Suppose I ran a small company with a small dev and ops team of 3-4 people, running a Rails app with a MySQL database, a typical setup, say, Nginx front-end proxy to servers running mod_passenger, with a separate staging and QA environment. What services would you provide to me if I paid you what I would pay a well-qualified security person?
Just asking out of curiosity. I've been dabbling in web/app security for the past couple of years and know it's a very broad and deep field. I know about protecting against XSS, CSRF, SQL injection, and the basics of the OWASP Top 10, but I'm not sure what you'd be doing and how you would provide me service. Would it be an ongoing contract, or a one-time or as-needed service?
A decent short answer for this is that we'd work it out the same way you'd work it out in the hiring process for a Director of Security: by discussing your needs and determining what we were able, as "one entity", to do. The website gives a sort of sweeping idea of what things we're capable of tackling.
I should add, though, that I think a lot, maybe even most, startups don't need this, or dedicated security of any kind.
As a side note: http://lcamtuf.coredump.cx/tangled/ makes me feel like I've never considered the possibilities of anything thoroughly.