We are in the pre-launch phase for an application we built on Meteor. We love Meteor!
During the development process, we followed a number of security guidelines, including those outlined here http://security-resources.meteor.com and the presentations/updates from Emily Stark.
We made extensive use of these 2 packages:
We conducted an internal security review and found a couple of issues. The most notable was that our OAuth tokens were not encrypted in the database. To rectify that problem we implemented this package https://atmospherejs.com/meteor/oauth-encryption.
We are now ready for some external individual/company to access and help us improve the security of our application.
I’m not clear on the process we should follow or who would be best qualified to do this. Any suggestions on how we can approach getting external help?