
Can anybody disclose some figures on how much ^lift (or competitors) costs, e.g. for a 100K-line Python codebase? A rough ballpark would help a lot.


Full Disclosure: I work at ^Lift (liftsecurity.io)

To be honest, we usually bill out by time rather than code base size.

To determine costs, we:

* look at the application size
* estimate how long it will take us to get good coverage
* take in all the other factors (source provided vs blackbox)
* then we give an estimate based on how long we think it will take

I must say that I honestly believe that what we provide is totally worth the money. We work really hard to provide a clear assessment of the problems with recommendations on how to fix them.

We aren't an "automated tool" shop, we actually look at the app and understand how it works and then see how to break it.

But to actually answer your question, having NO IDEA what your application actually is: (Keep in mind I am not the actual guy who does the bids, I do assessments and training. No promises, please don't fire me, etc.)

Prices vary drastically by project, and it would really depend on what we were looking at.


Just to be clear: any firm charging appsec rates should not be an automated-tool shop. I know there are some firms like that, but we banned scanners altogether the first year we were in business. I used to think we were cool for doing that, but really among the high-end firms that's table stakes.


Don't scope projects based on lines of code; you'll get shafted. Figure out the attack surfaces (for instance, how many app endpoints, how many URL routes, how many roles), come up with a total person/weeks scope, and then (especially if it's your first project) triage: capture the most important attack surfaces in a "pilot" or "90%" project to figure out how well you work with outside security teams.

A good firm will help you do this, gratis, if you're serious about funding the work. We do it "on spec" for most of our clients, even though that work sometimes ends up helping a competitor deliver the project.

It's fine if firms ask you for lines-of-code counts, but if that's the only question they ask, I'd consider that a red flag.


Thanks for the heads up. I had actually mentioned only KLOCs as an initial number just to have a rough idea; I understand it's not sufficient for a real quote, but I was just looking into ballparks here.


Thomas could give you better numbers here, but in general, appsec reviews cost as much as getting software development done. (i.e. For a security review worth the paper you print the report on, you're looking at $5k at the lower end if your application is simple or if someone wants to really do you a favor, and they get substantially more expensive than that. You can get someone to run an automated scan for $500 and give you a CSV file, but that is not maximally in your interests.)

I'd turn away any client who asked me to do appsec work, because I don't think I'd produce work of a sufficient quality to justify the sort of rates I charge, but I do think I'm probably good enough to roughly scope appsec projects on technologies I understand well. Example: Appointment Reminder is an architecturally simple Rails application. I think an audit of the marketing site, application, and architecture would reasonably require probably 1 to 2 billable weeks depending on how much I asked you to plumb e.g. line-by-line HIPAA requirements, and that would probably run in the $4k to $12k region based on my understanding of prevailing rates for appsec work. (I'm sure that if I had $25k budgeted for that audit many firms could find a way to get me my money's worth for every penny of that budget, by the way.)


A $4k billable week is incredibly cheap, so much so that I'd worry about the team delivering it. Our rates are high because big firms bid them up. Why are the cheap teams turning down free money?

If someone offers you a $4k week, make sure they know they're cutting you a deal.


> Why are the cheap teams turning down free money?

Hi, I double that. Also I understood your advice better now. Undercharging = making it worse for everyone (consultant profit, work quality, dumping).


Hey, just to be clear: I don't think it's wrong to charge less than the market rate, and while I'm more likely to do a project gratis than at 1/2 or 1/3 my rate, we've given people breaks before.


Thanks, this gives me some basic figures to think of.


^Lift gave us a really reasonable rate based on the number of people, the amount of time spent, and the number of weeks that they'd be poking at stuff.

They were extremely easy to work with, and very fast about getting stuff to us and verifying when it was fixed, and I felt like we definitely got more than our money's worth.

A+, would recommend, will hire again.


I used to work as a security consultant for a while, and the final cost depends on how thoroughly you want to go. There's never an "I'm done" state. There's always something left to check.

1) app-agnostic bugs, such as XSS/CSRF and other blatant issues

2) app-specific bugs such as access bypass, goto-fails, other obvious bugs like eval(params[:serialized]), security measures switched off, mass assignment :)

3) complex bug chains. Usually I end up with account hijacking or similar-severity bugs by chaining a few unrelated and barely exploitable bugs, such as redirects, cookie encodings etc. This requires at least a week (which is $12k if you work with me).

4) infinity. Checking some unpopular Ruby gems the project uses. Checking popular ones. Checking the Rails codebase to be sure methods don't have "magic" arguments. Nobody goes that far usually, because attackers will have to do 2-4x more work to get the same bugs you may find.

TL;DR: for quick & budget auditing of a website like npm, $3,200 and one day of work is enough; for any medium-sized website people should take 1+ week.
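An added illustration of two of the "app-specific bugs" named in category 2 of this comment, the eval-based deserialization and mass assignment, with a hardened form beside each. This is constructed example code, not code from any poster; the `User` class, `params` hashes and `PERMITTED` list are stand-ins for a Rails model, controller params and strong parameters.

```ruby
require 'json'

# --- Deserialization: eval(params[:serialized]) vs. a real parser ---
# Vulnerable form from the comment: the client-controlled string is
# executed as Ruby code, so "deserialization" is arbitrary code execution.
def deserialize_unsafe(serialized)
  eval(serialized) # never do this with client input
end

# Hardened form: parse a declared data format. Input that is not valid
# JSON is a parse error (returns nil here), not executed code.
def deserialize_safe(serialized)
  JSON.parse(serialized, max_nesting: 10)
rescue JSON::ParserError
  nil
end

# --- Mass assignment: unfiltered attributes vs. an allow-list ---
# Stand-in for a Rails model (constructed for this example).
class User
  attr_accessor :name, :email, :admin

  def initialize
    @name = nil
    @email = nil
    @admin = false
  end

  # Vulnerable pattern: every key the client sent becomes an attribute,
  # so a request carrying admin=true elevates the account.
  def update_all(attrs)
    attrs.each { |k, v| public_send("#{k}=", v) }
    self
  end
end

# Allow-list of attributes a client may set (the strong-parameters idea).
PERMITTED = %w[name email].freeze

# Keep only permitted keys; everything else is silently dropped.
def permit(params, allowed = PERMITTED)
  params.select { |k, _| allowed.include?(k.to_s) }
end

# Hardened update: filter before assignment, so admin can never be set
# from request parameters regardless of what the client sends.
def update_user(user, params)
  user.update_all(permit(params))
end
```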



