Hack a Server:  Crowd Source Audit Platform for Manual Penetration Test

His favorite quote is “Simplicity is the ultimate form of sophistication.” Leonardo Da Vinci.

Sudhanshu Chauhan: What is Hack a Server?

Marius Corici: Hack a Server is a startup that represents a brand new approach when it comes to manual penetration testing. It’s a platform where administrators and developers test their servers and web applications for flaws and vulnerabilities using the power of crowd sourcing, all covered by anonymity and confidentiality. It’s a platform where you, as a CTO, Sys Admin or Web App Developer, can deploy a server in under 3 minutes and start receiving reports about your system’s vulnerabilities.

SC: What’s the vision behind HaS?

MC: One day I got the idea of a marketplace that brings together companies concerned about the security of their IT&C infrastructure and ethical hackers who can help those companies discover their security flaws. It seemed a great idea, since the companies got to pay less, find their vulnerabilities faster (and more accurately), and the hackers got paid for what they love most: hacking servers. Well, here we are: Hack a Server is now an affordable alternative for small and medium sized companies looking for manual penetration testing.

SC: Previously you have been involved with various industries; what led you to Information Security?

MC: Yes, I’ve been involved in different industries and now I am into InfoSec. I’m a serial entrepreneur and that’s what entrepreneurs do. I had the idea, I loved it and I’m willing to do my best to make it happen. Add to that that I love challenges and doing things considered hard or even impossible to do, and you will understand why I am getting more and more involved in InfoSec.

SC: Who is on the HaS team?

MC: We worked with a lot of different people, but it seems like just a few remained constantly engaged in the workflow. Marius Chis (http://www.linkedin.com/profile/view?id=63665028) is the CFO and the first investor of Hack a Server, also taking care of all our paperwork and legal documents. Andrei Nistor (http://www.linkedin.com/pub/andrei-nistor/54/91b/641) is the CTO and the one who did most of the coding, based on team members’ and testers’ feedback. He worked day and night to get the project working flawlessly. Alex Constantinescu (http://www.linkedin.com/in/constantinescualexandru) is the marketing and communication specialist, taking care of our positioning, communication and marketing strategy.

SC: Is HaS only for professional hackers, or can anyone with the skills utilize it?

MC: The short answer is yes, anyone with strong hacker skills can utilize it, Playground Arena included, if they pass a practical exam to prove to us that they really have those hacker skills. The Training Arena and Exam Arena can be used by anyone, free of charge, with or without hacker skills, whether they are pentesters, web application developers, CTOs or Sys Admins. The Playground Arena, on the other hand, is serious business because reports are getting paid for; that’s why it’s addressed only to those pentesters who have passed the exams (in the Exam Arena) and become Hack a Server certified hackers (regardless of previous experience).

SC: What is the difference between Training Arena and Playground Arena?

MC: The Training Arena’s main purpose is to get users familiar with the Hack a Server environment; it’s available to all users and it is used like a sandbox. You can build or try to hack others’ systems for free. That means no matter what role you choose (building systems or hacking into others’ systems), Training Arena gives our users the full experience of how things should happen in the main arena, Playground Arena. The Playground Arena is similar to Training Arena, only it is used for real business. In Playground Arena everything gets serious. No more trivial or sandbox hacking. Here, in Playground Arena, only the best pentesters have access. We do want to be sure that when companies, CTOs, Sys Admins, DB Admins and Web Apps Developers pay for and receive a Penetration Test Report, it will comply with the Penetration Testing Execution Standard (PTES). This is the reason why we have our own Penetration Test Exam. As a system builder (not a pentester) you get access instantly when you deploy your system into Playground Arena. Hacking and getting paid for it is available to the users who have passed the Exam Arena tests and become Hack a Server certified hackers.

SC: What is a HaS certificate, and what is the procedure for one to attain it? Is it a substitute for other hacking certifications in the market?

MC: No, it is not a substitute for those worldwide recognized certifications. You see, we do want to keep our users’ anonymity safe, and for that we don’t ask them who they are or what other great certifications they have. This is the reason why we test them. No matter who they are, they just have to prove to us that they can conduct well-documented penetration tests in order to help companies that test their systems/applications. If they already are a certified ethical hacker, they will find this exam an easy to medium one, which would make us happy. The HaS Certificate is a hacking certification available only for Hack a Server users that proves the one who attained it is ready to enter the Playground Arena, where the paying customers are. To get a HaS certification, the user must enter the Exam Arena and follow the onsite instructions (basically hacking a few servers and filling in pentest reports). The fact that the HaS Certificate can’t be considered a substitute for other hacking certifications is our way to ensure that they do a great, high standard professional job.

SC: How is HaS better than other conventional Pentesting Services?

MC: Here we have to draw a line before I answer this question. The HaS platform will never ever be a substitute for penetration services. On the contrary, it complements those services. Out there are companies (financial or strategic) and government institutions that by law must have periodical security tests, tests that must be conducted by authorized penetration test companies. This is their role and job and I’m pretty sure they do a great job. But also out there are companies that are not forced by law to get those authorized security reports and still need such tests; moreover, they don’t have big budgets. Outsourcing companies that deliver web apps are an example. Startups are another example. Startups have two major issues: Security and Scalability. HaS can take care of security. The advantages of using HaS are: the project harvests the power of crowdsourcing, the penetration tests are faster (1-7 days instead of 2-4 weeks) and cheaper (50-5000 EUR instead of 20000-50000 EUR), 100% Black-Box Testing, 0% Production Server Exposure, 100% Anonymous, 0% Risk when trying Different New Configurations, and the advantages could continue. I’ll stop here.

SC: Who are the potential HaS customers?

MC: Although we target small to medium sized companies, our product can also be used by individuals, big companies or multinational corporations. For example, big companies that develop WAF (Web Application Firewall) software can use our platform to get a real attack using the CTF (Capture The Flag) option; the same goes for companies that build security applications. They’ll figure out one day that using the power of crowdsourcing will help them a lot faster, easier and at a fraction of the cost. Practically anyone who wants to test servers for vulnerabilities is welcome to try out www.hackaserver.com. Look at Google, Facebook, Twitter, PayPal or eBay. They all use the power of crowdsourcing to test their products for flaws and vulnerabilities; same here.

SC: What are the features provided by HaS?

MC: Training Arena gives our users, no matter what their role is (pentesters or system administrators, web apps developers, CTOs, etc.), a space to test and experiment for free with what HaS is all about, before making a decision whether or not to use our platform. Exam Arena gives pentesters the possibility to get access to Playground Arena, where they will conduct real penetration tests and get paid for their work. Playground Arena is the place where companies get professional penetration test reports for their system. Hall of Fame is the place where the best of the best will have their nickname on top, whether they are pentesters or system administrators.

SC: What are the benefits of the platform for students undergoing any kind of Information Security training?

MC: Students who are learning about information security can use the HaS platform to test their knowledge in finding vulnerabilities and also in securing servers. Passing the Hack a Server Exam and learning from our tutorials how to complete penetration tests will give them the possibility to increase their income. Configuring and launching servers in the Training Arena without having them compromised is a reassurance of their skills in computer security.

SC: Does HaS also provide any kind of security training, or have plans to do it in the future?

MC: No we don’t, and we don’t plan to do it. Instead we will encourage our pentesters to better train and learn from sources like InfoSec Institute and others around the world. Those institutions do train ethical hackers and they do it very well. We intend to remain a marketplace for pentesters and companies that want to test their systems fast and at a fraction of the cost.

SC: What are the challenges you are facing right now?

MC: In this kind of startup (marketplace) usually the biggest challenge is to hit the critical mass of users. Another challenge is to get HaS into public beta, right now being in the alpha stage.

SC: How do you plan to evolve the platform in the future?

MC: We have big plans for Hack a Server in the future, such as including the possibility of pentesting an entire network using the platform, not only one server. But until then, we want to focus on usability and user experience. We want to make Hack a Server a user friendly place.

SC: What advice would you give to the security professional who wants to be an entrepreneur?

MC: I have this saying: “Get a problem, find a solution, then build a product.” There are lots of problems in the InfoSec industry and all the problems have a solution somehow. If you find a better solution than the existing one that would reduce cost for companies and improve their security, then you can start building your product. Go get it right now! Get noticed! Speak with/meet people, ask questions, get answers, ask questions, get more answers, keep only what is meaningful, keep it simple, team up with the right people and make it happen! This is what I have done with HaS. If somebody who reads this article wants to start a project, they can contact me and ask me. I would be happy to help.