

Show HN: CloudSploit – Continuous AWS Security Scanning - cddotdotslash
https://cloudsploit.com/?ref=hackernews

======
kevin
It’s great that you link to resources for entering access and secret keys
without giving keys to the kingdom, but I’d love it if you were more
explicit.

    
    
      Hey! We’ll need read-only access to get started. 
      If you don’t know how, here’s some guides to help you.
    

A service like this is built on trust and that kind of direct transparency and
guidance will help build that into your brand right from the beginning. Even
if it’s at the cost of conversion.

There's a lot of text on that homepage. The most important reason you need to
stick in my head is why it's scary NOT to do this regularly and (ideally)
automatically. It's too hard to find the info that tells me I can't do this
myself...that I need help.

~~~
cddotdotslash
Hi Kevin,

Thanks so much for the feedback! You're absolutely right that this kind of
service requires a large amount of trust upfront. One of the ways I'm trying
to do that is by being completely transparent about how the data is being
used, what is being scanned, etc. I guess one downside of that is too much
text. I'll definitely try to slim down the home page and move some of it to
different pages altogether.

Thanks again for the feedback!

~~~
clebio
Well, one way to do it would be to link to your open-sourced code on GitHub (or
wherever). Of course, that makes commercializing the product a bit tougher.
One general approach is value-added or "freemium" services, though: the nice
UI dashboard is not free.

~~~
cddotdotslash
Definitely agree. There is a link to the GitHub on the homepage (under the
sign up section "Looking for the open-source repository? Here's the GitHub
link.") But if anyone is curious, here is the direct link:
[https://github.com/cloudsploit/scans](https://github.com/cloudsploit/scans)

~~~
clebio
Excellent reply, sorry I'm so blind. But, maybe this is also just the same
question of too much text -- tighten up the copy. At any rate, my apologies
for missing it the first time through.

~~~
cddotdotslash
No worries! You're certainly not the first person to mention too much text.
It's something I'll definitely be fixing soon. I have zero UI/UX experience
(all my work is backend) so this has been a learning project for me. Thanks
again for taking time to check it out!

------
cddotdotslash
Founder here :) Soliciting any and all feedback! We're still in beta and
getting lots of helpful feedback from our users. If you would like an invite,
either add your email on the pre-registration page, or email me at
matt@cloudsploit.com and I'll get one to you ASAP. Thanks!

------
tchock23
Curious what your competitive advantage is over something like CloudCheckr?

~~~
cddotdotslash
One of the things I'm trying to do with CloudSploit is improve security for
AWS users overall, without locking out users who can't afford expensive plans.
For that reason, I've made CloudSploit free to use, and even open source so
that anyone can download and run it. My hope is that by engaging the
community, they will contribute back, making the service better for everyone.
I've actually had a number of users email me and submit pull requests for
updates or new scan types.

Now "being open source and low cost" isn't really a direct competitive
advantage or a feature. To be completely transparent, CloudSploit is something
I just started a few weeks ago, so CloudCheckr is most likely more feature
complete at the moment. However, I'm trying to add more features ASAP that
will focus on training users to use AWS security features correctly, receive
alerts when specific conditions are triggered, and really dive into each
resource within the account.

