
Show HN: SaaS Vulnerability Scanner for Small Businesses - LarkaUZ_
https://www.scannersec.com
======
GordonS
This is a _really_ crowded space - there are a _lot_ of small businesses
offering 'managed' vulnerability scans, so you will struggle to differentiate
yourself. Having said that, you seem to be doing a good job of differentiating
yourself in a rather bad way from those other businesses:

Most other businesses tell you what vulnerability scanner(s) they use.

Most other businesses offer a free scan (or partial scan), so you can get an
idea of what is provided.

Most other businesses show sample reports, so you can get an idea of what is
provided.

Dammit, _every_ other business tells you _something_ useful about the product
being offered, and absolutely tells you _who_ is offering it.

I'm sorry if this is all negative, but... come on?! This honestly looks like
some chancer has thrown this up in their lunch break. There isn't even
anything to tell me who 'ScannerSec' is - I seriously can't even tell if this
is some kind of scam to extort HN users.

~~~
gremlinsinc
Wanna make more money? -- Drastically lower the cost, or even have a freemium
model, maybe the 1 post per month plan. Then have solutions for FIXING the
vulnerabilities--esp. for low-tech users like WordPress users who don't know
how to fix things themselves. -- Also having plugins for WordPress, etc.
that scan from the inside out could help as well.

~~~
LarkaUZ_
These are some really good suggestions... Thanks for your help.

------
jvehent
I doubt you rewrote a vulnerability scanner from scratch, since it takes years
and a lot of effort to do, so why don't you tell us a bit more about the
technology behind it? Does it use ZAP? Arachni? W3AF? OpenVAS? SQLMap? All of
them?

Also, I'd be careful about such claims:

> Our scans are secure and non-intrusive.

Because you never know what will happen in the backend when you hit that "GET
/article/delete/1" endpoint while spidering the home page. Tons of poorly
coded webapps have that kind of trap, and you should scan staging/test
instances whenever possible to avoid dropping a production DB whenever you hit
one of those.
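The "GET /article/delete/1" trap described above, as an added example (not code from the thread or from ScannerSec): a simulated link-following spider is run against a toy article app, once with the delete action reachable by GET and once with it restricted to POST plus a CSRF token. All names and data here are constructed for illustration.

```python
import secrets


class ArticleStore:
    """Constructed in-memory 'production DB' with a per-session CSRF token."""

    def __init__(self):
        self.articles = {1: "Hello", 2: "World"}
        self.csrf_token = secrets.token_hex(16)


def _article_id(path):
    return int(path.rsplit("/", 1)[1])


def vulnerable_handle(store, method, path, form):
    """Vulnerable: the delete action sits behind a GET, so anything that
    follows links (spider, link previewer, prefetcher) deletes the row."""
    if path.startswith("/article/delete/"):
        store.articles.pop(_article_id(path), None)
        return 200
    return 404


def hardened_handle(store, method, path, form):
    """Hardened: GET is read-only; state changes need POST and a valid CSRF token."""
    if path.startswith("/article/delete/"):
        if method != "POST":
            return 405  # a spider's bare GET is refused
        if not secrets.compare_digest(form.get("csrf", ""), store.csrf_token):
            return 403  # cross-site or token-less POST is refused
        store.articles.pop(_article_id(path), None)
        return 200
    return 404


def spider(store, handler, links):
    """Simulated crawler: plain GET on every discovered link, no form data."""
    return [handler(store, "GET", link, {}) for link in links]


def crawl_demo(handler):
    """Returns (articles left, HTTP statuses) after the spider walks the site."""
    store = ArticleStore()
    statuses = spider(store, handler, ["/article/delete/1", "/article/delete/2"])
    return len(store.articles), statuses


def legit_delete_demo():
    """A real user with the session token can still delete on the hardened app."""
    store = ArticleStore()
    status = hardened_handle(store, "POST", "/article/delete/1", {"csrf": store.csrf_token})
    return status, sorted(store.articles)
```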

~~~
LarkaUZ_
Hi. Indeed we did not write a vulnerability scanner from scratch. We run a few
major vulnerability scanners like OpenVAS on the target website, configured in
a way to be non-intrusive. We do not communicate on the exact tools that we
launch and how we compile the results since this is our secret sauce ...

Fair point about the "GET /article/delete/1" issue; unfortunately a lot of SMBs
do not have staging/test instances ...

~~~
jvehent
Your secret sauce is purely based on the hard work of open source developers.
Pardon me if I don't support your obscurantism.

~~~
newsat13
Granted OP is obscure but this is a very harsh assessment. Such comments can
be hurtful to hear when you launch. Why not give some positive and
constructive feedback?

------
dguido
Literally no information to judge whether this service is competent or not...

As a security expert myself, I mostly have recommended tinfoilsecurity.com and
tenable.io to the small businesses I consult with. In cases where you want
more than simple web application scanning, CyberGRX.com tries to accumulate a
more holistic picture of the security practices of your company.

~~~
ceejayoz
Hell, skip competent for a moment. There's no information to judge whether
this service isn't just a way to gain access to website backends in the guise
of scanning.

~~~
boie0025
I'd say there's not anything to even judge if it's not just a way to charge a
credit card. Picking a plan asks for a web address (which isn't validated in
any way, you can type a single letter), and then it shows what looks like a
Stripe CC popup (which probably signs a user up for recurring billing on
stripe). Nothing about a login, email or password (I can ASSUME that's after a
card is entered, but who knows..). I would never use something like this in
its current state.

------
peterwwillis
Initial thoughts:

1. First heading text past the title bar has a typo. Yes, this matters. If
you can't even get a second look at your website copy, did you get a second
look at your product?

2. The domain was registered a month ago.

3. Like others mentioned, absolutely zero product information, and no
information about whether they support the many industry standards that small
businesses might actually need a security scanner for (are they wasting their
money?).

4. The root domain only hosts http and not https, and the www site hosts both
http and https, and none seem to advertise HTTP security headers. Considering
this is a security product that takes your money: wtf?

5. The IPs used to host the site do not have reverse records. Again, wtf.

6. Leaks version and OS information of their DigitalOcean droplet.

Honestly, just paying a kid in high school the $20 to run Nmap and a webapp
vuln scanner on your site might be a better investment.

------
sboselli
No info whatsoever.

What kind of scans are you running? What kind of data can I expect from the
report? Is it port scanning or CVE based stuff?

~~~
LarkaUZ_
Hi. I'm the founder of ScannerSec. We run vulnerability scanners:
infrastructure and web applications. It starts with a port scan, and then it
tries to detect vulnerabilities (CVE and others). It is like a simplified
version of Nessus or OpenVAS.

~~~
GordonS
> It is like a simplified version of Nessus or OpenVAS

Do you mean you've written your own scanners (a rather large task), or that
you're using Nessus and OpenVAS and your service provides simplified access to
these?

~~~
LarkaUZ_
We aggregate data from multiple web vulnerability scanners, and provide a
unified and simplified report about the vulnerabilities detected.

------
kapauldo
It's not clear where all the negativity is coming from. This is a great idea.
Open source tools are hard to work with but powerful. If you can bottle it and
automate it and sell it, good for you. It's absolutely worth something, not
sure that's 20 bucks a month but I would keep tweaking till you get there. Good
luck.

------
kc10
IMO, just saying _vulnerability scanner_ is not enough. A sample report would
help understand the service better.

~~~
LarkaUZ_
Thanks for the suggestion. We will try to fix that soon...

------
epalm
Front page <h1> typo: "Find out if your website is protected again Hackers"

You probably mean "against".

~~~
LarkaUZ_
Thanks! I fixed it.

------
newsat13
I would love to see a sample vulnerability report.

Also, why is this flagged?

~~~
GordonS
I assume it got flagged because it looks scammy at best. This is a one-page
site with practically no information offered about the service supposedly
being provided, no information at all about the company behind it, and the
signup button takes you straight to a card payment popup. Honestly, I find it
difficult to believe this is a real attempt at a launch.

It's quite common when someone posts something to 'Show HN' for some of the
more affluent members of this community to sign up just to see if it works;
perhaps the flaggers feel this website has been set up to take advantage of
this.

~~~
LarkaUZ_
I assure you this is a real launch... This is indeed a one-page website, but
the service we provide requires only that for the moment. Once the user
subscribes, he will start receiving the scan reports in his mailbox...

~~~
GordonS
Try to look at it from a user's perspective: no information about product or
provider, just a few words and a card payment form. Have you, or would you,
ever provide your card details in such circumstances?

~~~
LarkaUZ_
I understand your concern. And clearly we should have communicated better, but
having the link flagged while it is on the HN homepage for our launch seems a
little bit excessive.

