You've been hacked!

... Ever had your wallet stolen? That's what being hacked is like -- but possibly 10,000 times worse (depending on what they stole or destroyed).

What does Ethical Hacking / Code Auditing Cost?

Many clients want to know specifically what we look for when performing a security audit. They are also curious about how much testing is required and how much it costs.

The simple answer is that the amount of testing you do should be determined by the size of the damage that would result from a breach. If the loss of data is a considerable risk, then a full audit should be conducted on a regular basis. You should be using in-house tools as well as having an outside firm perform periodic penetration tests.

The first step is the code review, which covers:

  Configuration errors
  Application loopholes in server code or scripts
  Advice on data that could have been exposed due to past errors
  Testing for known vulnerabilities
  Reducing the risk and enticement to attack
  Advice on fixes and future security plans

What we're looking for and the type of tests we run are based on what's found within the code. For example, if we find weaknesses in a certain portion of the code, there's no reason to try exploiting it; it would be a waste of time to initiate penetration testing on that section. If we see a hole in a screen door, we don't need mosquitoes to confirm they're able to enter.

Typical issues uncovered in our testing include:

  Back doors and debug options
  Cross-site scripting
  Broken ACLs/Weak passwords
  Weak session management
  Buffer overflows
  Malformed URLs/Forced browsing
  CGI-BIN manipulation
  Form/hidden field manipulation
  Command injection
  Insecure use of cryptography
  Cookie poisoning
  Risk reduction for zero-day exploits
  SQL injection
  Server misconfigurations
  Well-known platform vulnerabilities
  Errors triggering sensitive information leak

A full audit depends on the size of the application. For budget purposes, figure about $0.30 per line of code. The deliverable includes a full report on all aspects of what was done, what weaknesses were detected and what actions are recommended.

Note: Security services are not available to short-term clients.

Do you need this?
Copyright © 2008 - api network

Seeking Synergy

We really don't want short-term clients. Does anyone? We are most eager to meet those who want to combine forces to create something larger than the sum of its parts.