Tinfoil, a security company that launched its public beta on Wednesday, hopes to weed out web application vulnerabilities -- and the security consultants that fix them -- by helping smaller companies do it themselves.
“The issue with security right now is that it’s too difficult or too expensive,” Ainsley Braun, co-founder and CEO of Tinfoil tells CSO.com.au.
Web application vulnerability scanners are nothing new but, Braun argues, cost and a lack of in-house security skills often mean that businesses leave the flaws those scanners find unresolved. With the right information, she argues, internal IT staff should be fully capable of fixing them.
“If you understand your site and you built your site, you should be able to go in and fix your vulnerabilities without a security background.”
The former US Army UX/UI designer and Booz Allen Hamilton consultant wants Tinfoil to “democratise” web application security by providing “actionable results” that give customers the tools to fix those flaws themselves.
“We’ve been in the consulting business before and we’ve seen companies turn away clients because they can’t afford it, and really the biggest issue is that there are too many companies out there with vulnerabilities that should have access to security tools,” says Braun.
“We’re really targeting the small and medium enterprise businesses who aren’t quite at the point of having their own security team, but it’s also difficult for them to afford a security consultant to come in and fix their vulnerabilities for them.”
The company offers its scanning and vulnerability reporting service in three tiers: US$59 for monthly scans across 250 URLs, US$199 for weekly scans across 1,000 URLs, and US$799 for 2,500 URLs.
While other companies do provide reports, Braun questions their usefulness to the thrifty operation. Highlighting the two extremes Tinfoil hopes to slip between, she points to well-regarded web application security company WhiteHat Security and security giant McAfee.
“White Hat is one we look at often. They do have a website scanning tool, but they tend to lean towards the consulting side... When you’re looking at McAfee Secure it does do daily scans, but they are very limited scans and the results that you get back aren’t very actionable. Sometimes they will send you a link to a wiki article when it’s not necessarily relevant.”
“We offer, tailored to your stack, ‘how to’ fixes, so that you can go in and fix your vulnerabilities on your own. You won’t be dealing with an 87 page PDF which says, 'Hey, here are all your online vulnerabilities, now just go fix it.' That’s just not useful.”
While scanners such as Tinfoil might be able to replace some human functions, Braun concedes that context remains the human edge -- a gap that Tinfoil in the longer term hopes to bridge.
“The only difference between the scanner and human is that the scanner will go super in-depth while the human will try to understand the website it’s attacking and will try to get through different routes based on what the website is. You know, if it’s a financial website a human will go after the way a human will attack financial companies. If it’s a social media website there might be different ways to get in that they’ve learned through other security experience.”
“So ideally we start to bridge that gap. We haven’t quite built out that whole functionality yet.”