Recently, I’ve been working on another side project called dns-db. It is a big, automated security database like Shodan and FOFA (or ZoomEye). It now works well and gathers millions of useful records with very little compute resources.
Yesterday I saw @ring0 post some screenshots of an EASM product. One of the screenshots is below.
I’ve been a fan of @ring0 since I was in college. When ring0 posted the screenshot, I told myself: “It’s time to rock.”
In my roadmap, I was going to build a SaaS platform for EASM: a huge platform with user registration, subscriptions, an API and a good user interface. I’m not very good at frontend development, and progress got very slow.
After ring0 shared the screenshot, I asked myself:
“What is the core competitiveness of Open EASM? Is it the user registration and subscription system, or the good interface?”
“Never.”
As I noted in another post, “程序员の副业,旭之民科遐想”, the three important things for a SaaS product are: use case, algorithm and resources (aka cost). Let’s compare Open EASM with other security companies on each.
Use Case:
- We all have the same clear use case: help companies or pentesters find the assets exposed on the public Internet. So we don’t need to pay much attention to this.
Algorithm
- This is the most interesting part. I’ve been working in cyber scanning for a very long time and have built a lot, such as DAST and high-concurrency systems. I’ll be able to cover the whole data flow by myself, and use the best algorithms to make sure the data is clean, useful and fresh.
Cost
- A security company will need a team of 5-6 people to build the system: for example, 1 PM, 1 full-stack web developer, 1 or 2 security engineers, 1 UI designer and 1 tester. And EASM is a complex system; it needs third-party data such as Shodan/Censys etc. If the EASM team decided to build all of that themselves, it would cost even more. (This is also why they are able to develop a good UI.)
- For Open EASM, we move fast and have no revenue pressure. That is a very important advantage for the project, not the UI or the interaction logic. If the project gets some funding, I think it would be easy to hire a frontend engineer to build it. But before that, we must focus on the real thing we want to do and the real problem we want to solve.
So I will focus on algorithm development and suspend learning new web tech (such as Next.js / React / Tailwind…).
Let’s wait for the first demo.
The easter egg
I found that ring0’s ASM has a domain named openasm.net. And our Open EASM is openeasm.org (registered some months ago; no web page yet due to lack of time).