
GitHub acquires AppCanary - marcc
https://blog.appcanary.com/2018/goodbye.html
======
altharaz
I met Max just before his YC interview. The fun fact there was that we both
have the same first name, came from the same region (Europe), and work on the
same product family (Vulnerability Management).

AppCanary went to YC, and Cyberwatch went back to France.

However, for us that was for the best! Most of our customers indeed really
liked the fact that we are a 100% French company.

We are now profitable and provide a complete Server Vulnerability Management +
Patch Management solution.

Different paths to glory, but the world is small and I'm sure we'll meet again
someday :)

=> I wish you the best at GitHub!

~~~
ontoillogical
I remember meeting you that day, it was a very surreal start to our summer in
Silicon Valley.

I'm really happy to hear you're doing well in the space!

Building a profitable company is really hard, I should know :)

------
phantom_oracle
For anybody that needs a replacement that is OSS and can monitor dependencies
for updates, there is this:

[https://libraries.io/](https://libraries.io/)

Disclosure: I have no interests (direct/indirect) of any sort in libraries.io

------
ericcholis
I really found AppCanary useful for Linux packages. They had nice rollup
emails for your servers' packages installed with fixes/patches and those with
public vulnerabilities without patches. Is there a similar service that does
that on the cheap? I'd rather not run/install my own.

~~~
igoraj
For vulns related to Linux packages you are welcome to try
[https://tactycal.com](https://tactycal.com)

------
Artemis2
Launch feels like just yesterday!
[https://news.ycombinator.com/item?id=9935458](https://news.ycombinator.com/item?id=9935458)

~~~
danso
Top comment in that thread is an expression of hesitation over the pricing.
Looks like they kept largely the same scheme over their lifetime, except by
replacing the next step up from the $99 tier -- $299 for 50 servers -- with a
$499 for 75 servers:

[http://web.archive.org/web/20151205162125/https://appcanary.com/](http://web.archive.org/web/20151205162125/https://appcanary.com/)

[http://web.archive.org/web/20171026173951/https://appcanary.com/](http://web.archive.org/web/20171026173951/https://appcanary.com/)

I like the idea of smartly compiling and packaging vulnerabilities and
building a business off of that. But was the pricing competitive to what a
company devops employee would typically spend in monitoring this? It looks
like they provided monitoring and reports with these plans but not anything
else on top of sending the alerts.

~~~
lbotos
I assume that's why they were acquired. At this point, they were a little bit
more of a "feature" than a product. I suspect this tech is driving vuln alerts
on repos:

[https://github.com/blog/2470-introducing-security-alerts-on-github](https://github.com/blog/2470-introducing-security-alerts-on-github)

~~~
dewey
> There, we’ll be working on expanding GitHub’s security tooling, like their
> recently announced vulnerable dependency alerting.

You don't have to suspect, it's in the article :)

~~~
phillmv
I would hate to take credit for work I didn't do, so I would just like to
quickly set the record straight:

We had nothing to do with that feature! We legit joined just now. But it
certainly demonstrated a certain synergy between our skillset and GitHub's
feature roadmap ;).

------
greysteil
Congratulations Phill and Max! Really excited to see what you do with GitHub's
security alerting. Seeing GitHub take ownership of the space feels like a
great development.

------
andkon
Congrats Phill and Max! Glad to see some Toronto exits.

~~~
pc86
Are acquihires successful exits?

~~~
seattle_spring
If the equity ends up being worth > $0, I would say "yes."

Way better than just shutting the company down and being left with nothing.

~~~
ryandrake
Even if the equity ends up being worth $0, I'd still say it's a successful
exit, since you're ending up working for a great company that you might
otherwise not have been able to get into. Think of it as an alternative to
the standard "whiteboard hazing, recruiter ghosting" interview track.

EDIT: To clarify I'm talking about acquihires in general, not specifically
this one, the details of which I'm obviously not aware.

~~~
sokoloff
I'm not sure that 900 days of labor resulting in an equity value of $0 and a
job offer is worth skipping the whiteboard and other recruiting nonsense. (I
have no idea if that's what did or didn't happen here, of course, and suspect
it was better than that, but that scenario is not one of "success", IMO.)

------
gravis
Good luck Phill and Max for your new adventure! And thanks for having
mentioned [https://gemnasium.com](https://gemnasium.com) as an alternative.

------
sytse
The trend is integrating security into the DevOps lifecycle (DevSecOps). At
GitLab we already do SAST and are working on SAST for containers with Clair
and DAST. I looked today but couldn't find a good IAST solution that was open
source.

~~~
sytse
[https://github.com/baidu/openrasp/blob/master/README.md](https://github.com/baidu/openrasp/blob/master/README.md)
Looks like a good RASP solution and with DAST that gives IAST. But it is Java
only.

