> As a small company with a limited budget that is looking to have its application tested, how can we differentiate between good firms and firms that will just run a scanner and charge you $5000?

Reputation, mostly. It's easier for the large firms that everyone is familiar with. For smaller firms, you probably want to get a strong referral from someone who has been through this before. Also, ask the consultant(s) performing the assessment what they'll be doing in some technical depth to see how familiar they are with a penetration test/source code review outside of running Acunetix or Burp Suite Scanner. They shouldn't shy away from talking about what specific technical vulnerabilities they feel they're likely to find when you describe your app and its stack off the top of their heads.

> Also, is it a good idea to hire a freelancer to pen-test your application?

Theoretically, this is a good cost savings versus a firm. But in practice, it's hard to do correctly because you really need to be sure that the person knows what they're doing. If you want to hire a freelancer, I would suggest looking for very well-known/successful bug bounty participants and security researchers who opened their own solo shops.

Also, shameless plug: if you're looking for a security assessment I'm happy to help you (and if I can't directly, I am nearly positive I can refer you to very competent smaller firms for your budget). Feel free to get in touch.
