One of the things I’m thinking more about as my app grows is how much time and resources I should put into worrying about security.
Of course, there are a number of security measures in place already - following best practice around SQL escaping, XSS, etc.
But I’m wondering whether I should pay for some professional penetration testing or some kind of other service. I talked to a company the other day that said they charge around $8k to $12k for an initial round of penetration testing and an audit. That’s pretty well outside my budget right now, though.
A friend of mine also told me about https://hackerone.com/ which looks interesting. Maybe putting a bug bounty up for $500 or something would be a good way to get some attention from white hat hackers and potentially discover important security issues faster and cheaper than paying for an audit.
I’m in ecommerce, so there can potentially be more sensitive data that an attacker could access via my app than via, say, a customer support app.
Would love to hear how others have approached this topic.
I did find this other thread on the topic of security, which had some interesting nuggets in it:
But I thought maybe a separate thread for people to discuss their strategies specifically might be useful.