
Ethical hacker around to test my Web app security?

Hi,

I’m looking for an expert in security to test my web app for security. Does anyone know if this kind of service exists or if anyone here in Bubble has any experience in auditing our Web apps?

If you can help please get in touch.

Thank you

2 Likes

Thanks for your reply @nocodeventure,

Yes, the idea is to get consent first, but I wanted to first find out if anyone had gone through these steps already or had set up a kind of bug bounty setup to find security vulnerabilities. I don’t know if Bubble does this already… maybe @allenyang can chime in… When I say security vulnerabilities, of course I mean real system backdoors that can allow hackers to penetrate the database.

I already have a lot of security measures in place, but for the business that I have started I want to go one step further. These are just some of the steps we have taken apart from the ones you have already mentioned (Thanks BTW),

  1. All user data is encrypted using AES 256 bit encryption.
  2. Keys for encrypted data are held in a different location to Bubble.
  3. Enforced more secure passwords in Signup (Users have to use passwords with numbers, Upper and lower case letters and special characters).
  4. Removed ‘Run as’ feature for Collaborators and Admins.
  5. Removed ‘Run as’ feature for App owners. Not even App owners can look at users data.
  6. Applied Privacy rules and used conditional statements (Only if user is logged in, Only if user is the creator of X Data type, Only if the user, etc.).
  7. Applied 2FA to the Web App (Not yet implemented)
  8. Applied 2FA to Bubble account.
  9. Used a 20+ character long password for Bubble account.

I don’t know if I’m missing anything but if anyone has any other recommendations feel free to join the discussion. I’m curious to see what other people have done to make their app a lot more secure.

Regards

2 Likes

An easier approach would be to have an integration with an external database like Firebase. :slight_smile:

Privacy rules go a long way in handling security. You can also offer sub apps for each instance on a professional plan if your clients want more assurance of data separation.

P.S. only if user is logged in can NOT be a good privacy rule. You will need a reference point, for example Data Type Company.

If Current User’s Company is This User’s Company - then allow read/write access.

1 Like

I can dedicate some hours on this if you wish to collaborate on the privacy rules and overall conditional statements on your web app.

Feel free to message me at [email protected] if you’re up for it!

Thanks @nocodeventure,

Yep, I also have some data held in an external database and I don’t hold payment data, Stripe handles that. Forgot to mention that one.

I’m curious to understand the second point you mentioned, using sub apps. The business is B2C so it would be crazy to set up so many sub apps. More setups, more vulnerabilities, right? What do you think?

Yes, they are used in combination. If user is logged in and is the creator of X data type.

Thanks for the offer @nocodeventure. I’m ok on this bit.

Regards

1 Like

Yea totally agree here. Sub apps are more for B2B. I wouldn’t worry too much, privacy rules and a good privacy policy are the key factors here.

Good work so far!

1 Like

Great points. Please share learnings :slight_smile:

@mangooly … are you able to share the site … I’ve been doing a bit of pen-testing lately using my tools (no formal qualification or experience) :smiley:

It’s quite amazing, the things you find.

email: [email protected]
twitter: https://twitter.com/n0c0de1
web: https://www.n0c0de.com (with two zeroes :wink: )

Users are free to get black box penetration tests done on their apps - we just request that you let us know ahead of time which app and what time window the test will be done.

Bubble also does acknowledge those who let us know (in an appropriate manner :slight_smile: ) about security vulnerabilities: https://bubble.io/security_acknowledgements

4 Likes

We developed a little tool that takes care of an initial and simple audit of your privacy rules: https://apicheck.ideable.co/

If you see issues there, you know you have work to do :wink:

6 Likes

Hi @allenyang,

Thanks for the reply.

Do you know any popular and well known companies that provide these services?

Thanks

Hi @n0c0de,

I still haven’t gone live. What kind of tests can you provide? Maybe we can try once we go live.

Regards

Hello, how are you? Sorry for my English, I am Brazilian. This type of service does exist, and is known as Pentest - focused on finding security flaws in the application and reporting them to the contractor by report so they can address them. I have a good knowledge of this area; I have already taken a course in the area of information security. But I will say that most web pentests target the database and failures in SQL, XSS, brute force and social engineering, or more commonly use the software Burp Suite as a proxy to obtain requests from your application and be able to manipulate the input data to obtain credentials. :slightly_smiling_face:

1 Like

No particular recommendations here, but a ‘black box pen test’ is a known product / service, so you should be able to find a range of providers and find one suitable for your needs + budget.

3 Likes

Hi @mangooly, no particular method. But mostly experiments similar to what @luiscarlosdesouza described above. It’s not my core area though by any measure.

1 Like

I used to work for a company called OnSecurity who charge by the hour rather than by the day for penetration testing so it’s a lot cheaper than usual pen testing.

2 Likes

Just for advice, you can use https://securityforeveryone.com/ free tools.

3 Likes

Hi Mangooly,
I used a penetration testing service some months ago by UTMStack, and the price was good https://utmstack.com/.

1 Like