Ask HN: Best security practices for startups
My partner and I plan to launch a healthcare-related web app in the coming months. We'll be hosting on AWS, with the database on an encrypted EBS volume, all connections over HTTPS and we should have two-factor authentication by SMS. We're mostly using the MEAN stack.
I'm not technical, so I'd appreciate some guidance on best security practices that are relevant and feasible for a startup. I doubt we'll have anything financially useful to steal, but my main concern is avoiding leaks of private patient data, of which we might store a limited amount.
1. Is there a checklist/best practices guide somewhere? I'd like to avoid making obvious mistakes that would be embarrassing in retrospect, though I know it's hard to defend against someone skilled and determined.
2. Any experience with hiring a firm (like Matasano) for penetration testing? Rough estimate of cost? When is the right time to consider this?
3. How and when to start a bug bounty program? Is there a standard way to determine severity and payouts?
Thank you!