Ask HN: website security app (sanity check)

7 pointsbandhunt15y ago13 comments

Hey HNers, I've received less than excited responses from friends about what I'm building and need a sanity check from you guys.

I've been working on some automated security testing software that would crawl and scan sites for open web exploites (sql inject, xss, xsrf etc..).

Initially I'd offer free scans to HNer sites and the bigger goal is to create a paid service.

  Would you use this service?
  Would you pay for it?
  Do you have your security covered (ie don't need a 3rd party audit)?
  Any tools that you currently use that are good enough for your needs?

Thanks guys!

Ask HN: website security app (sanity check)

7 pointsbandhunt15y ago13 comments

Hey HNers, I've received less than excited responses from friends about what I'm building and need a sanity check from you guys.

I've been working on some automated security testing software that would crawl and scan sites for open web exploites (sql inject, xss, xsrf etc..).

Initially I'd offer free scans to HNer sites and the bigger goal is to create a paid service.

  Would you use this service?
  Would you pay for it?
  Do you have your security covered (ie don't need a 3rd party audit)?
  Any tools that you currently use that are good enough for your needs?

Thanks guys!

13 comments

13 comments · 6 top-level

m0nastic15y ago· 2 in thread

Just out of curiosity, how will you verify that your clients actually own the site they want scanned?

And what sort of contract will you have in place for outages caused by the scanning, liability limitations, etc?

I absolutely think you could flourish with a service like this, but there are some kinks you'll have to work out.

aquark15y ago

A simple validation of ownership would be something like google uses for the google apps for domains: generate a unique id and ask them to create a file of that name on the domain. As a secondary check ask for something to be created in the dns records for the domain.

bandhuntOP15y ago

That's the plan. Thanks!

jumby15y ago· 2 in thread

isn't this what Nessus does?

also, i think there are lots of players in this area.

bandhuntOP15y ago

They don't go as in-depth at the application level.

Do you use any of other the other services?

jumby15y ago

aye, i use trustkeeper. it's a steaming POS.

tsycho15y ago· 1 in thread

My site isn't up yet, but I would use this service, and be willing to pay for it as well.

If you are an expert in this domain, maybe you could have a cheap automated testing suite, and then offer a consulting service to help fix the security issues.

bandhuntOP15y ago

Nice! Yeah, consulting stuff makes sense as an add-on down the road.

Email me (see my profile) and I'll give you free scans when I launch if you'd like.

aquark15y ago· 1 in thread

Is this looking just through a known list of exploits for popular packages/libraries, or is it doing something find holes in my application code?

I'd certainly be interested in the later, and even just hearing how you go about that.

bandhuntOP15y ago

Cool. More on the application code side.

Email me (see my profile) and I'll give you free scans when I launch if you'd like.

gbrindisi15y ago· 1 in thread

Consider that a lot of web sec scanners exists and are free (like Skipfish).

bandhuntOP15y ago

That was one of my main concerns.

I'm hoping to provide a more comprehensive service that is also much easier to use and therefore add enough value to make it a pay service.

sundar22in15y ago

Main problem with security is trust.

How can one trust the security app which is offered as a service and believe that it will not do anything malicious? It is like storing my bank password and all credit card details in another thirdparty site. As a user I do not trust any thirdparty service which offers to store passwords. Similarly as a developer I do not trust any third party service over web for websecurity testing.

j / k navigate · click thread line to collapse

13 comments

13 comments · 6 top-level

m0nastic15y ago· 2 in thread

Just out of curiosity, how will you verify that your clients actually own the site they want scanned?

And what sort of contract will you have in place for outages caused by the scanning, liability limitations, etc?

I absolutely think you could flourish with a service like this, but there are some kinks you'll have to work out.

aquark15y ago

bandhuntOP15y ago

That's the plan. Thanks!

jumby15y ago· 2 in thread

isn't this what Nessus does?

also, i think there are lots of players in this area.

bandhuntOP15y ago

They don't go as in-depth at the application level.

Do you use any of other the other services?

jumby15y ago

aye, i use trustkeeper. it's a steaming POS.

tsycho15y ago· 1 in thread

My site isn't up yet, but I would use this service, and be willing to pay for it as well.

If you are an expert in this domain, maybe you could have a cheap automated testing suite, and then offer a consulting service to help fix the security issues.

bandhuntOP15y ago

Nice! Yeah, consulting stuff makes sense as an add-on down the road.

Email me (see my profile) and I'll give you free scans when I launch if you'd like.

aquark15y ago· 1 in thread

Is this looking just through a known list of exploits for popular packages/libraries, or is it doing something find holes in my application code?

I'd certainly be interested in the later, and even just hearing how you go about that.

bandhuntOP15y ago

Cool. More on the application code side.

Email me (see my profile) and I'll give you free scans when I launch if you'd like.

gbrindisi15y ago· 1 in thread

Consider that a lot of web sec scanners exists and are free (like Skipfish).

bandhuntOP15y ago

That was one of my main concerns.

I'm hoping to provide a more comprehensive service that is also much easier to use and therefore add enough value to make it a pay service.

sundar22in15y ago

Main problem with security is trust.

j / k navigate · click thread line to collapse