Do any indie hackers have experience with penetration testing services on a budget? I'm running a bootstrapped business so I couldn't spend more than $2k.
It also seems a bit silly since my entire app is basically just a single node.js process running on Heroku. Part of me thinks that if I trust Heroku to be secure then my app should also be secure?
I know big organizations spend millions on this kind of thing, but is there an option for small startups? Is it even worth it?
Interested to hear others' thoughts on this.
Thanks 🙏
I don't think it's worth it unless you're in a highly regulated industry.
With penetration testing, you get what you pay for. Paying a few hundred on Upwork will get you some basic vulnerability scans from someone doing them at scale. A deeper penetration test costs thousands of dollars.
Using Heroku does not mean your app is secure. It mitigates vulnerabilities associated with the server, but not with the app itself.
Thanks for the response! Yeah, I've been looking at options on Upwork and I was skeptical if I'd actually get any value out of it. And yeah, you're totally right about the app itself being the main vulnerability, not Heroku.
You probably don't want a penetration test, but a third party vulnerability assessment. Your strategy should not be to "do nothing", but you should consider a reasonable effort that is commensurate with your scale and the risk (or lack of) that using your app presents to your customers. At your scale, you might want to look at something like Detectify. I have no affiliation, but I think it's a worthy service for entry-level vulnerability assessment.
Thanks, I'll take a look at Detectify 🙏
You have a bunch of open source scripts and frameworks to test it alone or with a tech-friendly friend; some learning curve is needed, but it can save you thousands of dollars. A professional pentest assessment is between 10k-25k and more, depending on whether it is black box or white box access (allowed access into the internal structure, or a blackhat approach using only external information to see what can be hacked), as well as the size of the network and x other factors.
For example, if you are familiar with Linux (Kali, arcx, even Ubuntu) you have tools and scripts for automatic recon, scanning and other intelligence details that help hackers gain further access and exploit whatever they can. Search for Legion (a secforce product), Metasploit, Jok3r and Sn1per; those scripts combine tens and even hundreds of other scripts used for recon, scanning, finding hackable elements, database attacks, bruteforcing, basically testing and exploitation of all kinds.
For Windows I know of OWASP software (lots of false positives but still useful) and OWASP's Nettacker, but basically if you install Python on a Windows machine you can use many of the tools that work on Linux. Also try to find out if someone in a bigger company has a license for Acunetix; they do a decent job in automated tests and maybe some of them are willing to run one scan for you.
After you do everything you can to fix the issues alone, you can use your 2k for a crowd-sourced pentesting platform like hackerone.com or Bugcrowd and give bounties for their findings; check the sites to see the rewards for specific issues.
Not your intent, but good to hear that there could at least be a market for this sort of thing. The past couple of days I've been trying to figure out if there would even be demand for pentesting and cybersecurity services from small businesses and startups.
Ha! I'm still trying to decide if it's worth it in my case 😅
Depending on how far you are on the journey of your product, this is something you could delay. If you are just starting and still trying to find the product market fit, I wouldn't worry about it yet, focus on getting the product off the ground. Later on you can hire external professional penetration testing companies since there is a lot to consider.
Yea we definitely have product market fit already, that's the thing. We're just not venture backed so we don't have millions of dollars to spend. That's why I'm starting to worry about this kind of thing. Maybe you're right though and it's too soon.
I just posted about looking for this type of service.
I checked out the Detectify website -- I want nothing to do with 'crowdsourced' for my pentesting.
Assuming that Heroku is secure therefore your app is secure is the wrong assumption. Heroku is only going to protect your codebase, you need to employ proper security practices throughout your application.