views:

290

answers:

6

I'm in charge of a web application that must be extremely secure. Users will be submitting highly sensitive information to each other using the site. Security must be world-class.

We believe we've built the site in such a way that minimizes security risks, and we've implemented numerous policies and procedures company-wide to increase security.

We'd like a third party to perform exhaustive and ongoing security tests: automated tests, application testing, and more, to check for things like cross-site scripting issues, server misconfigurations, form/hidden field manipulation, command injection, cookie poisoning, known platform vulnerabilities, etc.

What are the best companies for these types of services?

+1  A: 

I am not familiar with companies that provide such services. We use HP Application Security Center. It's an automated testing tool for validating your application's security in the aspects you have mentioned.

Disclaimer: I work for HP software.

LiorH
+1  A: 

S21Sec is a very specialized security firm that holds many important institutions and firms as customers.

Tenable, the creators of the most famous VA tool, Nessus, have training and certification courses that can also be useful. Nonetheless, I don't know if they themselves offer security services.

Counterpane, the company founded by famous cryptanalyst Bruce Schneier, and now part of BT Group, offers the kind of services you are looking for too.

Fernando Miguélez
+2  A: 

I would definitely go for http://www.sectheory.com/, the guy who regularly blogs on web security at http://ha.ckers.org/blog/

dusoft
+3  A: 

I cannot tell you which company is best, but I can mention a class of services/companies that are quite popular and that I believe should be avoided. These companies run simple scripts (probably just NMAP) against the subject IP and gather superficial information to report possible vulnerabilities. One popular firm in this category is Scan Alert's "Hacker Safe".

Last year I wrote a post about my experience with this particular company: Is Your Site Hacker Safe?

The problem with Scan Alert, McAfee, etc., is that they simply scan a site for version strings and known vulnerabilities. No regard is given to the fact that some vendors, like Red Hat Enterprise Linux, will backport security fixes while retaining a prior version identifier. Worse, the actual detection of live vulnerabilities is not attempted, so actual security vulnerabilities remain undetected while false positives distract attention.

If I truly needed to know if my application or system were vulnerable to attack, I would retain the services of a reputable penetration testing consultant. I would not trust automated testing, but actual experts who will attempt to exploit any vulnerability my application/system may have.

rjamestaylor
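The false-positive mechanism described in the answer above (a scanner matching advertised version strings against a vulnerability list, while the distribution backports fixes without bumping the version) can be shown in a few lines. This is an added example, not code from the thread or from any of the vendors named; the banners, package build names, issue identifiers and "vendor errata" below are all constructed placeholders, and the issue IDs are deliberately not real advisory numbers.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed vulnerability list: issue id -> (product, first upstream version carrying the fix).
# Placeholder identifiers only; these are not real advisories.
KNOWN_ISSUES: Dict[str, Tuple[str, Tuple[int, int]]] = {
    "EXAMPLE-ISSUE-1": ("OpenSSH", (5, 4)),
    "EXAMPLE-ISSUE-2": ("OpenSSH", (6, 0)),
    "EXAMPLE-ISSUE-3": ("Apache", (2, 4)),
}

# Constructed vendor errata: installed package build -> issues the vendor backported into it
# while keeping the upstream version number in the banner (the RHEL-style situation described above).
VENDOR_BACKPORTS: Dict[str, Set[str]] = {
    "openssh-5.3p1-104.el6": {"EXAMPLE-ISSUE-1", "EXAMPLE-ISSUE-2"},
    "httpd-2.2.15-69.el6": set(),  # constructed build with no relevant backport
}

# Banner shapes a version-string scanner keys on.
BANNER_PATTERNS = [
    ("OpenSSH", re.compile(r"OpenSSH_(\d+)\.(\d+)")),
    ("Apache", re.compile(r"Apache/(\d+)\.(\d+)")),
]


def parse_banner(banner: str) -> Optional[Tuple[str, Tuple[int, int]]]:
    """Extract (product, (major, minor)) from a service banner, or None if unrecognised."""
    for product, pattern in BANNER_PATTERNS:
        match = pattern.search(banner)
        if match:
            return product, (int(match.group(1)), int(match.group(2)))
    return None


def naive_scan(banner: str) -> List[str]:
    """What a banner-only scanner reports: every known issue whose upstream fix
    version is newer than the version advertised in the banner."""
    parsed = parse_banner(banner)
    if parsed is None:
        return []
    product, version = parsed
    return sorted(
        issue
        for issue, (affected_product, fixed_in) in KNOWN_ISSUES.items()
        if affected_product == product and version < fixed_in
    )


def backport_aware_scan(banner: str, package_build: Optional[str]) -> List[str]:
    """Same version comparison, but subtract issues the vendor errata say were
    backported into the installed package build. Without knowledge of the installed
    build (the usual unauthenticated-scan case) it can only repeat the naive result,
    which is exactly where the false positives come from."""
    candidates = naive_scan(banner)
    if package_build is None or package_build not in VENDOR_BACKPORTS:
        return candidates
    return [issue for issue in candidates if issue not in VENDOR_BACKPORTS[package_build]]


if __name__ == "__main__":
    ssh_banner = "SSH-2.0-OpenSSH_5.3"  # constructed banner
    print("naive:", naive_scan(ssh_banner))
    print("with errata:", backport_aware_scan(ssh_banner, "openssh-5.3p1-104.el6"))
```

The naive scan flags both OpenSSH issues because 5.3 is older than the upstream fix versions, even though the constructed errata say this build already carries both fixes; the Apache build, by contrast, stays flagged because nothing was backported. Note that even the errata-aware variant still only reasons about version metadata; neither function verifies whether the service is actually exploitable, which is the gap the answer says only a hands-on tester closes.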
A: 

At this time I will only recommend two firms: Gunnar Peterson of Artec and Nish Bhalla of Security Compass.

jm04469
A: 

First thing, you should realize that you have several different types of options: depending on your budget and actual security needs, you might be well (enough) served by getting an automated web scanning tool; there are plenty of those out there. But take into account that these are NOT great: you can expect up to 30-40% of your vulnerabilities to be found. On the other hand, this does help clean up the low-hanging fruit that script kiddies and the like will be jumping on.

On the other side, maybe what you need is not simply penetration testing, but a more comprehensive security audit, including design reviews, code review, guidelines, etc. The answer for this will typically be different from your original question, which seemed aimed at pentesting. If you do need these, let me know and I can help with that too.

But to your direct question: a good pentesting firm depends on your region.
I might be biased, but I find Comsec Consulting to be one of the best firms out there, operating mainly in Europe and the area, but also with some clients in almost every part of the world: US, South America, Australia, etc. (Biased, because I've worked there for many years up until recently.)
Again, depending on your region there are many local, "boutique" type firms, but it's important to get references for these from clients who understand security. There are too many in this confusing field that simply feed their unknowing clients some strange info, and these clients never know better until the day they are hacked with a trivial exploit by script kiddies.

AviD