Ethical hacker around to test my Web app security?

Hi,

I’m looking for an expert in security to test my web app for security. Does anyone know if this kind of service exists or if anyone here in Bubble has any experience in auditing our Web apps?

If you can help please get in touch.

Thank you

3 Likes

Thanks for your reply @nocodeventure,

Yes, the idea is to get consent first, but I wanted to first find out if anyone had gone through these steps already or had set up a kind of bug bounty setup to find security vulnerabilities. I don’t know if Bubble does this already… maybe @allenyang can chime in… When I say security vulnerabilities, of course I mean real system backdoors that can allow hackers to penetrate the database.

I already have a lot of security measures in place, but for the business that I have started I want to go one step further. These are just some of the steps we have taken apart from the ones you have already mentioned (Thanks BTW):

  1. All user data is encrypted using AES 256 bit encryption.
  2. Keys for encrypted data are held in a different location from Bubble.
  3. Enforced more secure passwords in Signup (Users have to use passwords with numbers, Upper and lower case letters and special characters).
  4. Removed ‘Run as’ feature for Collaborators and Admins.
  5. Removed ‘Run as’ feature for App owners. Not even App owners can look at users data.
  6. Applied Privacy rules and used conditional statements (Only if user is logged in, Only if user is the creator of X Data type, Only if the user, etc…).
  7. Applied 2FA to the Web App (Not yet implemented)
  8. Applied 2FA to Bubble account.
  9. Used a 20+ character long password for Bubble account.

I don’t know if I’m missing anything but if anyone has any other recommendations feel free to join the discussion. I’m curious to see what other people have done to make their app a lot more secure.

Regards

2 Likes

An easier approach would be to have an integration with an external database like Firebase. :slight_smile:

Privacy rules go a long way in handling security. You can also offer sub apps for each instance on a professional plan if your clients want more assurance of data separation.

P.S. only if user is logged in can NOT be a good privacy rule. You will need a reference point, for example Data Type Company.

If Current User’s Company is This User’s Company - then allow read/write access.

1 Like

I can dedicate some hours on this if you wish to collaborate on the privacy rules and overall conditional statements on your web app.

Feel free to message me at mido@nocodeventure.com if you’re up for it!

Thanks @nocodeventure,

Yep, I also have some data held in an external database and I don’t hold payment data, Stripe handles that. Forgot to mention that one.

I’m curious to understand the second point you mentioned, using sub apps. The business is B2C so it would be crazy to set up so many sub apps. More setups, more vulnerabilities, right? What do you think?

Yes, they are used in combination. If user is logged in and is the creator of X data type.

Thanks for the offer @nocodeventure. I’m ok on this bit.

Regards

1 Like
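The point made above about privacy rules (that "only if user is logged in" is not a usable rule on its own, and that the rule needs a reference point such as the user's Company or the record's creator) is an object-level authorization question, and it is easy to show in code why the weak rule leaks data across tenants. The following is an added example written for this page, not code from the thread or from Bubble; the user and record names, the `rule_*` functions and the sample data are all constructed for illustration, and the rules are expressed as plain Python predicates standing in for Bubble's privacy-rule conditions.

```python
"""Object-level authorization checks, modelled on the privacy-rule discussion.

Added example for this page; the data, names and functions are constructed
and are not part of the original thread or of any Bubble API.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class User:
    user_id: str
    company: str  # the tenant the user belongs to


@dataclass(frozen=True)
class Record:
    record_id: str
    creator: str  # user_id of the user who created the record
    company: str  # tenant the record belongs to
    body: str


# Constructed sample data (two tenants, three users, three records).
USERS = {
    "alice": User("alice", "acme"),
    "bob": User("bob", "acme"),
    "eve": User("eve", "globex"),
}
RECORDS = [
    Record("r1", "alice", "acme", "acme invoice"),
    Record("r2", "bob", "acme", "acme contract"),
    Record("r3", "eve", "globex", "globex payroll"),
]

# A privacy rule: given the current (possibly anonymous) user and a record,
# decide whether the record may be read. None means "not logged in".
Rule = Callable[[Optional[User], Record], bool]


def rule_logged_in(current: Optional[User], rec: Record) -> bool:
    """The weak rule from the thread: any authenticated user can read anything."""
    return current is not None


def rule_same_company(current: Optional[User], rec: Record) -> bool:
    """Tenant-scoped rule: Current User's Company is This Record's Company."""
    return current is not None and current.company == rec.company


def rule_creator(current: Optional[User], rec: Record) -> bool:
    """Owner-scoped rule: Current User is This Record's Creator.

    Being logged in is implied, so it does not need a separate clause.
    """
    return current is not None and current.user_id == rec.creator


def visible_records(current: Optional[User], rule: Rule) -> List[str]:
    """IDs of the records the rule lets this user read, sorted for stable output."""
    return sorted(r.record_id for r in RECORDS if rule(current, r))


def cross_tenant_leaks(rule: Rule) -> List[Tuple[str, str]]:
    """(user_id, record_id) pairs where a user can read another tenant's record.

    A sound tenant-scoped rule returns an empty list here.
    """
    leaks = []
    for u in USERS.values():
        for r in RECORDS:
            if r.company != u.company and rule(u, r):
                leaks.append((u.user_id, r.record_id))
    return leaks


if __name__ == "__main__":
    for name, rule in [("logged_in", rule_logged_in),
                       ("same_company", rule_same_company),
                       ("creator", rule_creator)]:
        print(f"{name:13s} eve sees {visible_records(USERS['eve'], rule)}"
              f"  leaks={cross_tenant_leaks(rule)}")
```

Running the script shows `rule_logged_in` letting `eve` (Globex) read both Acme records, while `rule_same_company` and `rule_creator` report no cross-tenant leaks. `cross_tenant_leaks` is the kind of check worth keeping as a test for every data type: enumerate users from different tenants and assert that no rule lets any of them read another tenant's rows.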

Yea totally agree here. Sub apps are more for B2B. I wouldn’t worry too much, privacy rules and a good privacy policy are the key factors here.

Good work so far!

1 Like

Great points. Please share learnings :slight_smile:

@mangooly … are you able to share the site … I’ve been doing a bit of pen-testing lately using my tools (no formal qualification or experience) :smiley:

It’s quite amazing, the things you find.

email: santosh@n0c0de.com
twitter: https://twitter.com/n0c0de1
web: https://www.n0c0de.com (with two zeroes :wink: )

Users are free to get black box penetration tests done on their apps - we just request that you let us know ahead of time which app and what time window the test will be done.

Bubble also does acknowledge those who let us know (in an appropriate manner :slight_smile: ) about security vulnerabilities: https://bubble.io/security_acknowledgements

5 Likes

We developed a little tool that takes care of an initial and simple audit of your privacy rules: https://apicheck.ideable.co/

If you see issues there, you know you have work to do :wink:

9 Likes

Hi @allenyang,

Thanks for the reply.

Do you know any popular and well known companies that provide these services?

Thanks

Hi @n0c0de,

I still haven’t gone live. What kind of tests can you provide? Maybe we can try once we go live.

Regards

No particular recommendations here, but a ‘black box pen test’ is a known product / service, so you should be able to find a range of providers and find one suitable for your need + budget.

3 Likes