Information Security
mr_molodoy, 2021-06-15 12:29:10

How to properly conduct a security audit?

Good afternoon.
We have a question about conducting a security check of a number of the company's sites.
Perhaps someone has had similar experience and can advise on how to do this job correctly (whom to contact, how to find a contractor, how to accept the work, etc.).
As we see it: find a contractor (a company or an individual) who will analyze the sites and, for a fixed fee, provide an audit report (which parts of the web application they checked, for what kinds of vulnerabilities/problems, etc.). If critical security issues are found, an additional reward is paid (the size of which depends on the criticality of the vulnerability found).

In this case, we are interested in how to accept the work correctly (in fact, we cannot really make sure that the work described in the submitted report was actually carried out, because for that we would need to perform the check on all points ourselves, which is what we want to avoid), and how to determine (specify in advance) the cost (the amount of the additional reward) of the vulnerabilities found and how to classify them correctly.


1 answer(s)
Uncle Seryozha, 2021-06-29
@Protos

How to get the job done right:
Hire security specialists for the duration of the audit, or buy a SOC service, and set up forwarding of the necessary logs to them. The blue team will then be able to see what the red team is doing and confirm the depth and breadth of the attacks.
Payment is for the overall work of checking all the agreed vectors, not for specific vulnerabilities. But if you wish, it is better to pay per task-execution vector, where the task can be gaining access to such-and-such information and performing some action with it.
If you want to pay for specific vulnerabilities, use a bug bounty platform.
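One concrete way to do what the answer above suggests, checking the tester's report against your own logs, is to filter the web server access log by the source addresses the contractor agreed to test from and the agreed time window, then compare the endpoints actually hit against the agreed scope. The script below is an added example, not code from the answerer or the site; it assumes nginx/Apache combined log format, that the tester's source IPs (203.0.113.10 here, a documentation address) and the scope list were fixed in the contract, and that the log lines are the constructed sample embedded in the block.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined Log Format as written by nginx/Apache by default (regex is ours, an assumption).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample log: four tester requests inside the window, one ordinary user,
# and one tester request outside the agreed window (must be ignored).
SAMPLE_LOG = [
    '203.0.113.10 - - [20/Jun/2021:10:00:01 +0300] "GET /login HTTP/1.1" 200 512 "-" "scanner/1.0"',
    '203.0.113.10 - - [20/Jun/2021:10:00:02 +0300] "POST /login HTTP/1.1" 401 128 "-" "scanner/1.0"',
    '203.0.113.10 - - [20/Jun/2021:10:00:03 +0300] "GET /search?q=%27 HTTP/1.1" 500 64 "-" "scanner/1.0"',
    '203.0.113.10 - - [20/Jun/2021:10:05:00 +0300] "GET /admin/ HTTP/1.1" 403 64 "-" "scanner/1.0"',
    '198.51.100.7 - - [20/Jun/2021:10:05:30 +0300] "GET /profile HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [21/Jun/2021:02:00:00 +0300] "GET /profile HTTP/1.1" 200 2048 "-" "scanner/1.0"',
]
TESTER_IPS = {"203.0.113.10"}                     # agreed in the contract (assumption)
SCOPE_PATHS = ["/login", "/search", "/profile", "/api/export"]  # agreed scope (assumption)
MSK = timezone(timedelta(hours=3))
WINDOW = (datetime(2021, 6, 20, 9, 0, tzinfo=MSK), datetime(2021, 6, 20, 18, 0, tzinfo=MSK))


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    # Drop the query string so /search?q=1 and /search count as the same endpoint.
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


def coverage_report(lines, tester_ips, scope_paths, window=None):
    """Summarise which endpoints the tester touched, from which the report can be checked."""
    per_path = defaultdict(lambda: {"requests": 0, "methods": set(), "errors": 0,
                                    "first": None, "last": None})
    total = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["ip"] not in tester_ips:
            continue                                  # not the contractor's traffic
        if window and not (window[0] <= rec["ts"] <= window[1]):
            continue                                  # outside the agreed testing window
        total += 1
        entry = per_path[rec["path"]]
        entry["requests"] += 1
        entry["methods"].add(rec["method"])
        if rec["status"] >= 400:                      # 4xx/5xx hint at probing or errors
            entry["errors"] += 1
        entry["first"] = rec["ts"] if entry["first"] is None else min(entry["first"], rec["ts"])
        entry["last"] = rec["ts"] if entry["last"] is None else max(entry["last"], rec["ts"])

    scope = set(scope_paths)
    return {
        "tester_requests": total,
        "covered": sorted(p for p in per_path if p in scope),
        "untested": sorted(scope - set(per_path)),        # in scope, never touched: ask why
        "out_of_scope": sorted(set(per_path) - scope),    # touched but not agreed: ask why
        "paths": {p: {"requests": e["requests"], "methods": sorted(e["methods"]),
                      "errors": e["errors"], "first": e["first"].isoformat(),
                      "last": e["last"].isoformat()} for p, e in per_path.items()},
    }


if __name__ == "__main__":
    report = coverage_report(SAMPLE_LOG, TESTER_IPS, SCOPE_PATHS, WINDOW)
    print("tester requests in window:", report["tester_requests"])
    print("covered:", report["covered"])
    print("in scope but untested:", report["untested"])
    print("touched but out of scope:", report["out_of_scope"])
```

Endpoints in the "untested" list are the ones to raise at acceptance: either the report should not claim they were checked, or the contractor tested from an address you did not agree on. The "out_of_scope" list is equally worth a question, since it shows activity the contract did not cover.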
