Can you help me? A request of my readers
I don’t usually ask for much. In fact, I don’t recall the last time I actually asked for anything of my readers. But I do have a favor to ask, and it’s one that could really help me out a lot.
As you’re probably aware, I’ve been working on this product called AuditShark for quite some time now. Niggles of terminology aside, I originally built it as more of a platform than an actual product. The public face of what has been called AuditShark was put out there as an initial attempt at a product with far less thought and research than I probably should have done. Currently, development of tools and support code is ongoing, but I really need to develop a solid product direction in the very near future.
With that in mind, I’m exploring a pivot with AuditShark to a new market and I’m hoping you can help me with that.
Do you run your own web server? Are you concerned about the security of the web servers that you do run? If so, I’m asking for people to take a brief survey for me. My hope is that I can validate the market and identify people who are willing to be early adopters for the product.
I really appreciate your help. I’ll keep you posted on how it goes. And before I forget, I’ll be doing a MicroConf 2012 roundup in the next couple of days.
After taking the survey, I was thinking about how important simple configuration has to be for me – that's where the magic has to happen on the product side. I would like it to be as simple as uploading it to my server, unzipping it, opening a configuration page, and that's about it. If it can be even easier than that, even better. Otherwise it won't even be an option for me in the short term considering our immediate bandwidth.
Thanks Matthew. I appreciate the feedback. The way it would work is that you install it and supply an API key. Out of the box, it would check for everything and alert you to problems. If you want to ignore some of those things, then you mark them as an Exception and you won’t be notified about those particular “problems” in the future.
If you really wanted to do anything that’s not in the default library, you could build your own Control Points and check for whatever you wanted to check for. You would have to either learn how to build them, or contract with me to have them created. I’m still working out the setup options, but I intend for it to be simple and straightforward out of the box. But the options to meet complex requirements would be there.
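The reply above describes the intended model: a default library of checks (Control Points), findings raised out of the box, per-finding Exceptions that silence a known-acceptable result, and the option to add your own Control Points. The following is an added illustration of that model, not AuditShark code; the control point ids, the sample server state and the exception fields are all constructed for the example. One design choice worth noticing: an exception is pinned to the exact value it was granted for and carries an expiry date, so a later change to that setting raises a fresh finding instead of hiding under the old exception.

```python
"""Toy configuration audit: control points, scoped exceptions, custom checks.

Added example, not AuditShark's own code. All ids, settings and values
below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, List, Optional, Tuple

# Constructed snapshot of a web server's settings, standing in for what an
# installed agent would read from config files or the running services.
SAMPLE_STATE: Dict[str, str] = {
    "ssh.permit_root_login": "no",
    "ssh.password_authentication": "yes",
    "tls.min_version": "TLSv1.0",
    "web.server_tokens": "off",
    "web.directory_listing": "on",
}

# A check returns None when the setting is acceptable, otherwise the
# observed (bad) value, so the finding records exactly what was seen.
CheckFn = Callable[[Dict[str, str]], Optional[str]]


@dataclass(frozen=True)
class ControlPoint:
    id: str
    description: str
    check: CheckFn


def expect_value(key: str, wanted: str) -> CheckFn:
    """Build a check that passes only when state[key] equals `wanted`."""
    def check(state: Dict[str, str]) -> Optional[str]:
        got = state.get(key, "<missing>")
        return None if got == wanted else got
    return check


def tls_at_least_1_2(state: Dict[str, str]) -> Optional[str]:
    """Example of a check that is not a plain equality test."""
    order = ["TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
    got = state.get("tls.min_version", "<missing>")
    ok = got in order and order.index(got) >= order.index("TLSv1.2")
    return None if ok else got


# The "default library": what runs out of the box with no tuning.
DEFAULT_LIBRARY: List[ControlPoint] = [
    ControlPoint("CP-001", "SSH root login disabled", expect_value("ssh.permit_root_login", "no")),
    ControlPoint("CP-002", "SSH password auth disabled", expect_value("ssh.password_authentication", "no")),
    ControlPoint("CP-003", "TLS minimum version 1.2 or newer", tls_at_least_1_2),
    ControlPoint("CP-004", "Server tokens hidden", expect_value("web.server_tokens", "off")),
    ControlPoint("CP-005", "Directory listing disabled", expect_value("web.directory_listing", "off")),
]


@dataclass(frozen=True)
class AuditException:
    control_id: str
    accepted_value: str  # applies only while the finding shows exactly this value
    expires: date        # exceptions are reviewed, not permanent
    reason: str


# Constructed exceptions: one still valid, one long expired.
SAMPLE_EXCEPTIONS: List[AuditException] = [
    AuditException("CP-002", "yes", date(2099, 1, 1), "password auth kept for a documented reason"),
    AuditException("CP-005", "on", date(2000, 1, 1), "expired: should be reviewed"),
]
AUDIT_DATE = date(2012, 5, 1)  # constructed "today" so the run is reproducible

Finding = Tuple[str, str, str]        # (control id, description, observed value)
Suppressed = Tuple[str, str, str]     # (control id, observed value, exception reason)


def run_audit(state, library, exceptions, today) -> Tuple[List[Finding], List[Suppressed]]:
    """Evaluate every control point; suppress a finding only if an unexpired
    exception pins the exact observed value. Any other value re-alerts."""
    by_id = {e.control_id: e for e in exceptions}
    findings: List[Finding] = []
    suppressed: List[Suppressed] = []
    for cp in library:
        observed = cp.check(state)
        if observed is None:
            continue
        exc = by_id.get(cp.id)
        if exc is not None and exc.expires >= today and exc.accepted_value == observed:
            suppressed.append((cp.id, observed, exc.reason))
        else:
            findings.append((cp.id, cp.description, observed))
    return findings, suppressed


def demo():
    """Run the default library plus one user-defined control point."""
    custom = ControlPoint("USER-001", "Root login setting present at all",
                          lambda s: None if "ssh.permit_root_login" in s else "<missing>")
    return run_audit(SAMPLE_STATE, DEFAULT_LIBRARY + [custom], SAMPLE_EXCEPTIONS, AUDIT_DATE)


if __name__ == "__main__":
    found, quiet = demo()
    for f in found:
        print("ALERT", *f)
    for q in quiet:
        print("suppressed", *q)
```

Running it reports CP-003 (TLSv1.0) and CP-005 (the directory-listing exception has expired) as alerts and lists CP-002 as suppressed; flipping `ssh.password_authentication` to any value other than the one the exception was granted for turns CP-002 back into an alert, which is the behaviour that keeps an exception from silently covering a later change.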
I’m in the segment that would consider your product, but I don’t think it’s something I’d buy.
– By using Puppet or Chef, I already get the auditing plus I have a script that can regenerate me a new server that looks like the one I already have.
– If I were extra concerned about security, managed hosting is really not that expensive these days. Wpengine and whatever copyblogger is doing focus on the wordpress crowd and specifically on security. There are other services that help with apps, such as EngineYard if I’m doing Rails development, or the managed offerings from the hosting providers.
– The last thing I want to hear about is how I can tweak thousands of control points. I’ve done work with several security event monitoring products over the years and that’s always the problem – spending hours tuning the thing to get rid of all the exceptions. And then I’m left wondering if something snuck in under an exception.
– This only helps me sleep at night, not my customers. By buying an SSL certificate I get a free weekly scan that tells me about potential vulnerabilities, plus I get to show a badge saying I’m hackersafe/protected/whatever. I think the scan is fairly bogus, but at least the money I paid is getting me credibility with my customers.
– I know it shouldn’t matter, but there’s a reason that Symantec/McAfee/Norton/etc don’t have cartoon icons and logos. It doesn’t build trust.
I’d suggest looking at some of the frameworks that bigger companies use like ITIL and FCAPS, and see how you can build something that fits some of those processes. That’s if you want to stay on the enterprisey route. If you do want to go after individual web servers, I’d think about focusing your message on the apps they use — “We can verify WordPress security remotely at a much lower cost than a managed provider”.
My two cents from a country that just eliminated the penny 🙂
Awesome feedback Sean, thanks! From what I could tell, Puppet and Chef certainly have some overlap, but what I couldn’t tell was whether they provide any kind of guidance. They also appear as if they’re more for enterprise management of IT infrastructure, rather than focusing on configuration.
I completely understand what you mean by having too many control points. You wouldn’t want to. That’s an obvious problem and one that I’m still working on. There’s a difference between being able to, and actually needing to do it.
I’ve looked at ITIL before and it’s pretty much a nightmare. I really don’t want to go into that enterprise market any longer. There was a time when I did, but I’ve changed my mind about that. I considered going after WordPress security a while back, but application security is an entirely different ball of wax. Roughly 30% of the people I spoke with in the past were concerned about WordPress security. It was a good percentage, but the space of the problem seems small and large at the same time. I haven’t dug into it, but my guess is that just by updating frequently, you would avoid the majority of the WordPress security problems. I could be wrong on that assumption though.