

Exploit Prevention as a Service for Rails - tkellogg
https://hakiri.io/blog/grand-opening

======
jph
Take my money! :) Your service is super-useful for app security. I'm signing
up right now. Great idea.

My two cents for you: you're far enough along that you can start seeding your
market as fast as possible.

* How about going to meetups at app dev companies such as Pivotal, Carbon 5, ThoughtWorks, etc.?

* How about a free version for open source projects, or students, or nonprofits?

Try to make the signup faster and easier.

* How about an item on the homepage saying "Upload a Gemfile.lock to see if it's secure"? I would personally do this first because it's fast, easy, and needs no setup.

* How about an item on the homepage asking "What's your GitHub username?" then skim for vulnerabilities? I would personally do this because I write many open source gems.

~~~
vasinov
Great feedback!

A lot of these things are on the roadmap, including the free option for OSS,
pitching at larger dev shops, and Gemfile.lock scanning without signing up.

Thank you.

------
borski
This is a really useful service for what we call "version tracking," and it
looks like it's running Brakeman for you too. With that said, it won't find
vulnerabilities you code in yourself - only publicly released vulns that Ruby,
etc. have issued patches for. A tool like
[https://www.tinfoilsecurity.com](https://www.tinfoilsecurity.com) can help
you find more vulnerabilities that either a) haven't been found yet publicly
or b) you've written in yourself. (Disclosure: I'm the cofounder)
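
Added example (not from the blog post, and not Hakiri's or Tinfoil's code): the "version tracking" check described above, written as a small Ruby script in the manner of bundler-audit. It parses the specs block of a Gemfile.lock and flags gems whose locked version matches none of an advisory's patched or unaffected ranges; the advisory entries and the lockfile below are constructed for illustration, not real advisory data.

```ruby
# Constructed advisories and lockfile for illustration only (not real CVE data).
# Each advisory lists the versions that carry the fix and, optionally, versions never affected.
ADVISORIES = {
  'rails'    => [{ id: 'EXAMPLE-2014-0001', patched: ['>= 4.0.3', '~> 3.2.17'] }],
  'nokogiri' => [{ id: 'EXAMPLE-2014-0002', patched: ['>= 1.6.1'], unaffected: ['< 1.5.0'] }]
}.freeze

# Parse the "specs:" block of a Gemfile.lock into { name => Gem::Version }.
# Resolved gems sit at four spaces of indent as "name (version)"; their dependencies sit at
# six and are skipped. A platform suffix such as "1.6.0-x86-mingw32" is dropped before comparing.
def parse_lockfile(text)
  specs = {}
  in_specs = false
  text.each_line do |line|
    if line.start_with?('  specs:')
      in_specs = true
    elsif in_specs && line =~ /\A    (\S+) \(([^)\s]+)\)\s*\z/
      specs[$1] = Gem::Version.new($2.split('-').first)
    elsif in_specs && line.strip.empty?
      in_specs = false # a blank line closes the GEM section
    end
  end
  specs
end

# A gem is flagged when its locked version satisfies neither the patched nor the
# unaffected requirements of an advisory (the same rule bundler-audit applies).
def audit(specs, advisories = ADVISORIES)
  specs.flat_map do |name, version|
    (advisories[name] || []).reject { |adv|
      safe = Array(adv[:patched]) + Array(adv[:unaffected])
      safe.any? { |req| Gem::Requirement.new(req).satisfied_by?(version) }
    }.map { |adv| { gem: name, version: version.to_s, advisory: adv[:id] } }
  end
end

SAMPLE_LOCK = <<~LOCK
  GEM
    specs:
      nokogiri (1.6.0)
        mini_portile (~> 0.5.0)
      rails (4.0.2)
      rake (10.1.1)

  PLATFORMS
    ruby
LOCK

audit(parse_lockfile(SAMPLE_LOCK)).each { |f| puts "#{f[:gem]} #{f[:version]}: #{f[:advisory]}" }
```

Running it prints one line per constructed advisory hit (nokogiri 1.6.0 and rails 4.0.2); rake has no advisory and stays silent.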

~~~
InAnEmergency
Definitely running Brakeman, as are
[https://codeclimate.com/](https://codeclimate.com/),
[https://www.pullreview.com](https://www.pullreview.com) and
[http://rails-brakeman.com/](http://rails-brakeman.com/).

~~~
borski
Yup! Nothing wrong with that - just wanted to make sure it was clear what was
going on. I run brakeman fairly often on my own for my projects. :)

------
revisionzero
Love the idea. An upcoming project that I am a part of will likely be built
on Rails, so this has been bookmarked!

~~~
vasinov
Let me know if you need any help setting up :)

------
homakov
Automated security audits are useless until we have some fancy AI

~~~
jerf
Testing can only prove the presence of bugs, or in this case, exploits... but
it _can_ prove the presence of exploits, and that is valuable data. (At least,
it can prove it reasonably well; false positives are a problem, but, well,
that's life.) Absence of exploits may not prove you're safe, but presence
certainly proves you aren't, and if your friendly pet automated scanner can
find it, so can everybody else's automated scanner.

I'd be comfortable saying "this can give you a false sense of security";
_useless_ is far too strong.

~~~
homakov
You're mostly right, but along with a working scanner, people should hire an
auditor to fix real bugs. Or it is just useless, spending a lot of money
annually on a scanner while forgetting about real vulns.

