Security Assurance Review Certificates

Hi there,

I have a client that is making an application to a US Government Program (Los Angeles), that has a high level of security requirements for apps to be accepted.

As part of this, they require documented proof of some type of security assurance review from the following:

  • Vulnerability Scan
  • Risk Assessment
  • Security Audit
  • Penetration Test
  • Source Code Review

Are any of these something that Bubble would be able to provide a document for that we could present as proof? And how would we go about obtaining this? If not, are there any recommendations on services that would provide such a document in relation to my client’s Bubble app?

Thanks in advance,
Dave.

Hey Dave,
I hope you’re doing well.

You can have a look at @flusk’s website and reach out to them. They deliver security audits with certificates for Bubble apps.


Thanks! That looks like it will be very useful. I’ll send their website over to my client now.

Much appreciated.

This cannot be provided as Bubble owns the source code of their engine. Logic can be reviewed, but exploits within Bubble’s own platform can still exist and can’t be reviewed as we don’t have the code.

Hi @daveshearing93,
I have a similar question from a potential client.
Did you do an audit with @flusk? And were you happy with it? (I reached out but haven't heard from them yet…)

Have you dived deeper into the security of Bubble, and what did you find? For example, I know they are SOC 2 Type II certified, but I can't find their latest "assurance report", which SOC 2 Type II certified companies sometimes make public.

thanks so much,
Koen

Hi Koen,

We went with a Penetration Test with Flusk and have just finished up resolving the issues and have obtained the certificate we needed. We went with the automated test rather than the full service, and I handled the resolution of the issues on my end. The communication was a little spotty, but all good in the end, and the UI and features of the platform seemed great.

In terms of Bubble, they themselves are SOC-2 certified but this doesn’t extend to apps built on Bubble so I don’t think a certificate is obtainable without going through the whole process ourselves. We had a quote for a Type II certification (I believe from SecureFrame) for around $12,500, but luckily it turned out that it wasn’t necessary and the PenTest certificate was enough.

Hope that helps!


Thanks Dave! Very useful. Agree on SOC 2. Hope to follow the same route. Our own certification (and following all of these requirements) is too challenging and expensive…
