Hacker News
Ask HN: website security app (sanity check)
7 points by bandhunt on Oct 28, 2010 | hide | past | favorite | 13 comments
Hey HNers, I've received less than excited responses from friends about what I'm building and need a sanity check from you guys.

I've been working on some automated security testing software that would crawl and scan sites for open web exploits (SQL injection, XSS, XSRF, etc.).

Initially I'd offer free scans to HNer sites and the bigger goal is to create a paid service.

  Would you use this service?
  Would you pay for it?
  Do you have your security covered (ie don't need a 3rd party audit)?
  Any tools that you currently use that are good enough for your needs?
Thanks guys!


Main problem with security is trust.

How can one trust a security app which is offered as a service and believe that it will not do anything malicious? It is like storing my bank password and all credit card details in another third-party site. As a user I do not trust any third-party service which offers to store passwords. Similarly, as a developer I do not trust any third-party service over the web for web security testing.


Just out of curiosity, how will you verify that your clients actually own the site they want scanned?

And what sort of contract will you have in place for outages caused by the scanning, liability limitations, etc?

I absolutely think you could flourish with a service like this, but there are some kinks you'll have to work out.


A simple validation of ownership would be something like Google uses for Google Apps for Domains: generate a unique id and ask them to create a file of that name on the domain. As a secondary check, ask for something to be created in the DNS records for the domain.
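An added example (not code from this thread or from any commenter) of the two-step ownership check described above, written from the scanning service's side: it issues an unguessable token, then confirms that the token was published both as a file on the site and as a DNS TXT record before any scan is allowed. Everything here is an assumption of the example, not something the comment specifies: the file is expected at `https://<domain>/<token>.txt` and must contain the token, the TXT record uses a `site-scan-verify=` label, challenges expire after a day, and network access is injected through `fetch` and `lookup_txt` callables so the code runs offline against constructed fake backends.

```python
"""Domain-ownership verification before scanning (example code, not from the thread).

The customer proves control of the domain by publishing a per-domain challenge
token as a file on the site AND as a DNS TXT record. Network access is injected
(fetch / lookup_txt) so the module runs offline against fake backends.
"""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

TXT_PREFIX = "site-scan-verify="   # assumption: label used in the TXT record
TTL_SECONDS = 24 * 3600            # assumption: a challenge is valid for one day


def _eq(a: str, b: str) -> bool:
    """Constant-time equality on bytes so arbitrary record content cannot raise."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


@dataclass
class Challenge:
    domain: str
    token: str
    issued_at: float

    def file_url(self) -> str:
        # The file is named after the token and served from the site root.
        return f"https://{self.domain}/{self.token}.txt"

    def txt_value(self) -> str:
        return TXT_PREFIX + self.token


def issue_challenge(domain: str, now: Optional[float] = None) -> Challenge:
    """Create a 256-bit token from the OS CSPRNG; the customer publishes it."""
    issued = time.time() if now is None else now
    return Challenge(domain=domain, token=secrets.token_urlsafe(32), issued_at=issued)


def check_http(ch: Challenge, fetch: Callable[[str], Optional[Tuple[int, str]]]) -> bool:
    """fetch(url) -> (status, body) or None on error.

    The body must echo the token: a catch-all route that answers 200 to every
    path would otherwise "prove" ownership of any domain it fronts."""
    resp = fetch(ch.file_url())
    if resp is None:
        return False
    status, body = resp
    return status == 200 and _eq(body.strip(), ch.token)


def check_dns(ch: Challenge, lookup_txt: Callable[[str], List[str]]) -> bool:
    """lookup_txt(name) -> list of TXT strings. Scan every record, no early exit."""
    expected = ch.txt_value()
    found = False
    for rec in lookup_txt(ch.domain):
        if _eq(rec, expected):
            found = True
    return found


def verify_ownership(ch: Challenge, fetch, lookup_txt,
                     now: Optional[float] = None) -> Dict[str, bool]:
    """Both proofs must hold and the challenge must not be stale."""
    now = time.time() if now is None else now
    expired = (now - ch.issued_at) > TTL_SECONDS
    http_ok = (not expired) and check_http(ch, fetch)
    dns_ok = (not expired) and check_dns(ch, lookup_txt)
    return {"expired": expired, "http_ok": http_ok, "dns_ok": dns_ok,
            "verified": (not expired) and http_ok and dns_ok}


# ---- constructed fake backends for an offline demonstration ----------------
def make_fake_site(files: Dict[str, str], txt: Dict[str, List[str]], catch_all: bool = False):
    def fetch(url: str):
        if url in files:
            return (200, files[url])
        return (200, "<html>Welcome</html>") if catch_all else (404, "")

    def lookup_txt(name: str) -> List[str]:
        return txt.get(name, [])
    return fetch, lookup_txt


def demo():
    ch = issue_challenge("example.com", now=1000.0)
    # Case 1: customer published both the file and the TXT record.
    fetch, txt = make_fake_site({ch.file_url(): ch.token + "\n"},
                                {"example.com": ["v=spf1 -all", ch.txt_value()]})
    good = verify_ownership(ch, fetch, txt, now=1500.0)
    # Case 2: catch-all server returns 200 everywhere but never echoes the token.
    fetch2, txt2 = make_fake_site({}, {"example.com": [ch.txt_value()]}, catch_all=True)
    catch = verify_ownership(ch, fetch2, txt2, now=1500.0)
    # Case 3: correct proofs, but the challenge has expired.
    stale = verify_ownership(ch, fetch, txt, now=1000.0 + TTL_SECONDS + 1)
    return good, catch, stale


if __name__ == "__main__":
    for label, result in zip(("good", "catch-all", "stale"), demo()):
        print(label, result)
```

Requiring the token in the file body rather than just an HTTP 200 is the check most worth keeping: single-page apps and misconfigured hosts routinely return 200 for unknown paths, which would otherwise let anyone "verify" a domain they merely share a front end with. The token expiry bounds how long a leaked or forgotten proof file stays useful.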


That's the plan. Thanks!


My site isn't up yet, but I would use this service, and be willing to pay for it as well.

If you are an expert in this domain, maybe you could have a cheap automated testing suite, and then offer a consulting service to help fix the security issues.


Nice! Yeah, consulting stuff makes sense as an add-on down the road.

Email me (see my profile) and I'll give you free scans when I launch if you'd like.


Is this looking just through a known list of exploits for popular packages/libraries, or is it doing something to find holes in my application code?

I'd certainly be interested in the latter, and even just hearing how you go about that.


Cool. More on the application code side.

Email me (see my profile) and I'll give you free scans when I launch if you'd like.


Consider that a lot of web sec scanners exist and are free (like Skipfish).


That was one of my main concerns.

I'm hoping to provide a more comprehensive service that is also much easier to use and therefore add enough value to make it a pay service.


Isn't this what Nessus does?

Also, I think there are lots of players in this area.


They don't go as in-depth at the application level.

Do you use any of the other services?


Aye, I use Trustkeeper. It's a steaming POS.



