Ask HN: website security app (sanity check) - bandhunt

Hey HNers, I've received less than excited responses from friends about what I'm building and need a sanity check from you guys.

I've been working on some automated security testing software that would crawl and scan sites for open web exploits (SQL injection, XSS, XSRF, etc.).

Initially I'd offer free scans to HNer sites, and the bigger goal is to create a paid service.

  Would you use this service?
  Would you pay for it?
  Do you have your security covered (i.e. don't need a 3rd party audit)?
  Any tools that you currently use that are good enough for your needs?

Thanks guys!
======
sundar22in
The main problem with security is trust.

How can one trust a security app which is offered as a service and believe
that it will not do anything malicious? It is like storing my bank password
and all my credit card details on another third-party site. As a user I do not
trust any third-party service which offers to store passwords. Similarly, as a
developer I do not trust any third-party service over the web for web security
testing.

------
m0nastic
Just out of curiosity, how will you verify that your clients actually own the
site they want scanned?

And what sort of contract will you have in place for outages caused by the
scanning, liability limitations, etc?

I absolutely think you could flourish with a service like this, but there are
some kinks you'll have to work out.

~~~
aquark
A simple validation of ownership would be something like what Google uses for
Google Apps for Domains: generate a unique ID and ask them to create a file of
that name on the domain. As a secondary check, ask for something to be created
in the DNS records for the domain.

~~~
bandhunt
That's the plan. Thanks!
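
The ownership check aquark describes above, as an added example (not the original poster's code, and not Google's implementation): a random token is issued, then proven twice, once as a file served over HTTPS at a fixed path and once as a DNS TXT record at the domain. The path `/.well-known/site-scan-verify.txt` and the TXT prefix `site-scan-verify=` are hypothetical names chosen here; the HTTP client and resolver are injected callables backed by constructed in-memory data so the logic runs offline.

```python
"""Domain-ownership verification before a scan is allowed (added example).

Two independent proofs of a random token: an HTTPS-served file at a fixed
path and a DNS TXT record. The fetch/resolve callables are injected so the
logic runs offline; the path and TXT prefix are hypothetical names.
"""
import hmac
import secrets
from typing import Callable, Dict, Iterable, List, Optional

TOKEN_PATH = "/.well-known/site-scan-verify.txt"  # hypothetical path
TXT_PREFIX = "site-scan-verify="                   # hypothetical TXT prefix


def issue_token() -> str:
    """128 bits from the OS CSPRNG: long enough that guessing is hopeless."""
    return secrets.token_urlsafe(16)


def _matches(expected: str, observed: Optional[str]) -> bool:
    """Constant-time comparison after trimming the trailing newline most
    editors add. None means the file or record was absent."""
    if observed is None:
        return False
    return hmac.compare_digest(expected.encode(), observed.strip().encode())


def verify_http(domain: str, token: str,
                fetch: Callable[[str], Optional[str]]) -> bool:
    """fetch(url) returns the body, or None on any error. A real fetch must
    use HTTPS and must not follow redirects to a different host, otherwise a
    page on a third party's server could satisfy the check."""
    return _matches(token, fetch(f"https://{domain}{TOKEN_PATH}"))


def verify_dns(domain: str, token: str,
               resolve_txt: Callable[[str], Iterable[str]]) -> bool:
    """Look for a TXT record "<prefix><token>" at the domain itself."""
    for record in resolve_txt(domain):
        if record.startswith(TXT_PREFIX) and _matches(token, record[len(TXT_PREFIX):]):
            return True
    return False


def verify_ownership(domain: str, token: str,
                     fetch: Callable[[str], Optional[str]],
                     resolve_txt: Callable[[str], Iterable[str]]) -> Dict[str, bool]:
    """Require both proofs. The file proves control of the HTTP origin, the
    TXT record proves control of the zone. Someone who can only upload files
    to a shared host (or only edit DNS) passes one check but not both."""
    http_ok = verify_http(domain, token, fetch)
    dns_ok = verify_dns(domain, token, resolve_txt)
    return {"http": http_ok, "dns": dns_ok, "verified": http_ok and dns_ok}


# --- constructed offline stand-ins for a real HTTP client and resolver ---
TOKEN = issue_token()

FAKE_WEB: Dict[str, str] = {
    f"https://example.com{TOKEN_PATH}": TOKEN + "\n",    # legitimate owner
    f"https://shared-host.example{TOKEN_PATH}": TOKEN,   # file only, no DNS
}
FAKE_DNS: Dict[str, List[str]] = {
    "example.com": ["v=spf1 -all", TXT_PREFIX + TOKEN],
    "shared-host.example": ["v=spf1 -all"],
    "victim.example": [TXT_PREFIX + "wrong-token"],      # stale/forged record
}


def fake_fetch(url: str) -> Optional[str]:
    return FAKE_WEB.get(url)


def fake_resolve_txt(domain: str) -> List[str]:
    return FAKE_DNS.get(domain, [])


if __name__ == "__main__":
    for d in ("example.com", "shared-host.example", "victim.example"):
        print(d, verify_ownership(d, TOKEN, fake_fetch, fake_resolve_txt))
```

Requiring both proofs is what makes the DNS check worth having as a "secondary" step: a tenant on a shared host who can write under the web root, or a registrar account that can edit the zone but not the site, each satisfies only one half. Tokens should also be single-use and expire, so a file left behind after a site changes hands cannot authorise scans against the new owner.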

------
tsycho
My site isn't up yet, but I would use this service, and be willing to pay for
it as well.

If you are an expert in this domain, maybe you could have a cheap automated
testing suite, and then offer a consulting service to help fix the security
issues.

~~~
bandhunt
Nice! Yeah, consulting stuff makes sense as an add-on down the road.

Email me (see my profile) and I'll give you free scans when I launch if you'd
like.

------
aquark
Is this looking just through a known list of exploits for popular
packages/libraries, or is it doing something to find holes in my application
code?

I'd certainly be interested in the latter, and even just hearing how you go
about that.

~~~
bandhunt
Cool. More on the application code side.

Email me (see my profile) and I'll give you free scans when I launch if you'd
like.

------
gbrindisi
Consider that a lot of web security scanners exist and are free (like Skipfish).

~~~
bandhunt
That was one of my main concerns.

I'm hoping to provide a more comprehensive service that is also much easier to
use and therefore add enough value to make it a pay service.

------
jumby
Isn't this what Nessus does?

Also, I think there are lots of players in this area.

~~~
bandhunt
They don't go as in-depth at the application level.

Do you use any of the other services?

~~~
jumby
Aye, I use TrustKeeper. It's a steaming POS.

