This is a really crowded space - there are a lot of small businesses offering 'managed' vulnerability scans, so you will struggle to differentiate yourself. Having said that, you seem to be doing a good job of differentiating yourself in a rather bad way from those other businesses:
Most other businesses tell you what vulnerability scanner(s) they use.
Most other businesses offer a free scan (or partial scan), so you can get an idea of what is provided.
Most other businesses show sample reports, so you can get an idea of what is provided.
Dammit, every other business tells you something useful about the product being offered, and absolutely tell you who is offering it.
I'm sorry if this is all negative, but... come on?! This honestly looks like some chancer has thrown this up in their lunch break. There isn't even anything to tell me who 'ScannerSec' is - I seriously can't even tell if this is some kind of scam to extort HN users.
> Most other businesses offer a free scan (or partial scan), so you can get an idea of what is provided.
> Most other businesses show sample reports, so you can get an idea of what is provided.
This is clearly something that we will add. Thanks for the suggestions.
As for the rest of your comment, you raise valid criticism from a technical point of view. This is our launch and we did it on Hacker News to collect feedback. However the website is designed to target small businesses or mom-and-pop shops that do not have the technical chops to understand the nitty-gritty security details.
We will try to find a way to give more information about how we do our scans without overwhelming a non-technical reader.
Wanna make more money? -- Drastically lower the cost, or even have a freemium model maybe the 1 post per month plan. Then have solutions for FIXING the vulnerabilities--esp for low-tech users like Wordpress users who don't know how to fix things themselves. -- Also having plugins for wordpress, etc... that scans from inside out could help as well.
>there are a lot of small business offering 'managed' vulnerability scans
Which managed vulnerability scanners would HNers recommend?
When I Google for them I can't tell who's good at security and who's simply good at SEO and snake-oil-selling. I would love to hear what HNers have used/would recommend.
I doubt you rewrote a vulnerability scanner from scratch, since it takes years and a lot of effort to do, so why don't you tell us a bit more about the technology behind it. Does it use ZAP? Arachni? W3AF? OpenVAS? SQLMap? All of them?
Also, I'd be careful about such claims:
> Our scans are secure and non-intrusive.
Because you never know what will happen in the backend when you hit that "GET /article/delete/1" endpoint while spidering the home page. Tons of poorly coded webapps have that kind of trap, and you should scan staging/test instances whenever possible to avoid dropping a production DB whenever you hit one of those.
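The spidering trap described above (a crawler following a link whose GET has a side effect) can be guarded against on the scanner side. This is an added example, not code from the thread or from ScannerSec: a breadth-first crawler over a constructed in-memory site that records state-changing-looking links as findings instead of requesting them. The keyword list and the sample site are assumptions made for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample site (URL -> HTML) standing in for a real crawl target.
SITE = {
    "http://shop.example/": '<a href="/articles">Articles</a>',
    "http://shop.example/articles": '<a href="/article/1">One</a> <a href="/article/delete/1">Delete</a>',
    "http://shop.example/article/1": '<a href="/article/1?action=remove">Remove</a> <a href="/">Home</a>',
    "http://shop.example/article/delete/1": "DELETED",          # side effect on GET
    "http://shop.example/article/1?action=remove": "REMOVED",   # side effect on GET
}
# Path/query fragments that suggest a GET link performs a state-changing action (assumed list).
DESTRUCTIVE = re.compile(r"delete|remove|destroy|purge|logout|reset|disable", re.I)

class LinkParser(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href") if tag == "a" else None
        if href:
            self.links.append(href)

def looks_destructive(url):
    p = urlparse(url)
    return bool(DESTRUCTIVE.search(p.path) or DESTRUCTIVE.search(p.query))

def safe_crawl(start, fetch):
    """Breadth-first crawl that fetches only idempotent-looking links.
    Returns (visited, flagged); flagged links are reported as findings
    ("state-changing action reachable via GET") instead of being requested."""
    visited, flagged, queue, seen = [], [], [start], {start}
    while queue:
        url = queue.pop(0)
        visited.append(url)
        parser = LinkParser()
        parser.feed(fetch(url))
        for href in parser.links:
            target = urljoin(url, href)
            if urlparse(target).netloc != urlparse(start).netloc or target in seen:
                continue  # stay on the agreed host, visit each URL once
            seen.add(target)
            if looks_destructive(target):
                flagged.append(target)  # record as a finding, never request
            else:
                queue.append(target)
    return visited, flagged
```

The flagged URLs are themselves the finding for the site owner: state-changing actions should require POST (or DELETE) plus a CSRF token, so that neither a crawler nor a prefetching browser can trigger them.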
Hi. Indeed we did not write a vulnerability scanner from scratch. We run a few major vulnerability scanners like OpenVAS on the target website, configured in a way to be non-intrusive. We do not communicate on the exact tools that we launch and how we compile the results since this is our secret sauce ...
Fair point about the "GET /article/delete/1" issue; unfortunately a lot of SMBs do not have staging/test instances ...
Honestly, you're not communicating much. Serious question: why would anyone give you their card details for a complete unknown? Your site doesn't provide free scans, sample reports (or even partial ones), or even say anything about who 'ScannerSec' is.
It would be relatively straightforward to announce the scanners you use without disclosing your analysis/correlation tools (which presumably is where you're looking to add value here?)
I'd echo the other comments about being very careful with language like "non-intrusive"; I've taken systems down with a single ' character in a login box before, or by carrying out basic port scans.
Now obviously you could say that a system that fragile has bigger problems, but customers tend not to feel that way if something bad has happened to their site on the day you're scanning them...
Granted OP is obscure but this is a very harsh assessment. Such comments can be hurtful to hear when you launch. Why not give some positive and constructive feedback?
To be fair, if a scanning tool running anonymously can muck up your webapp by hitting "GET /article/delete/1" then they did successfully find a problem with your SaaS app.
You're missing the "non-intrusive" point that he was bringing up. While they did find a vulnerability, they went beyond the scope they had agreed to, which is the issue he's describing.
Literally no information to judge whether this service is competent or not...
As a security expert myself, I mostly have recommended tinfoilsecurity.com and tenable.io to the small businesses I consult with. In cases where you want more than simple web application scanning, CyberGRX.com tries to accumulate a more holistic picture of the security practices of your company.
Hell, skip competent for a moment. There's no information to judge whether this service isn't just a way to gain access to website backends in the guise of scanning.
I'd say there's not anything to even judge if it's not just a way to charge a credit card. Picking a plan asks for a web address (which isn't validated in any way, you can type a single letter), and then it shows what looks like a Stripe CC popup (which probably signs a user up for recurring billing on stripe). Nothing about a login, email or password (I can ASSUME that's after a card is entered, but who knows..). I would never use something like this in its current state.
1. First heading text past the title bar has a typo. Yes, this matters. If you can't even get a second look at your website copy, did you get a second look at your product?
2. The domain was registered a month ago.
3. Like others mentioned, absolutely zero product information, and no information about whether they support the many industry standards that small businesses might actually need a security scanner for (are they wasting their money?).
4. The root domain only hosts http and not https, and the www site hosts both http and https, and none seem to advertise HTTP security headers. Considering this is a security product that takes your money: wtf?
5. The IPs used to host the site do not have reverse records. Again, wtf.
6. Leaks version and OS information of their DigitalOcean droplet.
Honestly, just paying a kid in high school the $20 to run Nmap and a webapp vuln scanner on your site might be a better investment.
Hi. I'm the founder of ScannerSec. We run vulnerability scanners: infrastructure and web applications. It starts with a port scan, and then it tries to detect vulnerabilities (CVE and others). It is like a simplified version of Nessus or OpenVAS.
> It is like a simplified version of Nessus or OpenVAS
Do you mean you've written your own scanners (a rather large task), or that you're using Nessus and OpenVAS and your service provides simplified access to these?
It's not clear where all the negativity is coming from. This is a great idea. Open source tools are hard to work with but powerful. If you can bottle it and automate it and sell it, good for you. It's absolutely worth something, not sure that's 20 bucks a month but I would keep tweaking til you get there. Good luck.
I assume it got flagged because it looks scammy at best. This is a one-page site with practically no information offered about the service supposedly being provided, no information at all about the company behind it, and the signup button takes you straight to a card payment popup. Honestly, I find it difficult to believe this is a real attempt at a launch.
It's quite common when someone posts something to 'Show HN' for some of the more affluent members of this community to sign up just to see if it works; perhaps the flaggers feel this website has been set up to take advantage of this.
I assure you this is a real launch... This is indeed a one page website, but the service we provide requires only that for the moment.
Once the user subscribes, he will start receiving the scan reports in his mailbox...
Try to look at it from a user's perspective: no information about product or provider, just a few words and a card payment form. Have you, or would you, ever provide your card details in such circumstances?
I understand your concern. And clearly we should have communicated better, but having the link flagged while it is on the HN homepage for our launch seems a little bit excessive.
It is not. Users subscribe and they receive a mail informing them that the scan will be launched shortly. Once the scan is over the user receives the scan report in his mailbox.
This is the service we provide...
Well this is a paid service... This is not a sign up page only.
If we follow your logic any service that requires card details can't be submitted to HN.