PHP Developers Network

[Mordred]

Thinking about starting a small security consulting operation.

On one hand, it's not hard: make a website, find clients, discover security holes, get paid, drink stuff from tall glasses with little paper umbrellas.

On the other hand, I have doubts about the finding clients part.

Web companies who work with lots of customers and handle real money and really need serious security would like to work with "proven" (and larger scale) security vendors, or have their own staff.

Small web sites have virtually zero security budgets and most probably don't even know there's such a thing as a security consultant. Since they also tend to go cheap with their developers, they look like swiss cheese when you look at their code, but unless one is directly hacked, paying for security is not in the plans.

My main concern is whether there is a middle ground in this picture. When hiring programmers, it is somehow implied that the resulting code will be secure. The owners don't have the expertise to judge that (and often the coders as well), so would there be any that are willing to pay for someone else's expertise to check that, even though they have lower budgets?

Does anyone here have experiences or thoughts about this?

[social_experiment]

A middle ground is hard to find in situations like this, where the client has little or no idea what your service is about, but also have no idea how important it is.

If you are set on doing your own thing you could offer services free of charge, to start building a reputation (this contradicts your ‘get paid’ part though). There is also the option of approaching potential clients and selling yourself, you migth catch a break in this manner.

Even though many people are oblivious about security issues until they actually occur, more and more of these oblivioutes are making their way towards the light, increasing chances for work.

[Mordred]

If you are set on doing your own thing you could offer services free of charge, to start building a reputation

This I did, but a coder's forum is obviously not the right publicity platform for it

There is also the option of approaching potential clients and selling yourself, you migth catch a break in this manner.

There are some ethical issues with that, I either have to be spammy (ugh) or target clients with actual vulnerabilities (unauthorized pentesting ... not much different than criminal hacking). This might be a good marketing strategy, actually "Tsk. Tsk. Tsk. These are dangerous times ... It would be a pity if anything happened to your site...". But seriously, there should be a middle ground (one that is morally acceptable) in that too, thanks for bringing it up!

[social_experiment]

There are some ethical issues with that, I either have to be spammy (ugh) or target clients with actual vulnerabilities (unauthorized pentesting ... not much different than criminal hacking). This might be a good marketing strategy, actually

I guess it's a bit different from developers as opposed to security consultants, looking for 'bad' site (poor layouts, etc) is easier than searching for vulnerabilites on sites.

:p I actually had in mind that you could offer a free consult, just highligthing certain aspects say one or two and let that set into the clients' mind ( after which you could give the "It's dangerous times" speech).

[Charles256]

Offer to point out one exploit for free and then go into your spiel. I know I'd give it a whirl to see if you could spot anything for free and if you did I'd be a lot more likely to consider hiring you. Let us know when you get your website up and running.

[greyhoundcode]

If you are set on doing your own thing you could offer services free of charge, to start building a reputation

This I did, but a coder's forum is obviously not the right publicity platform for it

I certainly didn't notice that post.

I mostly build sites based on WordPress, however they often have numerous plugins added. How secure is the plugin code (or even WordPress's own code)? To a large extent I'm taking it on trust.

I up-sell on a number of things and I could see the potential for a security audit being another: it gives customers a warm fuzzy feeling. If you were my "partner" providing the audit service how would pricing work for something like that? A single fee for a particular configuration, or fees per installation tested?

[social_experiment]

greyhoundcode is onto something, this is probably the best way of getting business. Doing security consultation on newly created sites.

I've thought about something related to this: The chances of a website owner (who has no idea about any type of security) paying for a consult is slim because they assume the designer / developer takes care of all the details, security included. They are also likely to inform their designer / developer of the problem who would then proceed to google it and either fix it, or just tell the client that the problem is either fixed (while it isn't) or that it is insignificant.

[Mordred]

How secure is the plugin code (or even WordPress's own code)? To a large extent I'm taking it on trust.

The core wordpress code is allright. There are too many eyes going there, so if you're not using an obsolete version with known vulnerabilities, you should be fine. The plugins are a whole other story, can be anything from rock solid to a sieve of holes, and with not many people interested in them you can't really trust how secure they are. Of course, if it's about a site of Joe's Carwash it wouldn't really matter how secure (or not) it is.

Note that I haven't audited wordpress plugins specifically, but I've worked on various 3rd party forum plugins with similar results.

If you were my "partner" providing the audit service how would pricing work for something like that? A single fee for a particular configuration, or fees per installation tested?

Could be either. I can charge code audits by case or by hours spent. If you commonly use a couple of plugins that's your best shot. Testing particular installations is a different thing, as it is about server configurations, password strength, backup setups and such. For more frequent jobs or a greater volume of work, I can offer a lower "retainer" rate (I'm cheap anyways)

Btw, are you genuinely interested or just asking out of curiosity?

greyhoundcode is onto something, this is probably the best way of getting business. Doing security consultation on newly created sites.

I imagine so, especially since it would allow for the early detection of design-level problems, which will make it cheaper and easier to correct.

----
Thanks for the comments, guys, I've put this project semi-on-hold, as I'm currently knee deep in something else, but "the end is near" so this discussion for different angles is very useful to me.

[greyhoundcode]

Of course, if it's about a site of Joe's Carwash it wouldn't really matter how secure (or not) it is.

Yes, very true! Even if I could make the sell it would be a waste of their money and it wouldn't be great for my reputation.

What I'm thinking of in particular are online stores, which for me typically involve WordPress in concert with a plugin such as Shopp, Jigoshop or similar (but typically Shopp in my case). They are all evolving almost weekly so the potential for new vulnerabilities exists with each iteration - no need to tell you that I'm sure On a number of occasions these plugins are themselves augmented by another plugin, to provide a new capability or whatever.

Btw, are you genuinely interested or just asking out of curiosity?

Right now I would say curiosity, but it is an idea I would definitely explore further - I would really need to sit down and think about how I would sell it - and perhaps PM you with annoying questions to see what is possible.

[Mordred]

Sure, fire 'em up
And I'll go look at those plugins out of curiosity one of these days

[alex.barylski]

Tough market, IMO.

For starters, most small/medium software factories probably prefer to have a on-staff security "expert" - which leads me to my next question. How do you distinguish yourself from other developers who also claim to be security experts?

Personally, if I had a small team I would absolutely hire you to review code before each major release, but you have gained and proven your worth to me many times over thew years on these forums. Your everyday business owner, would have no idea who you are.

I think you need to follow in the steps of Chris Shifflett(sp???) and start building your brand getting exposure and gaining peoples trust if you want to go down that path. The problem most of us face, is that we are developers, architects, security gurus, system admins, not business men. At least that has been my experience.

Cheers,
Alex

[Mordred]

Yeah, I definitely suck at the "marketing" part of this
I did write some security articles, but it's not the "portfolio" one would maybe expect to find. I should maybe start publishing vulnerability reports, although I deal with mostly custom-writ software so it's kinda pointless.
As to how can I distinguish myself - that's why I offer free testing - if I can find what the internal "security guy" missed, one should hire me.

How do you dev guys "push" yourselves? Having a portfolio is understandably a requirement, but it would not be sufficient to hire someone (to me at least) - how do you give "guarantees" that you'll write quality code?

[social_experiment]

How do you dev guys "push" yourselves? Having a portfolio is understandably a requirement, but it would not be sufficient to hire someone (to me at least) - how do you give "guarantees" that you'll write quality code?

For clients i've found quality code means "my website is working" (however working is defined by them) because most of them don't understand the ideas of development, how code works (or should work).

As for the first part of the question i try to keep my code as 'clean' as possible, revising it often, i guess refactoring is a better word to use and lastly looking at code examples on devnet to see if where i make my code (and coding practises) better. Also i read as much as possible about coding as i can find.

[greyhoundcode]

For myself it's pretty much as social_experiment just wrote. I'd add that, on a business level, the most important thing I have learned in the past couple of years is that face-to-face contact, whether that's actually sitting down for a coffee or just over Skype, will seal the deal like nothing else can. Going door-to-door, for want of a better term (that could be doing the rounds of each table at a local lunch and learn or whatever), has won me the majority of my business.

I'm now located in Canada and just became aware of a very interesting study (at least, I thought it was interesting ) suggesting that the "programming" or "software engineering" profession - all-encompassing term though that is - is the number 1 in-demand profession. But it is qualified by the requirement for a programmer to be a great people-person, happy to go and talk to people and to be capable of talking in language a client or partner will understand.

In an environment like this forum people often tend to be purists, which is good. It would be interesting to hear more from Alex who I suspect has taken a different route and has different experiences, but my feeling is that code-quality is not the be all and end all. That is hopefully a controversial remark - I'm sure others will disagree strongly.

[slimgoody]

A middle ground is hard to find in situations like this, where the client has little or no idea what your service is about, but also have no idea how important it is.

If you are set on doing your own thing you could offer services free of charge, to start building a reputation (this contradicts your ‘get paid’ part though). There is also the option of approaching potential clients and selling yourself, you migth catch a break in this manner.

Even though many people are oblivious about security issues until they actually occur, more and more of these oblivioutes are making their way towards the light, increasing chances for work.

I agree, your best bet would be to either start off giving your service for free. Or start up a security blog site, talking about the advantages of securing your website, why you should secure and how to do so; only giving small amounts of information. Give enough information to satisfy the curiosity but not enough to feed the hunger.This could possibly help you build a clientale without really even trying. Once you begin to get noticed for the volunteered information, then you can begin to branch out and start your service. There is definitely a demand for this type of work, I wouldn't pass it up.