Ethical hacker around to test my Web app security?

mangooly · 2020-10-06T19:46:57.751Z

Hi,

I’m looking for an expert in security to test my web app for security. Does anyone know if this kind of service exists or if anyone here in Bubble has any experience in auditing our Web apps?

If you can help please get in touch.

Thank you

mangooly · 2020-10-07T07:17:46.401Z

Thanks for your reply @nocodeventure,

Yes, the idea is to get consent first, but I wanted to first find out if anyone had gone through these steps already or had set up a kind of bug bounty setup to find security vulnerabilities. I don’t know if Bubble does this already… maybe @allenyang can chime in… When I mean security vulnerabilities of course I mean real system backdoors that can allow hackers to penetrate the database.

I already have a lot of security measures in place, but for the business that I have started I want to go one step further. These are just some of the steps we have taken apart from the ones you have already mentioned (Thanks BTW),

All user data is encrypted using AES 256 bit encryption.
Keys for encrypted data is held in a different location to Bubble.
Enforced more secure passwords in Signup (Users have to use passwords with numbers, Upper and lower case letters and special characters).
Removed ‘Run as’ feature for Collaborators and Admins.
Removed ‘Run as’ feature for App owners. Not even App owners can look at users data.
Applied Privacy rules and used conditional statements (Only if user is logged in, Only if user is the creater of X Data type, Only if the user, etc…
Applied 2FA to the Web App (Not yet implemented)
Applied 2FA to Bubble account.
Used a 20+ character long password for Bubble account.

I don’t know if I’m missing anything but if anyone has any other recommendations feel free to join the discussion. I’m curious to see what other people have done to make their app a lot more secure.

Regards

nocodeventure · 2020-10-07T07:20:04.870Z

A more easier approach would be to have an integration with an external database like Firebase.

Privacy rules do go a far way handling security. You can also offer sub apps for each instance on a professional plan if your clients want more assurance of data seperation.

P.S. only if user is logged in can NOT be a good privacy rule. You will need a reference point, for example Data Type Company.

If Current User’s Company is This User’s Company - then allow read/write access.

nocodeventure · 2020-10-07T07:26:41.045Z

I can dedicate some hours on this if you wish to collaborate on the privacy rules and overall conditional statements on your web app.

Feel free to message me at mido@nocodeventure.com if you’re up for it!

mangooly · 2020-10-07T07:31:14.398Z

Thanks @nocodeventure,

Yep, I also have some data held in an external database and I don’t hold payment data, Stripe handles that. Forgot to mention that one.

I’m curious to understand the second point you mentioned, using sub apps. The busines is B2C so it would be crazy to setup so many subb apps. More setups more vulnerabilities, right? What do you think?

nocodeventure:

P.S. only if user is logged in can NOT be a good privacy rule. You will need a reference point, for example Data Type Company.

Yes, they are used in combination. If user is logged and is the creator of X data type.

nocodeventure:

I can dedicate some hours on this if you wish to collaborate on the privacy rules and overall conditional statements on your web app.

Feel free to message me at mido@nocodeventure.com if you’re up for it!

Thanks for the offer @nocodeventure. I’m ok on this bit.

Regards

nocodeventure · 2020-10-07T08:28:15.725Z

Yea totally agree here. Sub apps are more for B2B. I wouldn’t worry too much, privacy rules and a good privacy policy are the key factors here.

Good work so far!

n0c0de · 2020-10-07T09:32:44.374Z

Great points. Please share learnings

@mangooly … are you able to share the site … I’ve been doing a bit of pen-testing lately using my tools (no formal qualification or experience)

It’s quite amazing, the things you find.

email: santosh@n0c0de.com
twitter: https://twitter.com/n0c0de1
web: https://www.n0c0de.com (with two zeroes )

allenyang · 2020-10-07T13:02:07.583Z

Users are free to get black box penetration tests done on their apps - we just request that you let us know ahead of time which app and what time window the test will be done.

Bubble also does acknowledge those who let us know (in an appropriate manner ) about security vulnerabilities: https://bubble.io/security_acknowledgements

vincent56 · 2020-10-07T14:25:10.999Z

We developed a little tool that takes care of an initial and simple audit of your privacy rules: https://apicheck.ideable.co/

If you see issues there, you know you have work to do

mangooly · 2020-10-07T18:14:16.256Z

Hi @allenyang,

Thanks for the reply.

allenyang:

black box penetration tests

Do you know any popular and well known companies that provide these services?

Thanks

mangooly · 2020-10-07T18:16:33.120Z

n0c0de:

are you able to share the site

Hi @n0c0de,

I still haven’t gone live. What kind of tests can you provide? Maybe we can try once we go live.

Regards

allenyang · 2020-10-07T19:13:31.709Z

No particular recommendations here, but a ‘black box pen test’ is a known product / service, so you should be able to find a range of providers and find one suitable for your need + budget

nocodeventure · 2020-10-08T07:09:24.274Z

Pentest-Tools.com

Website Vulnerability Scanner - Online Scan for Web Vulnerabilities |...

The Web Vulnerability Scanner finds website vulnerabilities like SQLi, XSS, server misconfiguration and many more. Use our Website Scanner to check your web security.