I'm sorry but you can't fix 'failing Web startup security' with automated scans. Automated scans are useless for finding all but the most trivial of vulnerabilities.
There's almost no doubt in my mind that the only way to fix the situation is with education. I think that if your goal is to fix poor security practices, you should change your strategy to teaching developers how to be security aware, rather than offering a service that merely pokes around for a few well-known vulnerabilities.
BUT, there are charlatans armed with little more than nmap and a cursory understanding of the output that sell themselves as penetration testers, for a whole lot more than I assume this service will cost.
This, at least, is normalized, repeated, reported consistently, and history is kept. That's worth something.
It's incomplete, but I assume at the price point, it will be more cost efficient and trustworthy than the other options -- the most popular of which is doing nothing.
Usual rant about false senses of security elided for brevity.
Just as educated programmers can introduce bugs and it's impossible to find a programmer who will write bug-free code, it's also impossible to find one who will write vulnerability-free code. Therefore educating programmers is not the solution; it's part of the solution. And automated scanning is also not the solution, but it's a big part of that solution.
> Automated scans are useless for finding all but the most trivial of vulnerabilities
I’m really curious about how you can make that claim. Automated scanning can find many very important vulnerabilities in a very accurate manner. We regularly receive user comments like this one:
“We have external scan performed by third party that found some vulnerabilities of our sites. Using Netsparker we were able to validate them and work on fixing them. More than this we found few others not reported by them that we had to patch.”
This proves that even a highly-paid security consultant can miss vulnerabilities that can be found by automated scanners. Not to mention that lots of security consultants also use automated scanners to speed up their task.
Finally, there are so many other issues to learn about that you can’t expect your developers to keep up-to-date with all of them: new attack techniques, new vulnerabilities that affect a framework, etc. So, even when your developers are educated about writing secure code, you can still create vulnerabilities in your application. Or when your code is secure in your staging environment, it can be not-so-secure on the production environment because certain settings are different etc.
> merely pokes around for a few well known vulnerabilities.
Modern web app scanners don't really work around the concept of testing well-known vulnerabilities; there are classes of vulnerabilities such as LFI, SQLi, XSS etc., and scanners intelligently (similar to an actual attacker / penetration tester) test these out.
You might be thinking about old-school tools such as Nikto (also referred to as CGI scanners). Today, even those tools are doing a little bit more than just looking for well-known vulnerabilities.
At my company we've been looking into this. We've been in contact with a security company who gave us a quote of £6k, for probably what amounts to not much more than just a port scan. We've only got 4 VPSes, so this seems a bit crazy! Keep up the good work, I want this now! :D
The scanning and vulnerability detection mechanisms will be the same as those used by Netsparker, which is already built, tested and in widespread use. What we are currently building is the SaaS application that will host this. We are aiming for a very early beta version some time in August.
Just wondering; how does this differ from products like StopTheHacker and SiteLock (amongst others)? I mean, the idea is a solid one, but there's a few players in this arena already.
Sites like those are generally in the business of seal-selling or doing very light security checks.
Many of them will only report out-of-date software vulnerabilities (quick & easy to check) or a limited set of very simple issues. Still a legit business, obviously, though the benefits are limited. Best way to check this: get a scan and watch your logs. Most of them won't even do a POST request. How can you really check for vulnerabilities unless you test all the functionality in a web application?
I guess we should explain this in our website to distinguish ourselves from that pack.
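As an added example (not code from the original thread, Netsparker, or any of the vendors named), here is the "watch your logs" check from the comment above, made concrete: it parses Apache combined-format access log lines, groups requests by client IP, counts HTTP methods, and tags each request target with the vulnerability class its payload resembles (SQLi, XSS, LFI, the classes mentioned earlier in the thread). A client that only ever sent bare GET/HEAD requests with no payloads is flagged as shallow. The log lines, IP addresses, user-agent strings and payload signatures are all constructed for the example; real scanner payloads are far more varied, and note that an access log shows that a POST happened but not its body, so POSTed payloads are only counted, not classified.

```python
"""Check what a web-security scanner actually exercised, using the access log.

Constructed example: parses Apache combined-format lines, groups by client IP,
counts methods, and classifies URL payloads by vulnerability class.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_plus

# Apache/nginx "combined" log format (hypothetical sample lines below).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?$'
)

# Deliberately simple probe signatures (assumption: enough to recognise the
# obvious SQLi / XSS / LFI payload families in a decoded request target).
CLASS_PATTERNS = {
    "sqli": re.compile(r"'\s*(or|and)\s|union\s+select|sleep\(|--\s*$", re.I),
    "xss": re.compile(r"<script|onerror\s*=|javascript:|alert\(", re.I),
    "lfi": re.compile(r"\.\./|/etc/passwd|boot\.ini", re.I),
}

# Constructed log: 203.0.113.5 behaves like a seal-vendor checker (known paths,
# no payloads, no POST); 198.51.100.7 behaves like an application scanner.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jul/2012:13:55:36 +0000] "GET / HTTP/1.1" 200 2326 "-" "SealCheck/1.0"
203.0.113.5 - - [10/Jul/2012:13:55:37 +0000] "GET /robots.txt HTTP/1.1" 404 209 "-" "SealCheck/1.0"
203.0.113.5 - - [10/Jul/2012:13:55:38 +0000] "GET /wp-login.php HTTP/1.1" 404 209 "-" "SealCheck/1.0"
203.0.113.5 - - [10/Jul/2012:13:55:39 +0000] "HEAD /phpmyadmin/ HTTP/1.1" 404 0 "-" "SealCheck/1.0"
198.51.100.7 - - [10/Jul/2012:14:02:01 +0000] "GET /login HTTP/1.1" 200 1812 "-" "AppScanner/2.0"
198.51.100.7 - - [10/Jul/2012:14:02:02 +0000] "POST /login HTTP/1.1" 302 0 "-" "AppScanner/2.0"
198.51.100.7 - - [10/Jul/2012:14:02:03 +0000] "GET /search?q=%27+OR+1%3D1-- HTTP/1.1" 500 512 "-" "AppScanner/2.0"
198.51.100.7 - - [10/Jul/2012:14:02:04 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 1900 "-" "AppScanner/2.0"
198.51.100.7 - - [10/Jul/2012:14:02:05 +0000] "GET /download?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 403 120 "-" "AppScanner/2.0"
198.51.100.7 - - [10/Jul/2012:14:02:06 +0000] "POST /profile/update HTTP/1.1" 200 640 "-" "AppScanner/2.0"
"""


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(target):
    """Return the set of probe classes whose signature appears in the request target."""
    decoded = unquote_plus(target)          # scanners URL-encode payloads; decode first
    return {name for name, pat in CLASS_PATTERNS.items() if pat.search(decoded)}


def summarize(lines):
    """Group requests by client IP: method counts, distinct paths, payload classes seen."""
    by_ip = defaultdict(lambda: {"methods": Counter(), "paths": set(), "classes": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                         # skip lines that are not combined-format
        stats = by_ip[rec["ip"]]
        stats["methods"][rec["method"]] += 1
        stats["paths"].add(rec["target"].partition("?")[0])
        stats["classes"] |= classify(rec["target"])
    return dict(by_ip)


def verdict(stats):
    """'shallow' if the client never POSTed and never sent a recognisable payload."""
    if stats["methods"]["POST"] == 0 and not stats["classes"]:
        return "shallow"
    return "functional"


if __name__ == "__main__":
    for ip, stats in summarize(SAMPLE_LOG.splitlines()).items():
        print(ip, verdict(stats), dict(stats["methods"]),
              sorted(stats["classes"]), len(stats["paths"]), "paths")
```

Run it against your own access log for the time window of a trial scan (filtered to the scanner's source IP) and the verdict tells you whether the service touched your forms and parameters or only walked a list of well-known paths.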
Just so you know, your responsive design is covering the request-invite submit button when your browser goes somewhere below around 900px wide (using the latest Chrome dev build).
This is a topic that we're still hotly debating. Since we haven't yet been able to fully gauge the level of interest and the size of our potential market, it's hard to give a definite answer. But, we're very open to feedback.
A few exist but are priced for corporations looking for PCI compliance. If you can position yourself like a Pingdom or Pagerduty but for security you will do really well.
Thanks. What you have said is exactly the rationale behind what we're building - a move away from expensive and restrictive enterprise solutions toward something that works (both operationally and economically) for smaller businesses.