Security matters

[Image: browser connection details showing HTTPS, 256-bit key, AES_256_CBC]

Card.biz
2 min read · Jan 24, 2014

Card.biz is a tool for creating directories. Directories for organizations, which means we have to store sensitive data such as phone numbers, email addresses and hierarchical links.

Our web app is built with Ruby on Rails, we use HTTPS encryption everywhere and of course we follow all the good practices.

We hope that is why we were added to the Google AppMarket directory so quickly.

During December 2013, a customer asked us to have penetration tests performed. At first we didn’t want to. We were confident, and it means a lot of money for a startup like Card.biz.

So we made the list:

Cons:

  • Money
  • Time
  • No label / no logo to add to our website

Pros:

  • Testing our skills
  • Increasing our skills
  • Fixing problems which could have been missed
  • Starting to work with a big international company
  • Giving all our customers another reason to trust us
  • Writing this post :-)

I have to say, the question of price is HUGE. But we jumped.

There are three general types of penetration test:

  1. Full-knowledge test (often called a white-box test). The penetration testing team has as much knowledge as possible about the information system to be evaluated. This type of test simulates the kind of attack that might be mounted by a knowledgeable employee of the organization.
  2. Partial-knowledge test (grey-box). The testing team has knowledge that might be relevant to a specific type of attack. The testers are given some information related to the specific kind of vulnerability the customer wants examined.
  3. Zero-knowledge test (black-box). The testing team is given no information and begins by gathering information on its own initiative, as an outside attacker would.

They worked for a few days, trying to find a way to access our data, and our customers’ data.

We had mixed feelings: if they found nothing, had we wasted our money? If they found something, could we fix it easily?

Then the verdict came in.

No security breach! \o/

Of course they found a few things. But every problem they discovered concerned only our own service.

We wanted your data to be safe, and it is.

We now think it was a good move to keep our “new big customer”, but the cost was really high, so the ROI is hard to judge for now.
