how much would/should/could it cost to get my app security assessed?
im working on a decentralized chat app. i open sourced it to get feedback on the implementation.
for a project like this, its important for it to be open source in order to gain user confidence in the security. but i find that the project is too complicated for pro-bono security assessment work (which is understandable).
fiverr probably isnt the best place to find reputable support, but i wanted to see the prices. it seems to range from 50 to 5k+
i wont be getting the support any time soon, but id like guage an estimate. i havent done something like this before so any/all advice is appriciated.
I work for a small consulting firm. We do security assessments, but not the kind you’re looking for. I don’t want to sell you anything.
From your intro here, I would expect to book a resource on this project at 50% utilization (to avoid burnout) for about 3 weeks. One week of assessment, one week of report writing, and we’ll say a week of overhead / buffer (to get things rolling / ask questions / interviews / report readout). That’s a total of 60 hours.
My employer is expensive; we charge about $300/hr per resource. That comes out to about $18k. I would call this an upper limit (though in truth there is no upper limit. If you put multiple $700/hr resources on a project and let them bring in SMEs, things get expensive fast)
If you haven’t done a security review before, I wouldn’t worry - you aren’t ready for the $18k service, or the $1k service. You will need a 3rd-party certificate eventually, but right now all you need is trust from your userbase, and openness and transparency are a good initial strategy.
When it’s time, throw a hundred bucks at a local college student who’s into cryptography. Then fix / address all their findings. Then go for the next level, and fix their findings. There will always be findings; what you are buying is user trust. The more in-depth the review, the more trustworthy - but you don’t want the expensive service to be distracted by things a college student could have caught.
I am intoxicated and rambling - let me know what questions you have :)