AppCanary (YC S15) Helps Your Company Stay Safe from Security Vulnerabilities - loyalelectron
http://blog.ycombinator.com/every-day-theres-a-new-zero-day-appcanary-yc-s15-makes-sure-your-company-is-safe

======
stephendicato
Knowing if your application's dependencies have released security patches
isn't just valuable, it's necessary. It's very painful and time-consuming to
monitor email lists, websites, RSS feeds, and GitHub issues for relevant
information.

In my opinion, providing that information in a timely and actionable way, such
as telling me when and how to update, is a useful service. When looking for a
solution for Python applications I found
[https://requires.io/](https://requires.io/). It's a clever implementation
since it reads a requirements file and is therefore easy to "deploy" and get
immediate value from.

Your marketing leans towards 0-day protection. The challenge is doing anything
_actionable_ with knowledge of a new 0-day. Unless there is a patch available,
which implies the discloser worked with the project/vendor, or a known
workaround in lieu of an official patch, how is your service going to help?

What's your plan for supporting more operating systems, languages, and
ecosystems? Are you curating information about security disclosures and
software releases, or simply checking if newer versions of packages are
available?

------
phillmv
Hello friends,

I'm one of the founders. Zero-days are exciting but we're especially good
about the things that don't stay on the top of HN all day. Silent killers as
it were.

Today we support Ruby and Ubuntu but we're expanding quickly! And if you're
interested but don't have the time to try us out today, we also made
[http://isitvulnerable.com/](http://isitvulnerable.com/) to demo what we can
do.

Cheers,

~~~
iheartmemcache
Can you talk about the internals of your system without giving away your
secret sauce? I.e., are you doing anything more than pulling CVE
notifications, comparing the vuln against what the server is running, and if
there's an intersection, inform the end user?

(Not to belittle your product -- patio11 made a living, and more importantly a
brand, off of a Bingo Card app. Your product certainly offers value, and it's
particularly underpriced if you ask me. Still, I'm genuinely curious if you're
doing any heuristic analyses, fuzzing, or other server-specific things to
determine whether or not you're vulnerable to said exploit.)
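The baseline mechanism the comment above describes (pull advisories, compare against the installed inventory, report the intersection), as an added example written for this page and not AppCanary's or requires.io's own code. The advisory list, advisory IDs and the pinned inventory are all constructed sample data; the version comparison is numeric so that 1.6.10 sorts after 1.6.2, which a plain string compare gets wrong.

```python
import re

# Constructed sample advisories (placeholder IDs, not real CVEs): each names
# the package, the first affected version and the first fixed version.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "package": "rack", "introduced": "1.5.0", "fixed": "1.6.2"},
    {"id": "ADV-EXAMPLE-2", "package": "nokogiri", "introduced": "0", "fixed": "1.6.6.3"},
    {"id": "ADV-EXAMPLE-3", "package": "rails", "introduced": "4.2.0", "fixed": "4.2.4"},
]

# Constructed pinned inventory of what a host is running, one "name==version" per line.
INVENTORY = """\
rack==1.6.0
nokogiri==1.6.7       # already past the fixed version
rails==4.2.4          # exactly the fixed version: not affected
sinatra==1.4.6        # no advisory at all
"""

def parse_version(v: str) -> tuple:
    """Split a dotted numeric version into an int tuple so '1.6.10' > '1.6.2'."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def parse_inventory(text: str) -> dict:
    """Read 'name==version' lines, ignoring blanks and trailing comments."""
    installed = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, version = line.split("==", 1)
        installed[name.strip().lower()] = version.strip()
    return installed

def is_affected(installed: str, introduced: str, fixed: str) -> bool:
    """A version is affected when introduced <= installed < fixed (fixed itself is clean)."""
    v = parse_version(installed)
    return parse_version(introduced) <= v < parse_version(fixed)

def find_vulnerable(inventory_text: str, advisories=ADVISORIES) -> list:
    """Intersect inventory with advisories; return (advisory id, package, installed, fixed)."""
    installed = parse_inventory(inventory_text)
    hits = []
    for adv in advisories:
        version = installed.get(adv["package"].lower())
        if version is not None and is_affected(version, adv["introduced"], adv["fixed"]):
            hits.append((adv["id"], adv["package"], version, adv["fixed"]))
    return hits

if __name__ == "__main__":
    for adv_id, pkg, have, fixed in find_vulnerable(INVENTORY):
        print(f"{adv_id}: {pkg} {have} is affected; upgrade to {fixed} or later")
```

On the constructed inventory only rack is reported; nokogiri is past its fix and rails sits exactly on the fixed version, which the half-open range treats as clean.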

------
dang
We like launches and we like AppCanary, but after
[https://news.ycombinator.com/item?id=9935458](https://news.ycombinator.com/item?id=9935458)
and
[https://news.ycombinator.com/item?id=10022717](https://news.ycombinator.com/item?id=10022717)
I think this has to count as a dupe.

