I met those guys yesterday at the cyber security bootcamp in Berlin. I think it's a great product and provides huge value for sysadmins. Setting up your own web servers and deploying cloud products is really simple (and cheap) nowadays, but keeping everything secure is not a walk in the park.
I tried the test on our page... and found some stuff that needed (asap) fixing.
@almroot hey! just a few q's as I'm new to the space :)
1) what encouraged you to build this?
2) what's the ultimate vision for this?
3) what's the business opportunity?
@eriktorenberg Those are some great questions! :)
1) Everything is getting hacked all the time - we know security and how to spot the flaws in systems. So we thought that making a user (developer) friendly product that's accessible and easy to use is an obvious match.
2) Detectify's ultimate vision is a secure internet for everybody.
3) Our competitors (and most of the IT security industry as a whole) focus mainly on Fortune 500s and larger enterprises. However, most of the web is made up of smaller businesses and their websites. Those smaller businesses either lack the competence, or can't afford expensive penetration firms - that's where we step in.
@almroot I have been looking for something like this. Very interested in what you guys are doing! Are you considering a plan in between free and $100/mo? Perhaps an on-demand scan (that someone could run after pushing major updates). Also, how do you handle asynchronous requests to endpoints that are not obvious? I've used Burp scanner before which proxied my network traffic to see where my requests were going.
@rsweetland That's great! The reason why we don't push for on-demand scans is quite simple. Say you have a WordPress installation today, and it's secure. Two months from now, it's not. Someone found a new vulnerability in WP and you might have forgotten to update your system. Then it's game over. We encourage our customers to sign up for recurring scans so we can take care of the threat model towards your application. Although! We do provide an API, so you can integrate with us and push an on-demand scan on whatever event you like (e.g., when you push a major update).
Regarding asynchronous requests: we emulate the DOM and actually "click" on (or really interact with) elements that have JS events attached. This means we will fire whatever requests (AJAX?) are bound to the elements and start pentesting those endpoints as well. If you have a heavily state-dependent application (e.g., a single-page JS app), then it might be a bit of a problem without manual configuration from our end. Although, nothing is impossible. You're able to record predefined paths for us to crawl by using our Google Chrome plugin, which can be found in the dashboard.
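The DOM-emulation approach described in the reply above, as an added example that is not Detectify's code and says nothing about how their crawler is actually built. It models the two points made there: a markup-only crawler sees only `href`s and form actions, while a crawler that fires the JS events bound to elements also discovers the endpoints those handlers call; and a handler that only fires in a particular application state (here, "logged in") is missed unless a recorded path is replayed first. The tiny `Element` class, the sample page, all URLs and the recording `fetch` hook are constructed for the example.

```javascript
// Added example, not Detectify's code: a toy model of how a DOM-emulating crawler
// finds endpoints that only exist behind JavaScript event handlers.
// The "DOM", the page, the URLs and the fetch hook are all constructed here.

class Element {
  constructor(tag, attrs = {}) {
    this.tag = tag; this.attrs = attrs; this.listeners = {}; this.children = [];
  }
  addEventListener(type, fn) { (this.listeners[type] = this.listeners[type] || []).push(fn); }
  dispatchEvent(type) { for (const fn of this.listeners[type] || []) fn({ type, target: this }); }
  append(...kids) { this.children.push(...kids); return this; }
  *walk() { yield this; for (const c of this.children) yield* c.walk(); }
}

// Network hook: instead of sending, record every request a handler fires.
function makeRecordingFetch(log) {
  return (url, opts = {}) => {
    log.push({ method: (opts.method || 'GET').toUpperCase(), url });
    return Promise.resolve({ ok: true });
  };
}

// Constructed sample page (hypothetical URLs). Only /about and /login are
// visible in the markup; everything else is reachable only by running JS.
function buildSamplePage(fetch) {
  const state = { loggedIn: false };
  const root = new Element('body');
  const link = new Element('a', { href: '/about' });
  const saveBtn = new Element('button', { id: 'save' });
  saveBtn.addEventListener('click', () => {
    if (state.loggedIn) fetch('/api/profile', { method: 'PUT' }); // state-dependent endpoint
  });
  const loginForm = new Element('form', { id: 'login', action: '/login', method: 'POST' });
  loginForm.addEventListener('submit', () => {
    state.loggedIn = true;
    fetch('/api/session', { method: 'POST' });
  });
  const delBtn = new Element('button', { id: 'delete' });
  delBtn.addEventListener('click', () => fetch('/api/users/42', { method: 'DELETE' }));
  const search = new Element('input', { id: 'q', value: 'test' });
  search.addEventListener('keyup', e =>
    fetch('/api/search?q=' + encodeURIComponent(e.target.attrs.value)));
  return root.append(link, saveBtn, loginForm, delBtn, search);
}

// What a markup-only crawler sees: hrefs and form actions.
function staticEndpoints(root) {
  const out = [];
  for (const el of root.walk()) {
    if (el.tag === 'a' && el.attrs.href) out.push('GET ' + el.attrs.href);
    if (el.tag === 'form' && el.attrs.action)
      out.push((el.attrs.method || 'GET').toUpperCase() + ' ' + el.attrs.action);
  }
  return out;
}

// What a DOM-emulating crawler sees: first replay an optional recorded path
// (element id + event) to reach the right state, then fire every bound event.
function dynamicEndpoints(root, log, recordedPath = []) {
  const byId = new Map();
  for (const el of root.walk()) if (el.attrs.id) byId.set(el.attrs.id, el);
  for (const step of recordedPath) byId.get(step.id).dispatchEvent(step.event);
  for (const el of root.walk())
    for (const type of Object.keys(el.listeners)) el.dispatchEvent(type);
  return [...new Set(log.map(r => r.method + ' ' + r.url))];
}

// Builds a fresh page each time so handler state does not leak between runs.
function crawl(recordedPath = []) {
  const log = [];
  const page = buildSamplePage(makeRecordingFetch(log));
  return { fromMarkup: staticEndpoints(page), fromEvents: dynamicEndpoints(page, log, recordedPath) };
}

console.log(crawl());                                    // blind pass: PUT /api/profile is missed
console.log(crawl([{ id: 'login', event: 'submit' }]));  // after replaying the login path it appears
```

The blind pass fires every handler once in document order, so `saveBtn` runs while `state.loggedIn` is still false and `/api/profile` never shows up; replaying the recorded login step first is the toy equivalent of the predefined path the reply mentions. A real crawler has to deal with handlers registered through frameworks, delegated listeners on ancestor nodes, and timers, none of which this model covers.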
@almroot Makes perfect sense about the ongoing testing model. And awesome that you emulate the DOM – that makes things much easier!
Last question – can I sign up for the free plan to try it out? I'll upgrade if it looks like it's going to work for us.
@rsweetland We do offer a 14-day money back guarantee for the professional plan in case you're not satisfied. Although, of course, you could just sign up for the non-commercial plan to try it out first.
Go for it! :)