Security Basics
Recommendation for a comprehensive security audit Jul 10 2012 02:56PM
Security (security ignorable com) (4 replies)
Re: Recommendation for a comprehensive security audit Jul 12 2012 07:39PM
Thugzclub (thugzclub googlemail com) (1 replies)
Re: Recommendation for a comprehensive security audit Jul 17 2012 02:46PM
Vic Vandal (vvandal well com)
RE: Recommendation for a comprehensive security audit Jul 11 2012 12:21PM
Dave Kleiman (dave davekleiman com)
Re: Recommendation for a comprehensive security audit Jul 10 2012 08:43PM
Vic Vandal (vvandal well com)
Andre,

I don't endorse any audit firm because there are too many out there to do so fairly, and I don't work for an audit firm.
Being that you're handling payments, then perhaps the BITS FISAP (Financial Industry Shared Assessment Program) audit process will meet your needs. It is internationally developed and administered. Here are just a couple of reference links and you can certainly search for others.

http://www.mortgagebankers.org/files/Conferences/2006/LegalIssuesInMortgageTechnology2006/3-4DataSecurity-MarcLoewenthal.pdf

http://sharedassessments.org/
http://sharedassessments.org/about/
http://sharedassessments.org/assessment-firms/

That type of audit is not cheap (~$100K US for mid-size companies, using reputable audit firms). You could also have your company audited using SSAE-16 models (SOC-1/2/3).
http://www.ssae-16.com/
http://ssae16.com/
The price tag will be about the same though. The BITS audit may be advantageous in that it goes deeper into physical security, development environments, etc., which seem to be important to you. But the SSAE-16 model may be advantageous because it comes with an audit firm's opinion, whereas the BITS report only gives testing results with no opinion on the overall security posture. One size does not fit all.

An ISO 27001 / 27002 audit may be desirable. This list is sorely lacking, but has some audit firms in the UK who provide that service.

http://www.27000.org/consultants.htm#uk

Being that you're with a start-up firm that may not have deep pockets, you could always have your Internet-facing architecture scanned using PCI and other standard web vulnerability tests. That is relatively inexpensive. Then you could bolt on other audits (physical security, policies and procedures, internal vulnerability and risk management, business continuity, change control, network security, etc.) as time and budget allow.
Here is a list of Approved Scanning Vendors of that type.

https://www.pcisecuritystandards.org/approved_companies_providers/approved_scanning_vendors.php

I'm familiar with a few of those vendors, but again I don't want to endorse any firm. I will say that sometimes you get what you pay for. I've seen at least one of those report a number of false-positives on a recurring basis. Their price tag is cheap, but if I have to go behind each report and re-test everything myself only to find and prove that the findings are inaccurate and those vulnerabilities don't exist, then the value of the service certainly diminishes. Food for thought.

Peace,
Vic

----- Original Message -----
From: "Security" <security (at) ignorable (dot) com>
To: security-basics (at) securityfocus (dot) com
Sent: Tuesday, July 10, 2012 10:56:00 AM
Subject: Recommendation for a comprehensive security audit

Hello all,

We are an online payments solution provider start-up in the UK and are
about to roll out our first web application, using fairly standard
technologies like MySQL, Apache, Java, NodeJS, Flash, Flex and so forth.

What we are looking for is a comprehensive security audit encompassing
our production as well as development and office environments, not just
from a technical perspective but also in regards to physical security.
This also needs to include compliance testing for PCI, FSA and possibly
others.

Can someone recommend any companies for this, or alternatively a forum
with reviews of such companies?

Many thanks in advance,

Andre

