Wednesday, May 16, 2012

List of Firms Willing and Able to Fix Vulnerable Code for You


As anyone in Web security will confirm, there’s no shortage of vulnerabilities in custom Web applications. On the average website, WhiteHat Security identifies at least dozens, more often hundreds, of custom Web application vulnerabilities per year. Any one of these vulnerabilities may lead to total or partial system compromise, user account takeover, data loss, fraud, and so on. When such a vulnerability is found, the next task is getting it fixed. The task of vulnerability remediation has proved to be a rather large challenge for many organizations.

Often an organization will want to fix their vulnerable code, but they’re development team is oversubscribed delivering revenue generating features. Diverting their attention is just not an option. Given the choice, the organization may prefer to pay for the problem to go away. In short, to pay someone to come in and fix their vulnerable code for them.

Generally speaking, penetration-testing, vulnerability assessment, source code reviews, etc. whether speaking of tools or service providers, only FIND the vulnerability, they don’t FIX the code. They provide guidance on HOW they recommend the issue is fixed, but not the code fix itself. That’s the organizations responsibility.

Fortunately there are an increasing number of firms who are ready and willing to perform vulnerability remediation services. They’ll actually show up and fix your code! I’ve been building a list of them (see below) because people ask me about this all the time.

It is very important that this list is NOT considered an official endorsement of any kind as I only have personal experience with a few. If you need a recommendation and/or an introduction, just send me an email directly and I’d happy to help out: jeremiah -at- whitehatsec.com.

  1. Accuvant
  2. AhnLab
  3. Aspect Security
  4. AsTech Consulting
  5. Asterisk Information Security
  6. BCC Risk Advisory
  7. Cigital
  8. Denim Group
  9. Foundstone
  10. Gotham Digital Science [2]
  11. iSEC Partners
  12. KPMG (Australia)
  13. Security Compass
  14. Security Innovation

No comments: