How do you discover your server’s vulnerabilities before they come to byte you? Romanian startup HackaServer comes with a great solution, helping admins get their servers tested for vulnerabilities by a community of the most talented hackers.
As Marius Corici, HackaServer’s CEO, describes it: “From a tech point of view, HaS is a platform designed for conducting manual penetration tests using the power of crowdsourcing, covered by anonymity and confidentiality. From a business point of view, it is a two-sided marketplace where CTOs, SysAdmins, DB Admins and Web App devs meet infosec specialists to solve security flaws and vulnerabilities.”
How to Web: How does the client interact with the platform?
Marius Corici: There are two kinds of interaction, depending on the user’s choice:
CTF – Capture The Flag, where the user will be announced that his system has been compromised and the tester will send him all the details.
FVF – Finding Vulnerabilities and Flaws, where the user, who has a server on our Playground Arena, will receive a summary message saying that a vulnerability has been spotted in his system. This message will specify only the rank of that vulnerability (e.g. Critical risk, High risk, Medium risk, Info). In this case, depending on the rank of the vulnerability or flaw, the user will pay to get a full penetration test report where everything will be specified.
HTW: So what is the workflow? Once the user is aware of a vulnerability, he repairs it and sends the platform back, for more testing?
MC: Yes indeed: Once the user pays for a vulnerability that was found in his system, the system will be updated and put back into “Playground Arena” for more tests.
HTW: How is the community of hackers created?
MC: Whether they are called black, grey or white hackers, crackers, skiddies, PenTesters, you name it, they love to find flaws and vulnerabilities. They love challenges and every flaw or vulnerability represents a challenge for them, and what can be nicer in this world than doing what you love most and getting paid for it? As a matter of fact, we already have over 1000 registered users as we speak and the community grows fast.
HTW: We know that you’ve been organizing some hacking events in several cities in Romania, like Bucuresti, Iasi and Cluj. What happened there, what was their purpose?
MC: Yes indeed, we organize events called “Hack a Server – Get Together” where we gather specialists from both sides of the market: CTOs, SysAdmins, DB Admins, Web Apps Devs and PenTesters. At those events we explain to them what it’s all about, how the platform can be used, what the benefits are and so on. Moreover, being on leanstartup, we try to figure out what can be best for them, while having fun.
Also this summer we had an idea of a free summer camp: “Hack a Server 2012 – Summer Camp” = 7 awesome days of PHP. Wonder what PHP means for us? PHP stands for Pool Hacking Party. 7 days of fun: drinking, swimming pool, gaming, bbq and coding. Everything at our expense. Even if it’s free of charge, there is a “catch”: We expect to get the best coders to help us take HaS to the next level.
HTW: How does HaS make money?
MC: As it happens in any marketplace, we retain a commission from what testers get paid. This commission won’t be bigger than in any other business with the same model. Security will never be perfect, but can be pushed to perfection. It’s an iterative process. The client (the user) will pay for each vulnerability/flaw that was found on his system.
HTW: Can you tell us a few words about how the company is financed? Are you on the look-out for an investment?
MC: At this moment we are in bootstrap mode and that means we have to be very careful with our spending, and yes, we are looking for investors (once we get out of beta). We already know what HaS will become within 3 years.
HTW: What will it become?
MC: We have 3 directions, I’ll tell you two. The third one I’ll keep for myself… yet. HaS will become a major player in the InfoSec and war gaming niche. In Infosec, besides the HaS marketplace, our backend module will be open sourced and we aim for CS faculties all over the world to use it as a platform in their security courses. It will be way more exciting to learn security while having fun. Isn’t it?
HTW: When do you plan to go out of beta?
MC: If Murphy’s Laws don’t interfere, after “Hack a Server 2012 – Summer Camp” but who can live without Murphy’s Laws? The final version will be out somewhere in September-October this year 2012.
HTW: Can you tell me a few words about the current HaS team?
MC: I’ve tried many; we are left with few. I tried to involve people that fall in love with the project because I’m a strong believer that money is a consequence of a “well done job” and not a purpose.
Well, it’s me, the man behind the idea trying to change the world, in love with artificial intelligence and “gone with the wind” :-))))))
Marius Chis is currently CFO and the first investor in this project. He takes care of all our paper work and legal.
Walle, aka Andrei Nistor, is the CTO (I love to call him Walle, it suits him). He is the one who did most of the coding part, based on relevant feedback from team members or testers. He worked day and night to get the project working flawlessly, and made crowdsourcing pentesting possible.
Spok, aka Alexandru Constantinescu, is the PR & Marketing Executive. He doesn’t talk much but he does a good job. He impressed me with his determination when he told me how much he loves the project and wants to jump in on the marketing side with no initial financial interest, because he understands the development stages of a bootstrap leanstartup company.