
"the build container now has a privileged sidecar that does all of the signing, uploading and everything else instead of the main container with user code having that logic."

Does this info about the fix seem alarming to anyone else? It's not a full description, so maybe some important details are left out? My understanding is that containers are generally not considered a secure enough boundary. Companies such as AWS use micro VMs (Firecracker) for secure multi-tenant container workloads.


HostedScan Security | https://hostedscan.com | Senior Software Engineer | Remote | Full-time | $90,000 - $120,000 + 0.5 - 2.0% Equity

HostedScan is a SaaS business which runs external vulnerability scans to help companies protect their networks, servers, and websites.

We are two technical founders who built the initial product. We now have hundreds of customers and we're looking for our first employee - a skilled software engineer, who is technically minded, but who can also contribute to the direction of the company. As the first employee, there will be many opportunities to think creatively and help set the product roadmap.

Our stack is written in Typescript / Javascript - React on the frontend, NodeJS + MongoDB on the backend. We manage a fleet of vulnerability scanners with Docker and infrastructure automation tools.

Learn more at https://hostedscan.com.

Email me (CEO) at cooper@hostedscan.com if you're interested!


Thanks for trying it out and for the feedback!

1. We're using IPv4 at this point. We haven't looked much into IPv6 yet. That's a good thought that configurations could be different.

2. The free scan runs all of the same scans as the paid plans (you can just run more volume on the paid plans). The one scan mentioned on that page that is not set up yet is the SSLyze scanner.

3. At the moment, additional pages of the same site would not be separate risks, the different instances are listed together under the same risk. We're looking at adding more flexibility in accepting risks, such as rules applied to all targets or groups of targets, maybe we can provide an option to break out instances separately when doing this. If you scan multiple sites/addresses we do create a separate risk for each.


Thank you - honest and exact answers -> gives me a good general feeling about your service.

Cheers


Hi, thanks for checking us out.

We provide a turn-key service to run the industry-leading open source vulnerability scanners on your websites and servers. You get an alert when any new risks are detected.

We have a nice Free Forever plan.

Most of our development (aka “plumbing”) was in data modeling, ux design, and making sure these scanners stopped crashing!

Yes, we believe in open source contributions, and not just leeching. We are from Seattle and welcome any comments!!!

