Democratizing Security (tinfoilsecurity.com)
49 points by cloudwalking on Sept 26, 2012 | 31 comments



There's definitely a gap to fill in the web application security market, especially for startups who want to budget ~1k-5k to security and are simply outbid by established companies (simple, short web projects by good appsec teams start at around $10k).

That said: I'm not in love with the messaging here. The push/pull isn't between ineffective, inexpensive tools and ineffective, expensive consultants. Appsec teams are very effective. They just cost too much for startups.

My recommendation: stop positioning against security products and services. Nobody in the startup market really uses them and they don't care about their track records. Meanwhile, people in enterprise and large software markets are automatically wary of automated tools (like Appscan and WebInspect on the low end, or Veracode and Fortify on the high end).

You have a compelling story just by pitching the value of automated on-demand security testing at that price point. The direct comparison to competing tools just begs questions you don't want to answer.

(I've recommended Tinfoil to lots of people and continue to do so. Definitely glad they're finally launching!)


"The direct comparison to competing tools just begs questions you don't want to answer."

I agree. Additionally, I'm not sure who would actually subscribe to the paid version of this. Startups generally don't have a plethora of websites for testing. Someone with 250 urls to scan per month is likely going to be asking: what about my other (non-website) assets? Furthermore, if I were the IT person on site for a 250+ website installation I would be asking: what do I get out of this I don't get out of running another free tool such as Nessus (the answer, I'm afraid, is going to be "less")? Sure, having to go through the Nessus install process is kind of a pain (although this realistically represents < 5 minutes of my time); but as soon as I saw that I had to add some kind of website verification I stopped there as well.


To clarify: it's not 250 unique sites, it's 250 pages per unique site. That is, news.ycombinator.com could have thousands of URLs. With the basic plan, we'd scan the first 250.

We offer a lot more than Nessus, in terms of doing a deep-dive on web application security. With that said, Nessus does a better job at network security, for example; this is something we're working on.


oh, ok, that makes it a lot more clear. thanks!

If I were you I would consider a model where you do a full scan, display only the top X vulnerabilities found, and simply charge more to show the rest of the results.

Another thing I'm curious about: does this work on a pure client-side web application (e.g. my app is just one html page + javascript that loads all the html from templates)? Are you including static urls or somehow tracking "clicks" into a web app? Actually, most of the things I would be concerned about in my web applications are things like not validating that I'm doing correct validation in POST requests. I'd be interested in seeing if you guys are doing that kind of "fuzzing" in that respect (though not sure if there is an automated way to do that safely). Additionally, I'd be curious to see what you detect that Nessus/BurpSuite etc. don't in terms of web application security.

Anyway, neat idea, perhaps I'll check it out a bit more thoroughly and do a comparison.


We've done some tests, and many of our customers would much rather have a basic scan and see the full results of the scan, than only be shown a piece of the scan. It gives off the impression that we're holding their vulnerabilities hostage, and that's definitely not what we hope to do!

The best test to see how we differ from Nessus/Burp is to try it yourself! A lot of the vulnerability classes we scan for are very similar, but the ways in which we scan for them are different. We do offer our Standard Plan for a free 30 day trial. Would love to hear what you think :)

If you have any issues, ping us at http://tinfoilsecurity.com/supportchat


You're hoping to compete with Nessus? Why?


Not directly, but we are hoping to make our service more holistic in general.


Yea, agree with the above comments. This can all be done with Nessus (for free). What do you mean by `deep dive`? Are you reselling Burp? What do you plan to offer on the network security side? Keep in mind you should be targeting people who know nothing about security (you may want to play with the wording on your site), because experts already have a tool bag of tricks that can exceed these offerings for free.


We've written a lot of custom tools to do some heavier auditing of a website than off-the-shelf Nessus. With that said, we are definitely targeting those companies and teams that don't have the time or experience to be focused on setting up and running Nessus consistently.

Our SQLi and XSS modules in particular are quite a bit heavier than Nessus', but there are other features like page de-duplication that optimize speed as well.


Nobody should ever be using Nessus as their first-line tool to test web applications. Nessus isn't a web application tool.

A much more realistic option is Burp Suite, which is $299.


True; wasn't saying Nessus is a good tool for web applications. Quite the opposite.

Burp Suite is great for anyone who knows what they're doing; for anyone that isn't already a security guy/gal the UI is near impossible to figure out, and the results aren't particularly actionable. That's much of what we try to fix.

Not trying to be argumentative, just clarifying! :)


Just scanned one of my websites. Pretty quick results, once I got through the signup, email confirmation (why!), and site ownership confirmation.

My favorite part? They point out security problems AND give actionable advice on how to fix them. That's useful.


Can you give examples of the sort of problems it found?


  - Private IP address disclosure (1)
  - Allowed HTTP methods (1)
  - Non HTTP-Only Cookies (2)
  - Insecure Cookies (4)

Note: This is a 2-page website. Looks like the cookie problems are a result of the default Heroku 404 page.


It's good to have a fast check for these things, but you realize how simple that stuff is to spot, right? Insecure cookies and HTTPOnly (which: HTTPOnly is a bit of a band-aid; it's not a vulnerability not to have it) are trivial regexes on set-cookie headers; methods is something you can do with curl and a shell script.

If you're spotting these kinds of things only after using a 3rd-party tool, consider whether this is the kind of stuff you want to build into your integration testing.
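The two checks this comment calls trivial, written out as an added example (not code from the thread, from Tinfoil, or from the commenter): a couple of POSIX shell functions that read response headers from stdin, flag Set-Cookie lines missing the Secure or HttpOnly attribute, and list the methods a server advertises in its Allow header. The sample headers are constructed for the demo; on a live site you would feed in `curl -sI URL` for the cookies and `curl -s -X OPTIONS -D - -o /dev/null URL` for Allow. Function names and the finding labels are my own.

```shell
#!/bin/sh
# Added example (not Tinfoil's or the commenter's code): the "trivial" checks
# from the comment above as shell functions. Everything runs on response headers
# read from stdin, so it works offline on the constructed sample below and on
# live output from:
#   curl -sI https://example.com/                             | check_cookies
#   curl -s -X OPTIONS -D - -o /dev/null https://example.com/ | check_methods

# Constructed Set-Cookie/Allow headers standing in for a real server response.
sample_headers() {
    printf '%s\r\n' \
        'HTTP/1.1 200 OK' \
        'Allow: GET, HEAD, POST, OPTIONS, TRACE, PUT' \
        'Set-Cookie: session=abc123; Path=/; Secure; HttpOnly' \
        'Set-Cookie: prefs=dark; Path=/' \
        'Set-Cookie: _tracking=xyz; Path=/; HttpOnly' \
        ''
}

# One finding line per cookie that lacks Secure or HttpOnly.
# The flag must appear as its own attribute (after a ';'), so a cookie whose
# *value* happens to contain the word "secure" is not counted as protected.
check_cookies() {
    tr -d '\r' | grep -i '^set-cookie:' | while IFS= read -r line; do
        # Cookie name: text after the header colon, up to the first '=' or ';'.
        name=$(printf '%s' "$line" | sed -E 's/^[^:]*:[[:space:]]*([^=;]+).*/\1/')
        printf '%s' "$line" | grep -Eqi ';[[:space:]]*secure([[:space:]]*;|$)' \
            || echo "INSECURE_COOKIE $name"
        printf '%s' "$line" | grep -Eqi ';[[:space:]]*httponly([[:space:]]*;|$)' \
            || echo "NON_HTTPONLY_COOKIE $name"
    done
}

# Methods advertised in the Allow header that a public web app rarely needs.
# Allow is only what the server *claims*; confirm with a real request before
# reporting it, e.g.  curl -s -o /dev/null -w '%{http_code}' -X TRACE URL
check_methods() {
    tr -d '\r' | grep -i '^allow:' | sed 's/^[^:]*:[[:space:]]*//' \
        | tr ',' '\n' | tr -d '[:blank:]' | tr '[:lower:]' '[:upper:]' \
        | grep -E '^(TRACE|PUT|DELETE|CONNECT|PATCH)$' \
        | sed 's/^/RISKY_METHOD /'
}

# Demo: run both checks over the constructed headers.
sample_headers | check_cookies
sample_headers | check_methods
```

On the sample this reports `prefs` as both insecure and non-HttpOnly, `_tracking` as insecure only, and TRACE and PUT as advertised methods; `session` passes. Both functions are a few lines of grep and sed precisely so they can sit in a CI job next to the integration tests, which is the point the comment is making.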


In that vein, we search for a lot more than just these.

We're actually working on some tools to help integrate Tinfoil into your integration testing scheme - more to come on that in the future. :)


Sorry! I know you do (for the benefit of the thread: I've been talking to 'borski for awhile about Tinfoil). I'm not commenting about Tinfoil so much as developers who are surprised to not be using secure cookies. :)


Great service! I got stuck at the point where you need to upload an HTML file or do one of the other two options but I understand why it's necessary. I'll get it done when I have some time so I can see the full report.


Requiring adding the page or modifying DNS or the home page (adding custom meta tag) is awesome. That way, I can't set them to scan a site I don't control. Security scans can be very invasive and I don't imagine admins want this done unknown to them on their live sites.


Nit picking: I know the copy isn't written for security geeks, but boasting of "MIT engineers" (mechanical engineers?) and "heavy security experience" doesn't ring of a strong correlation to me.

Could you expand on the bios in your "About Tinfoil" page? I don't know if an executive looking at that page would be convinced you're all security experts (and I know this isn't "cool" but slightly more professional profile pictures might help)

Other than those points and the name ('tinfoil' doesn't inspire tons of confidence in me, but whatever, it's a name) I like the idea and presentation. Good luck!


(more notes... i signed up for the free account, added my website, it brought me to a page that did nothing. i tried to sign in and it said i needed to confirm my account. okay, a notice would have been nice... i confirm the account and log in, and my website i added initially is not there? ok, i add it... now it's asking for my software stack? that seems slightly unnecessary, but okay, i try to remember what i'm using. now i'm done setting up and verifying and finally scanning.... the picture slideshow is cute, but unnecessary. the manual scan i started is still sitting there... not sure what's going on but it doesn't look like it's doing anything... my e-mail now says a report is ready, though the page never changed. i go check it out. looks nice, fairly easy to browse around. i click on 'All Stats' and a column in the lower middle of the page has vertical text. i don't know about you, but my head doesn't like to tilt 90 degrees to read text... i look at the 'Modules Run' section and i don't see SSL modules, though i added an https:// url. considering the recently popularized SSL exploits i would probably add a module for this. for security geeks like me, having a Knowledge Base of documentation of what your scans look for would be nice for reference)


Hey Peter - please feel free to email support@tinfoilsecurity.com or join us in our support chat at http://tinfoilsecurity.com/chat

We'd definitely like to take a look into your issues and see what went wrong.


I chatted with the Tinfoil team and they located the issue and pushed a fix. Nice hustle y'all!


Thanks for reporting the issues. We're pushing out fixes now. :)


It actually reads worse for security geeks, but optimizing your copy for security geeks is usually a very bad plan.


I think having the home page marketed towards non-experts is a good plan because most small to medium businesses probably don't have security experts. In addition, having a not too hidden "Nitty Gritty Details" page for the security experts would be a great compromise.


Great points. We'll definitely put up new photos and bios soon. Thanks for the feedback!


git.kernel.org -> 4 security problems -> "borderline unsafe"

Hmm.


Feel free to verify you own git.kernel.org, and you can find out what those vulnerabilities were. :)


congrats to Michael and Ainsley! I've known them for a while and they're really smart. should do great!


congrats guys!

