What are you using on the backend to actually scan it? Is it just ZAP / Burp Scanner? Or are you scanning the code itself, and just using a Semgrep / Snyk approach?
The landing page being free-tier Framer is a little sketch, the main contact should also probably be a form or an email address instead of a non-US phone number.
Is AI used throughout the entire process or just mainly focused on providing remedation recommendations based on the output of other tooling (scanners, JS analysis, secret scanning, etc.)?
Interesting project! Looking forward to see how it works and evolves.
A lot of people don't self-host it, even though it is open core. This is due to their docs being garbage and tons of differences between the offerings, so you can't even rely on the main docs if you're self-hosting.
It's easier to just become familiar with a DB UI tool like Beekeeper or DataGrip and spin up your own things. I'm also not a huge fan of being "locked-in" to so many things (including their auth). I think most projects would be better off keeping these parts separated, even if they are using third-party services to handle them, as it would be way less overhead to migrate out.
Yep! I was sad to see Skiff shutting down, as I loved their UI and there isn't a lot of tough competition that can match ProtonMail.
I had already left Notion as the app kept getting slower / bogged down and they added tons of useless clutter, and refused to support any form of E2E/local encryption.
I'd say it doesn't exactly meet the minimum standard for a CVE, as it's more of a technique vs. an actual vulnerability in an application/library. If there was a repo that had a vulnerable component that was currently infected through the manner described, that specific instance would probably qualify as a CVE.
Since this is a technique / overarching issue, it leans more towards being a CWE. Maybe something like:
- CWE-506: Embedded Malicious Code or
- CWE-829: Inclusion of Functionality from Untrusted Control Sphere or
- CWE-1395: Dependency on Vulnerable Third-Party Component
That's how medicine works. It sucks to have conditions that are hard to treat.
To be clear, a lot of people have very valid complaints about the US healthcare system. I'm not saying everything's perfect or even that every improvement would involve a tradeoff. But every medical system on the planet, including whichever ones you have in mind as better than the US, has controls on how expensive drugs can be used when cheaper ones might work.
They host their own repos, and builds are done on their system, but the layout is pretty simple. Numbered, named files in asciidoc, markdown, etc. your choice.
It really is a big difference from each person on how they "break into" it. You've got great foundational qualifications, and probably just need to layer on extra "security" ones, if you don't already have them. If you're looking to start a company / start freelancing -- I've got no clue about that though.
If you're just dipping your toes further into the web app security side, OWASP has great labs, resources, etc. They have the WSTG (more for pentesters) and ASVS (more for devs), and of course their cheat sheets as well.
PortSwigger has great resources to read through on vulnerabilities and labs that will cover a ton of different vulnerabilities. HackTheBox also offers certification pathways: CBBH and CWEE, CBBH is more beginner/intermediate and involves a blackbox approach, where CWEE is more whitebox (from what it looks like).
Just because systems have gaps, doesn't mean the orgs actually want help with those gaps, esp. unsolicited. You could always take a look at bug bounty as well (through HackerOne or BugCrowd), but it can be pretty brutal for a beginner as it can involve a ton of recon or "going deep" to reach untouched areas of an app.
Externally / Blackbox options would be Nessus, Nuclei, OWASP ZAP (as you mentioned), and Burp Suite. The two latter only work well when used in combination with manual methods though, as they won't pick up business logic, auth bypass, MFLAC/IDOR, etc. on their own.
A lot of scanning templates / rulesets won't be 100% accurate or up-to-date, and will easily miss a lot of big things, so having it pentested by an actual person is always important.
From the source code side of things, Semgrep / CodeQL, Veracode / Snyk, Burp Enterprise (CI/CD), etc. are good options. But again, most places shouldn't get just scans, there should be a manual component involving a security professional who knows what they're doing.
XBOW is making some pretty cool strides in the meantime from a blackbox perspective though.
A lot of aggregators will also not allow your blog to be posted if it's on a newsletter site like Substack, Patreon, etc.
I use GitHub Pages for hosting, Porkbun for the domain, and Astro for the blog itself. EZPZ to manage and very straightforward, plus Astro's docs are great.
You'd be surprised how much the government would potentially hurt itself in its own confusion. Not all parts of it are aligned to the same beliefs / mission, and there are certainly parts that believe in the saying "Why are you worried if you have nothing to hide".
There was a rather interesting criticism of the recent wide-ranging cuts to USAID that basically said it wasn't unlikely that some of that USAID money was being used in clandestine intelligence operations (supporting the tribe of this warlord or that, paying someone off, rewarding allegiances, whatever) that DOGE and perhaps even most at USAID would never, ever be cleared to know about. With the inability to prevent those aid packages from being cut without also blowing their operations, the intelligence community would just have to sit and watch it happen.
I of course have no way of knowing if that's true or not, or if it is what damage may have been done, but it's interesting to consider.
I don't claim to be an expert, nor to be able to speak credibly on the interactions of the millions of people in government.
I just remember hearing an anecdote from a friend with ties to Signal that some part of the government wanted to recommend it and another part slapped their hand because they didn't want to encourage people to use technology that law enforcement can't breach.
Even though I just use it for casual conversations with friends, that gave me some extra confidence in using it.
The landing page being free-tier Framer is a little sketch, the main contact should also probably be a form or an email address instead of a non-US phone number.
Is AI used throughout the entire process or just mainly focused on providing remedation recommendations based on the output of other tooling (scanners, JS analysis, secret scanning, etc.)?
Interesting project! Looking forward to see how it works and evolves.
reply