[For hire] Free security audits (promotion)
Posted: Wed Apr 06, 2011 12:33 pm
Why is it free and where is the catch?
I've been researching vulnerabilities and secure coding practices for quite some time. I've published a few security articles and I am frequent contributor to the security subforum here. Now I am starting my own security audit business and I'm aiming to bootstrap it with this promotion.
The catch is that I limit the amount of free work on a given site and you only get a report. This comes with no obligation to you, but you are free to express your gratitude by:
- Hiring me for additional security consulting.
- Hiring me for fixing the security problems I found, or audit the fixes made by a third party.
- Giving me permission to publish a short case study, either anonymously or listing you as a client.
- Sending me a paragraph or two of feedback about your experience with my work, which I can use to promote my services.
- Recommending my services around.
What exactly do you offer?
Three hours of "whitebox" source code auditting for absolutely no cost. This would be enough to find the "lowest hanging fruit" vulnerabilities that might lurk in your site. I will concentrate on finding the worst possible security problems, which usually means:
- arbitrary code execution
- authorization bypassing
- access to the database
If the worst thing that can happen to your site is something different (defacement? denial of service? spam?), I can pay specific attention to it as well, within the limits of your three free hours. For larger codebases it might not be possible to cover everything, so we should by all means discuss your priorities.
What do you need to do it and what do I get in the end?
I would need a complete copy of your site source code and database schema which I can install and test locally. I don't need the *data* inside the database, but it would help me test faster if you send it to me. Of course if you keep sensitive data in there, definitely send only the schema. I can help you with this if you need assitance. I will also sign a NDA if you so require.
As a result of the audit, you get a report listing which code areas were covered by the audit and what security problems were found in them. If the time limit permits it, proof-of-concept exploits will be demonstrated.
If you have further questions, post them here or on PM.
I've been researching vulnerabilities and secure coding practices for quite some time. I've published a few security articles and I am frequent contributor to the security subforum here. Now I am starting my own security audit business and I'm aiming to bootstrap it with this promotion.
The catch is that I limit the amount of free work on a given site and you only get a report. This comes with no obligation to you, but you are free to express your gratitude by:
- Hiring me for additional security consulting.
- Hiring me for fixing the security problems I found, or audit the fixes made by a third party.
- Giving me permission to publish a short case study, either anonymously or listing you as a client.
- Sending me a paragraph or two of feedback about your experience with my work, which I can use to promote my services.
- Recommending my services around.
What exactly do you offer?
Three hours of "whitebox" source code auditting for absolutely no cost. This would be enough to find the "lowest hanging fruit" vulnerabilities that might lurk in your site. I will concentrate on finding the worst possible security problems, which usually means:
- arbitrary code execution
- authorization bypassing
- access to the database
If the worst thing that can happen to your site is something different (defacement? denial of service? spam?), I can pay specific attention to it as well, within the limits of your three free hours. For larger codebases it might not be possible to cover everything, so we should by all means discuss your priorities.
What do you need to do it and what do I get in the end?
I would need a complete copy of your site source code and database schema which I can install and test locally. I don't need the *data* inside the database, but it would help me test faster if you send it to me. Of course if you keep sensitive data in there, definitely send only the schema. I can help you with this if you need assitance. I will also sign a NDA if you so require.
As a result of the audit, you get a report listing which code areas were covered by the audit and what security problems were found in them. If the time limit permits it, proof-of-concept exploits will be demonstrated.
If you have further questions, post them here or on PM.