100 sats \ 3 replies \ @davidw 3 Apr freebie \ on: Web application security: top 10 vulnerabilities security
Amazing write-up. Lucky to have you here @Azik.
How do you think about overcoming this, if you’re a small under-staffed startup?
Specifically wondering about the benefits of bounties vs internal work vs specialist contractors who work in this area? Or is just something better than burying your head in the sand?
Feels like as you say, quite a large rabbit hole and no perfect security setup for any company, just risk mitigation.
Re: bounties....
For start ups, I would definitely recommend against a public bug bounty program. There are a LOT of bad faith reporters out there who are trying to convince people that their apps are full of critical vulnerabilities, and that can be a lot to weed through. Running a public bug bounty program means you're obligated to respond to every reporter, which can be overwhelming, unless you've hired an employee or a third party triage service like HackerOne to handle that work. Additionally, if your site is still relatively new, it could be more likely to have bugs, and you can find yourself putting bandaids on bandaids. Just paying upfront for a pentest is probably a better use of those resources.
That being said, running an invite-only private program can be somewhat beneficial. You're less likely to get people trying to tell you your exposed google maps API key is a critical finding, and the legitimate reports tend to come in at a more manageable pace.
Re: realistic solutions
Personally, I think trying to find a company or an individual that does consulting for startups is a good way to go, but I don't know of many.
If you're seriously looking for solutions, lmk, I do this kind of thing for a living and I'm actually looking for opportunities at the moment. But I'd be happy to help in whatever way is best for you, so I'd be happy to at least point you in the right direction if I can't help directly. We definitely need more people thinking about this kind of thing.