Open-Source Detector of CISA's Known Exploitable Vulnerabilities (github.com/ostorlab)
115 points by alaeddine001 on Jan 16, 2024 | 49 comments


Is anyone dealing with a large volume of vulnerabilities and getting tired of vulnerability scanners giving mundane results and not explicitly saying what to fix for your environment? We are looking for beta users to try out our MVP; it's all based on open source too, and we are offering the service for free! There are actual experts with over 20 years of experience who will look through the vulnerabilities and prioritize according to your environment at the end of our MVP, to make sure the user doesn't waste more time investigating solutions and can go back to working on their product. Automating is nice, but we feel you do need a human to look through at the end.

Apologies for hijacking your post, OP, but I am curious whether people flocking to such a post would be interested in being beta users for us too.


It’s not the results.

It’s what happens after.

More scanners aren’t what we need because vendors still can’t meaningfully answer the most important questions:

- Is the vulnerability valid based on the environment it was found in? Solve this and you’ll reduce enterprise vulnerabilities by probably 30-40%.

- What are the compensating controls? Identify these automagically and reduce the vuln risk scores based on what controls are found, you will remove another 30% of vuln work for engineering teams

We don’t need any more scanners. We need better asset and vuln management.
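As an added example (mine, not code from the thread or from the Ostorlab project), here is what the first automated pass over the "what happens after" step this comment asks for could look like: scanner findings are matched against the CISA KEV catalog, KEV entries that are overdue or tied to ransomware are escalated, and a per-environment table of compensating controls lowers the tier of everything else. The KEV excerpt, the findings and the controls table are constructed inputs with synthetic CVE IDs; only the KEV field names (cveID, dateAdded, dueDate, knownRansomwareCampaignUse) follow the public feed.

```python
"""Triage scanner findings against the CISA KEV catalog.

Added example for this thread, not code from the Ostorlab project or
from any commenter. KEV_JSON, FINDINGS and CONTROLS are constructed
inputs with synthetic CVE IDs; only the KEV field names follow the
public KEV JSON feed.
"""
import json
from datetime import date

# Constructed excerpt in the shape of the CISA KEV feed (synthetic CVE IDs).
KEV_JSON = """
{
  "title": "constructed KEV excerpt",
  "vulnerabilities": [
    {"cveID": "CVE-2099-0001", "vendorProject": "ExampleCorp", "product": "WebGateway",
     "dateAdded": "2024-01-02", "dueDate": "2024-01-23", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2099-0002", "vendorProject": "ExampleCorp", "product": "ImageLib",
     "dateAdded": "2023-11-10", "dueDate": "2023-12-01", "knownRansomwareCampaignUse": "Unknown"}
  ]
}
"""

# Constructed scanner output: one row per (asset, CVE).
FINDINGS = [
    {"cve": "CVE-2099-0001", "asset": "edge-proxy",   "package": "webgateway", "severity": "HIGH"},
    {"cve": "CVE-2099-0002", "asset": "build-runner", "package": "imagelib",   "severity": "CRITICAL"},
    {"cve": "CVE-2099-0003", "asset": "build-runner", "package": "libfoo",     "severity": "CRITICAL"},
    {"cve": "CVE-2099-0004", "asset": "edge-proxy",   "package": "libbar",     "severity": "MEDIUM"},
]

# Hypothetical per-environment compensating controls, keyed by asset.
# Building and maintaining this table is the hand-curated part the thread is about.
CONTROLS = {
    "build-runner": {"no-inbound-network", "ephemeral-container"},
    "edge-proxy": set(),
}

TIERS = ["P0", "P1", "P2", "P3"]  # P0 = fix now, P3 = backlog


def load_kev(text):
    """Index a KEV-feed JSON document by CVE ID."""
    return {v["cveID"]: v for v in json.loads(text)["vulnerabilities"]}


def triage(findings, kev, controls, today_iso):
    """Attach a priority tier and the reasons behind it to each finding.

    Rules: KEV membership is at least P1; a KEV entry with known
    ransomware use or a past federal due date is P0; non-KEV findings
    are P2/P3 by scanner severity. Compensating controls on the asset
    lower the tier by one step, but a KEV finding never drops below P1,
    because it is being exploited in the wild regardless of our posture.
    """
    today = date.fromisoformat(today_iso)
    result = []
    for f in findings:
        entry = kev.get(f["cve"])
        reasons = []
        if entry is not None:
            tier = 1
            reasons.append(f"in KEV since {entry['dateAdded']}")
            if entry.get("knownRansomwareCampaignUse") == "Known":
                tier = 0
                reasons.append("known ransomware campaign use")
            if date.fromisoformat(entry["dueDate"]) < today:
                tier = 0
                reasons.append(f"past KEV due date {entry['dueDate']}")
        else:
            tier = 2 if f["severity"] in ("CRITICAL", "HIGH") else 3
        applied = controls.get(f["asset"], set())
        if applied:
            tier = min(tier + 1, len(TIERS) - 1)
            if entry is not None:
                tier = min(tier, 1)
            reasons.append("compensating controls: " + ", ".join(sorted(applied)))
        result.append({**f, "tier": TIERS[tier], "in_kev": entry is not None, "reasons": reasons})
    # Highest priority first, stable by CVE ID for reproducible reports.
    result.sort(key=lambda r: (r["tier"], r["cve"]))
    return result


if __name__ == "__main__":
    for row in triage(FINDINGS, load_kev(KEV_JSON), CONTROLS, "2024-01-16"):
        print(row["tier"], row["cve"], row["asset"], "; ".join(row["reasons"]))
```

In a real pipeline KEV_JSON would be the catalog CISA publishes at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json, refreshed on a schedule, and the findings would come straight from the scanner's JSON output. The point of keeping the `reasons` list is the one the comment makes: the expensive part of vulnerability management is writing down why a finding was deprioritized, so the tool should produce that justification rather than only a number.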


That is exactly what we are targeting! We know it's hard, hence we are looking for users for whom we can tune the controls better for their specific environment; we will be able to do this as we have years of experience. This is kind of a side project/service we are going for and not our main business, so we are not looking to sell anything, but we are looking to understand the problem and space better.

Complete support is provided through Slack (or however you wish), so you don't have to wait for any kind of support.

We know there are plenty of scanners out there. Hence we are using an open-source one and working on how we can improve the 'what happens after' part by using human-led expertise to save others their time.

- Is the vulnerability valid based on the environment it was found in? Solve this and you’ll reduce enterprise vulnerabilities by probably 30-40%. --> Having a human expert confirm and filter the list is what we are offering to our closed beta users for now so yes that is what we are targeting to solve!

- What are the compensating controls? Identify these automagically and reduce the vuln risk scores based on what controls are found, you will remove another 30% of vuln work for engineering teams --> We have a list of controls we've identified, but we know each environment is different, hence looking for users we can tune our controls to

We are particularly looking for users who are in small organizations looking to grow rapidly. Ultimately, we are looking to save other devs time by taking over the cumbersome work.


At what point, though, is this just consulting? Since everyone's risk tolerances are different, and they may or may not have good network architectures or software practices, how would this apply generally to other companies or networks?


Exactly. A lot of times the vulnerability exists in something you’re not using, but it still shows up in reports.

Sifting through that and writing up why that vulnerability doesn’t actually apply to your environment and showing evidence of such is an incredibly time consuming process. It’s honestly easier to just patch it, a lot of times.


I would add the additional problem of CVEs being devoid of any useful information, which leads to generic tests being created by vulnerability scanners, as they have the same lack of insight as everyone else that's trying to patch the issue. This creates higher false positives, or wasted effort trying to confirm an exploit yourself. I get not wanting to provide a PoC because "script kiddies" might use them, but if we want vulnerabilities patched regularly you have to provide better assurances that they are valid and that we can show they are patched, aka tests.


I've seen startups claiming to solve these with reachability analysis. I think upgrading libs regardless could be a better solution, particularly for high-risk vulnerabilities.


But is upgrading libs ENOUGH? And does that make you feel confident that you are secure? We are not claiming to solve this using reachability analysis, or claiming to solve anything but saving devs their time at this point!


When I was responsible for resolving vulns in my previous companies' docker images, in many cases upgrading the libraries was enough to resolve the vuln.

My role, and others like me, need to get that critical vuln number down. Meaning yes, upgrading libs was enough.


Mind me asking how big your organization was at that point? And were you the one responsible for patching after if something didn't resolve with upgrading libs?


Shouldn't your analysis/understanding show that upgrading the library is enough? If a CVE or a vulnerability scanner's test isn't telling you the problem that needs to be solved, upgrading a library or anything else won't make a difference, and you wouldn't know the problem either way.

Approaching vulnerability management from a developers view is a very narrow scope.


I've gotten more use out of Microsoft's "Security Score" to identify and advise on mitigation in my environment than most other "automated" options.

Paying a managed service to advise is also an option. I have heard Huntress is pretty good. I am sure there are others out there.


Yeah, we have realized the same. The 'automated' options don't cut it anymore, or don't give answers specific to your environment; that's why we are offering human expertise to have a look through and confirm it, for free at this point in our closed beta. We mostly want to run this service/microproduct for now and see how we can tune the controls specific to one's environment.


also, is it just me or is Huntress' website down?


Up for me as of today... I run a few privacy and security plugins and they are not blocking it either.


Interested


@areyjaytee Best way to reach you? Spruced up a quick landing page (ignore the UI for now) - https://labs.stack.io/vulnerability-scanner

Please sign up and let me know when you do so we can share more?


This is all very cool but also seems involved. Your value proposition is enough that we may be willing to do some work to set it up. However, the question I have is how much and is that enough to sustain your operations? Your solution looks very interesting but we wouldn't want to do all that work only for your company to disappear or get acquired because of cash flow problems.


@hangonhn and @arejaytee, I realized I may have come across as too pushy in asking you both to sign up, as there seemed to be some interest. Totally understand if you are maybe a bit sketched out about signing up. Feel free to let me know any other way I can reach out, or drop your questions here and I can try answering them.


Would you like to chat more? Feel free to sign up and I can reach out via email.

We are not going to be acquired or disappear, as we have been in this business for over 20 years and we plan to stay independent.

We also won't have cash flow problems as, like I mentioned, this is a side project for us at the moment and not our main source of income.

We are just looking to test if this would be useful to anyone out there, hence it's free for the people that join our closed beta.

Happy to chat more if you have more questions.


Edit: my first comment was a bit harsh.

The more toned-down version is I find the whole thing suspect. It costs someone time to do this, so "free" doesn't scale. That someone would want to do Trivy install, tuning and monitoring for "free" in return for remote access seems like a big red flag.


It's an unused account as I created a new one using my company email! Every account has started somewhere? I'm a new hire to market the side projects we are starting on and getting user feedback, understanding the problem more to solve it.

And yes, the current model cannot scale for sure as there's a human piece at the end. We aren't looking to scale at the moment, just exploring if there can be a solution to this space we can come up with.

Again, like I mentioned above, just looking for users we can actually help as this is a common problem many face if they aren't at a big organization.

Also mentioned this isn't our main business, something we are experimenting with, hence we are in closed beta and offering to do it for free for only a few. We have human labour costs too lol

We offer to install it for you for ease, or we can guide you on installing it yourself, and we will obviously be signing NDAs and whatever a user would like to build trust. We are literally in the business of DevOps.. nothing malicious my man, just exploring a different kind of MVP, but I understand the distrust.


Seems like you started a reply before my toned down edit. Apologies for the harshness. I can understand it as a way to explore the problem space more and probably as a funnel to upsell other devops services.

I also get that products, and people, have to get a start somewhere - unfortunately scammers and malicious actors look similar. I figured it was worth raising for others to consider, but did so near the bottom of the comment chain rather than top level so as to not derail discussion.

Edit: fighting autocorrect, detail -> derail


All good! I'm pretty new to the entire tech space, as I'm the new hire brought in, so I understand, and your response also helped me see I should try building more trust in the copy.

Yeah, a possible upsell, or it doesn't have to be if this service is actually useful to anyone out there. We will potentially start charging a small fee on this months from now (dependent on so many other factors, but hey, you'll be getting an actual human expert to speak to in this age of automation either way) - we haven't decided or thought of anything further, as we don't know yet if people feel this is enough of a pain to be open to solutions, as obviously one can do it themselves too, but at what cost of time?

any other feedback you may have on such a service or legitimate places to find users this can help would also be appreciated!


No worries, lol, I responded to your original comment before I saw the edit.

It's 'free' only for the closed beta, as, duh, we are clearly stating there's a human expert at the end who will be reviewing and going through it.

We also know this model is not going to scale because of the human aspect, but we know this is a problem most people face if they are from small organizations, so we are looking to see how we can solve for the steps AFTER the scan. This is just our first step as we try to learn more.

Trivy was the choice of scanner for now, but we don't intend to stick with it, as there can be better scanners out there depending on the environment - it's just what we chose for the start. Open to discussions if a user has a preference for a different scanner.


Looks nice. The only critique I would give is the fact that they use public DNS IPs in the examples to scan hosts. I know they expect the target audience to know better, but you'd be surprised.


Good catch, we should indeed make that explicit.


Can you explain this? DNS resolves to an IP address, then that is scanned. What am I missing?


I think the DNS IPs are just example IPs to be scanned. You're not supplying a DNS to use for domain lookups. Using them in the example is perhaps confusing that there's some sort of DNS argument required.


It can be rude/unwise/dangerous (depending on the target) to run a scanner on somebody else’s public IPs.
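As an added example (mine, not code from the thread or from the Ostorlab project), a scope check of the kind a scanner wrapper can run before it touches any target: every target must be an IP address or CIDR that lies entirely inside an authorized range, and the well-known public resolver addresses that tend to get copied out of README examples are refused outright. The authorized ranges below are constructed from documentation prefixes; hostnames are deliberately rejected, since they should be resolved first and the resulting addresses checked.

```python
"""Refuse scan targets that are outside the authorized scope.

Added example for this thread, not code from the Ostorlab project or
from any commenter. AUTHORIZED is a constructed engagement scope built
from documentation prefixes.
"""
import ipaddress

# Hypothetical engagement scope: ranges we own or are authorized to scan.
AUTHORIZED = ["203.0.113.0/24", "198.51.100.8/29", "2001:db8:10::/48"]

# Public DNS resolvers that commonly appear in copy-pasted examples and
# must never be scanned from a tool like this.
PUBLIC_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9"}


def check_scope(targets, authorized=AUTHORIZED):
    """Split targets into (allowed, rejected) where rejected is [(target, reason)].

    A target is allowed only if it parses as an address or CIDR and is a
    subnet of one authorized range of the same IP version. A CIDR that
    merely overlaps the scope (e.g. a /23 around an authorized /24) is
    rejected, because scanning it would also hit addresses we do not own.
    """
    nets = [ipaddress.ip_network(a, strict=False) for a in authorized]
    allowed, rejected = [], []
    for target in targets:
        try:
            net = ipaddress.ip_network(target, strict=False)
        except ValueError:
            # Hostnames land here: resolve them and re-check the addresses.
            rejected.append((target, "not an IP address or CIDR"))
            continue
        if net.num_addresses == 1 and str(net.network_address) in PUBLIC_RESOLVERS:
            rejected.append((target, "well-known public resolver (copied from an example?)"))
            continue
        if any(net.version == n.version and net.subnet_of(n) for n in nets):
            allowed.append(target)
        else:
            rejected.append((target, "outside authorized scope"))
    return allowed, rejected


if __name__ == "__main__":
    ok, bad = check_scope(["203.0.113.5", "203.0.113.0/23", "198.51.100.9",
                           "198.51.100.16", "2001:db8:10::1", "8.8.8.8", "www.example.com"])
    print("allowed:", ok)
    for target, reason in bad:
        print("rejected:", target, "-", reason)
```

Run the check on the final, resolved target list right before the scan launches, not on the operator's input, so that a DNS change between planning and execution cannot move a target outside the scope unnoticed.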


That repo also has no license information that I can tell, although the pip install is Apache 2 <https://github.com/Ostorlab/ostorlab#readme>


I think the "Scanning a Domain" subheading (and body text, including subcommand name!) should be "Scanning a Host", etc.

www.example.com is not a domain name, and AFAICT there is no attempt to enumerate hosts in a domain and scan them all.


There is, see the section "Targetting all subdomains".

You can do so by adding the domain name generation tool of your choice, or all of them. The ones supported for now are `subfinder` and `amass`.

Agent Subfinder: https://github.com/Ostorlab/agent_subfinder
Agent Amass: https://github.com/Ostorlab/agent_amass


That's interesting. But it's under a separate subhead and takes additional config and different syntax (though the same subcommand name, which is awkward).

I think the confusion still remains. Scanning "domain-name www.example.com" will not scan a domain. (And www.example.com is not a domain name, but maybe I'm being prescriptivist here? Have we colloquially abandoned the distinction between hosts and domains? Even if so, I'd argue that a network tool should not use the colloquial sense, but I can go check for kids on my lawn if that would be more fruitful...)


You are right, worth fixing.


Hello! ProjectDiscovery team member here - great to see the community leveraging Nuclei templates in new and exciting ways!

Be sure to let us know how we can help, and you are welcome to open issues on GitHub or join our Discord if you have questions.


Scan Created? Scan Created where? ...

Usage Instructions seem lacking.


Indeed the README page assumes familiarity with the scanner.

Updated the readme with the basic commands and referenced another tutorial with in-depth info: https://docs.ostorlab.co/tutorials/run-your-first-scan.html


useful for bug bounties?


Most programs won't pay for scanner output and will require work that demonstrates the impact of the finding, etc. Several programs I've seen actually state that automated scans are out of scope and ask the bounty hunter not to use them. With that said, this may be a good recon tool to hunt for bugs, if it's allowed by the target. I am not sure how much better it'd be than Qualys or Nessus, etc., though.

I like the idea for personal use. I was just looking for something similar the other day and for once I'm happy I don't need to build it.


No. The companies offering bug bounties have already done more than the bare minimum. Finding a vulnerability for a bug bounty requires actual work.


This seems to be airing a frustration that has moved beyond accuracy in the process. Companies offering bug bounties may have done the bare minimum at one point in time, but every production push they do changes that, and potentially reintroduces simple scannable vulnerabilities.


That's fair. We get numerous reports from script kiddies reporting "vulnerabilities" that aren't, because they don't understand the tool that they're running, or the output that it produces, or why it isn't relevant. It's possible that they catch a known issue, but the reality is that the majority have no idea what they're doing.


We did test it on Bug Bounty targets (see article) and found 2.5% of programs to suffer from at least one of these issues.



Useful for scanning your network for devices with known vulnerabilities.


Doesn't metasploit, OpenVAS and others already do a lot of this? Why not contribute modules there vs. write a new framework?


It seems to be using nuclei, metasploit etc. under the hood. I hope they recontribute the recipes though.


Yes, everything added is open-sourced:

Metasploit: https://github.com/Ostorlab/agent_metasploit
Nuclei: https://github.com/Ostorlab/agent_nuclei
OpenVAS (not used though, due to many issues): https://github.com/Ostorlab/agent_openvas
Asteroid: https://github.com/Ostorlab/agent_asteroid



