E-meet with HackGate
I had a very interesting conversation with Balázs Pózer and Levente Molnár, the founders of Hackrate. It was just a get-to-know-each-other meeting where we shared our enthusiasm and plans for cybersecurity.
Hackrate
Hackrate offers what I might call a penetration-testing-as-a-service solution, something similar to HackerOne. It is a Hungarian startup in this field.
The basic idea behind their service is to make ethical hacking more transparent. And it is a wonderful idea. If you have ever worked with a penetration tester, you may know what I mean.
With a pentest you face issues like:
- What is the scope?
- Are they even doing anything?
- When will they test our application?
- What is the coverage of the test?
- We got a report… now what?
- Our SIEM is screaming. Oh, it was just a pentest.
HackGate
I had the privilege to hear and learn about their new product called HackGate. Probably, it will be an open-source agent. (Well, at least I hope it will be :)) It serves as an authentication agent for the infrastructure under test. An ethical hacker can sign up on Hackrate, and HackGate provides access to the target.
With the service, we can limit and control the scope of the test. The testers have an authenticated way to access the target. And every action can be monitored and measured by a WAF and ELK.
When we talked, I didn’t know when they would announce it, but today I saw a post about it on LinkedIn. I’ll keep it here as a future reference :).
Thoughts
Interesting idea. Maybe we can have a look later at how they implement their solution.
Open-source
When I talk about open source, I often face criticism. In my terms, open source is where the community can collaborate to make a product more reliable, more feature-rich, more accessible, and so on. I had to do some research to rediscover this announcement from Elastic when they opened the code of X-Pack. But if you watch it, you may get the idea.
Thank you, Shay Banon, for summarizing some of the business concepts of how an open-source project can be successful and also profitable.
My advice to companies trying to create client-side software is to go with open source. In my terms, client-side is every type of code that will somehow get out of your control, as your clients install it on a server or use it as a library. Basically, they will have a copy of your code. It doesn’t matter if it is compiled code or (this is a silly idea but still in use) obfuscated interpreted scripts. I can use reverse engineering methods to unpack or decode the code, and I’ll have almost the same source code available anyway.
So why not make it open-source in the first place? If our product is viable, then we can harness the power of the open-source community to make it even better. And with our openness, we can give value back to those who have trust in us.
Tools and recommendations
These are just some tips and tricks that can help you on your journey with the product :) I’ve already talked about them on our call.
- Dev environment: https://tilt.dev, https://rancherdesktop.io
- Prod-like environments: https://www.rancher.com
- WAF: ModSecurity, Coraza WAF, Core Rule Set
- SIEM: https://www.elastic.co/security/siem
PS
I was very happy to e-meet you guys. And I hope you will succeed. :) Security is for everyone. Let’s make the internet a safer place together.