From a friend working at a big NGO:
"Dear Lazyweb; we'd like to hire a pentest company/team/freelancer to look at how secure our systems are. I'm looking for personal recommendations of companies/individuals you've used for this sort of work who did a great job.
(Stack is mostly Ruby (Rails+Padrino) on Heroku using RDS and SES, if that matters)"