspect (or you know!) that after all the development, your team might not always switch the hats quick enough.
It's not that you're paranoid or something. But you need your application to follow the ever-changing security best practices. It's not that your team is sloppy, but it gets in the way and all they want is do their work.
What if you all could get what you wanted?
"The audit was very professional and made our applications so much more secure."Christoph Hugo, Tolingo Translations
What if security would no longer be a hindrance, but a feature? Something that you can announce on your marketing website.
10 years ago when I started with Rails security reviews, there were no automatic scanners. So I read the entire code and we fixed plenty of highs and lows.
Nowadays almost all applications that I audit run an automatic security scanner like brakeman. But still, those scanners don't discover an average of 3 highs per application. That's not because the tools are bad.
But those tools don't know for example:
A manual code security check focuses on the logic of the application and the interaction of all parts. Plus:
The review will focus on the current state of security. But the report will also give recommendations how to take it to the next level.
Let a manual Rails code audit take away the worry & hassle of security.
No need for a lengthy training, a short introduction is enough. After 10 years of Rails auditing, I know where to look. I'll run up the code or you'll provide me with a staging server.
The first part of the report is color-coded according to the severity of the vulnerability. The second part contains my recommendations for how to fix it.
Many security firms work with Big Business, and their price structure reflects that. I prefer to work with self-funded small businesses (like mine) at an affordable price point.
I reserve special time slots for urgent projects, so let's start tomorrow.
"Heiko performed an audit of Churn Buster's card update page functionality and delivered a thorough, well-organized, and thoughtful report. His insights made it easy for us to prioritize improvements and get them on our roadmap along with non-security work."Matt Goldman, Churnbuster
I've done countless Rails audits in the last 10 years. One of the applications is probably very much like your's. I also wrote several books, guides & my thesis about Rails security. And I'm a member of OWASP where I worked on Ruby on Rails security guides.
Yes and no. If you provide me with enough information it can work. But it will take longer and might not be 100%. The reason why all clients preferred a source code audit so far is that it's quicker and more accurate.
Most projects need only a few e-mails and I'm ready to start. Understanding how the app works in detail is a plus. But for a successful audit, I'll only need some technical details.
I specialise in Rails and its' common friends to deliver the best results. But I've also audited Go, Node and PHP apps. E-mail me about X and let's find out.
I'm running a self-funded small business, so my expenses and costs are lower. Please get your non-binding estimate below.
Many clients develop several apps, so a natural division is doing one as a test project. That will give you the freedom to fix similar vulnerabilities in the other apps yourself. And I can immediately verify the fixes in the other apps if you want to continue the audit.
Often it will be easier for you to fix them based on my detailed recommendations with code examples. That's because your team knows the code better. But if you want, I can also help implementing.
No, only me.
I've given discounts to NGOs and micro-businesses in the past. Contact me if you need help.