Application Pen Testing & Security Scans - any experience?

Hi,
Has anyone had their Bubble App application penetration tested?

I’ve tried snyk.io for a Vulnerability scan. (I have used Metasploit & OpenVas in a previous life so expect I will apply those soon also).

Any pointers or advice appreciated. Who did you use? Any findings you can share?

Cheers
Lindsay


Anyone got more on this recently?
We know about Bubble’s security practices. And we know how to secure Bubble apps, thanks to @petter @flusk and lots more helpful contributions.

But I can’t see a good collaborative discussion of what is worth doing and paying for in terms of vulnerability scanning, continuous attack monitoring, and so on. Things that services like intruder.io , Astra, Vanta, do. Are these basically a waste of money for Bubble apps/developers because they are doing their scans and tests for things that Bubble takes care of? If so, can Bubble publish some evidence that this is true, so we don’t have to think about spending money on those expensive services?

In other words: If I were a traditional app-builder and had institutional clients who wanted to be reassured that my app was being scanned for vulnerabilities, I’d pay a couple of thousand dollars a year on one of those services. The question is whether I should do this for my Bubble app. (Customers are universities who are VERY strict with their infosec reviews!)

Thanks everyone.

Interesting question!

My take on it is that yes, they will most likely be scanning for the same things that Bubble already are in their own pen tests and audits, and I’m guessing that they don’t know how to scan for security issues that arise with actual Bubble development.

I would get in touch with Bubble and ask them. For example, they can send a SOC2 Type 2 report that confirms security controls etc, as audited by a third party over a few months. Typically, this is what enterprise clients ask for, and might be the same for universities.

How they’d then confirm the actual security of the app is more tricky to answer. Even with Bubble having all the auditing in the world, it’s still perfectly possible to set up an app that’s basically not secure at all.

It’s hard to answer without knowing their specific requirements (which I imagine they find hard to answer too). Maybe some other Bubblers have had similar discussions.

This is the thing. It’s all well and good providing a SOC 2 compliance report, but if your app has no privacy rules, it’s hardly secure. In addition, there’s no kind of ‘security certification’ for Bubble - there actually isn’t an organisation with credentials that will let them charge thousands for an audit.

I offer audits @ notquiteunicorns.xyz/bubble which almost always expose at least one critical vulnerability. As part of that, we look through everything from the Bubble side to make sure the app’s secure. We can’t provide any guarantees that we’ve found everything, and we can’t provide a stamp and certificate (other than one that perhaps says Audited by NQU - but who would care about that?). Enterprises want Audited to X standard by Y company with Z qualifications.

That said, the best ongoing automated vulnerability scanning for Bubble is currently flusk.eu which is built for Bubble. I’m sure one of the guys there will hop in and talk about plans for official certifications or something :grin:


Audits and certifications might be added by for-profits like Flusk in the future, but widespread acceptance at the enterprise level for tools like Bubble is likely to take more time. The strength of audits, such as SOC2 reports, stems from being a collaborative effort led by accounting associations. These associations gather and assess best practices across members, aiming to uphold high industry standards without direct financial motives. That’s not to say that a certification from someone like Flusk would be worthless, just that it might prove difficult to get it accepted as an industry standard.

Bubble’s simply not there yet, and realistically, I think in the end that Bubble needs to be embraced by those same organizations. While I applaud and support ongoing efforts to collect, organize and benchmark Bubble best practice standards, it’ll be a while until that’s gained industry-wide trust.

That’s from a purely compliance/auditing standpoint; that’s not to say that universities, governments and enterprise clients are not open to collaborating with reputable developers, as evidenced by existing partnerships. The technology is exciting enough for many to do their own due diligence and accept the risk of being an early adopter.


Thanks @petter and @georgecollier . I’m very careful about my privacy rules, because with these kinds of customers, I have to be. I have had to show them screenshots of the privacy rules and explain how they work. (Screenshots, d’oh! Wish we could export the privacy rules to a nice format to review and share).

As you say Petter, it’s going to take a while for enterprise acceptance, and probably even longer for public sector/health acceptance. I may be doomed trying to sell Prograds.com to universities. The annoying thing is that it’s so variable. A pretty thin review for the entire state of Texas (TX-RAMP), allowing use in all public sector institutions in the state, but crazy-strict reviews in some colleges.

My question is really more about how to convince them that Bubble takes care of higher-up-the-stack vulnerability stuff (as documented in their SOC 2 report) and that I don’t really have to worry about those kinds of attacks; rather, I have to worry about front-end privileges and data separation.