Recently, I’ve been working on another side project called dns-db. It is a big, automatic security database like Shodan and FOFA (or ZoomEye). It now works well and gathers millions of useful data records with little compute resources.
Yesterday I saw @ring0 post some screenshots about the EASM product. One of the screenshots is below.
I’ve been a fan of @ring0 since I was in college. When ring0 posted the screenshot, I told myself: “It’s time to rock.”
In my roadmap, I’m going to build a SaaS platform for EASM: a huge platform with user registration, subscriptions, an API and a good user interface. I’m not so good at frontend development, and it got very slow.
After ring0 shared the screenshot, I asked myself:
“What is the core competitiveness of Open EASM? Is it the user registration and subscription system, or the good interface?”
As I noted in another post, “程序员の副业，旭之民科遐想”, the three important things for a SaaS product are: use case, algorithm and resources (aka cost). Comparing OpenEASM and other security companies:
- We all have the same clear use case: helping companies or pentesters find the exposed assets on the public Internet. So we don’t pay much attention to this.
- It’s the most interesting part. I’ve been working in cyber-scanning for a very long time and have developed a lot, such as DAST and high-concurrency systems. I’ll be able to cover the dataflow by myself, using the best algorithm to make sure the data is clean, useful and fresh.
- A security company will need a 5-6 man team to build the system: for example, 1 PM, 1 full-stack web developer, 1 or 2 security engineers, 1 UI designer and 1 tester. And EASM is a complex system; it will need third-party data such as Shodan/Censys etc. If the EASM team decided to build it themselves, it would cost more. (This is why they are able to develop a good UI.)
- For Open EASM, we move fast and have no revenue pressure. That is a very important advantage for the project, not the UI or interaction logic. If the project gets some foundation, I think it would be easy to hire a frontend engineer to build it. But before that, we must focus on the real thing we want to do and the real problem we want to solve.
So I will focus on the algorithm development and suspend learning new web tech (such as Next.js / React / Tailwind…).
Let’s wait for the first demo.
The easter egg
I found that ring0’s ASM has a domain named openasm.net. And our openeasm is openeasm.org (registered some months ago; no web page yet due to time constraints).