Birth of Vulhunter & It’s Retirement Goodbyes…
Short story of the developer who worked on Vulhunter,
I graduated with Bachelor of Computing in August 2012 from Swinburne University of Technology and I was very fortunate to get full-time work with my first employer straight after my graduation. The day I joined the company it was very overwhelming experience, people were throwing jargons around which I had no clue what it meant. Although, somehow I saw that as a positive sign, I like to work with people who are smarter than me, it helps me challenge myself to learn something new every day.
Day one started, I was standing near a coffee machine and the CTO of the company walked up to me and asked me (Usual Hi and Hellos…followed by…)
“Kru, what would you like to do on your first day? Do you want to start with something trivial or you would like us to throw you into the deep water.”
I went into complete silent mode and then answered “…errrmm, deep water will be great!..” I had no clue why I chose that option. Maybe I wanted to impress him by taking harder challenge. Now, I look back and think it was the best decision I made and since then I have always liked to throw myself into deep water with challenges.
It was a small start-up company with 6 employees excluding me, I didn’t count myself as part of the company until my probation period got completed (The fear of being new and wrong, I guess ;) ).
Since, it was start-up & I joined the company as a fresh graduate who will adapt not only one job profile but become a fluid which puts itself into to any jar and gets its shape. It wasn’t easy, I did mistakes every single day for months. I used to get asked to spin-up EC2 servers and install MAMP stack etc. I use to just say yes without knowing anything about it and but then go back to my Mac and start figuring out how to get things done. I wanted to be an iOS developer, so I had paid limited attention to how server can be setup during my academic years…Deep Water, Indeed. Lets fast forward a little to an incident which became a key phenomena for idea behind Vulhunter.
The day we got attacked…
It was sometimes in january 2013, one of our application server showed some unusual log entries. It was list of Non Australian IP addresses trying to bruteforce us and looking for vulnerabilities on our server. The CTO of the company was very proactive, he asked me to list all the different packages we have installed on the machine, specifically packages without using yum package manager. One of the package was ffmpeg utility (we installed older version of ffmpeg manually in order to support some old deprecated functionality (bad….very bad! Guess what it was client’s requirement. )). I looked for latest version or security patch and started updating all the packages in staging server for test. Luckily, ffmpeg’s latest version supported the old deprecated functionality and it was all ok for us to update to the new version. We made sure we patched and updated as much packages as we can so that attacker cannot exploit installed applications on server.
After the hectic day finished, I went home had dinner and start looking for tools which can send me notification on phone for vulnerabilities related to the packages I have installed on my server. Unfortunately, I couldn’t find anything.
The idea striked!
It was about mid-2013, I had this crazy idea to write my own app. Not only iOS application but starting from design to deployment into AppStore, in short end to end development.
- Wire Frames
- Designs using application like Sketch
- Architecture Design (EC2, SQS, SNS, S3 and VPC)
- Backend API design and deploying on EC2 server (Symfony 2)
- iOS Application (Objective C)
I named it Vulhunter, I registered the domain name and started looking into best practises across the technology stack I was going to work with. In short I was in 0.10% in MZ Zone, The zone I called was MZZ (Mark Zuckerberg Zone).
Six month later, I launched the app into the AppStore. It was my first app and I was very excited.
The Vulhunter app alerts you to known vulnerabilities in software installed on your server. You create a personalised list of software packages installed on your server, and Vulhunter notifies you of vulnerabilities as they are discovered and published in various sources, including the National Vulnerability Database (NVD). Also, it gives you access to security news feeds, community blogs and other sources of security information.
Vulhunter cannot protect against Zero-day attacks (unpublished vulnerabilities), however it will alert you to existing known vulnerabilities and new vulnerabilities as they are published in the global security community. Features — Latest twitter feeds containing Network Security related information. — Most recent official CVE feeds with beautifully crafted UI for ease of use. — Profile page to select software packages you have installed on your server. Key Features
- Latest twitter feeds containing Network Security related information.
- Most recent official CVE feeds with beautifully crafted UI for ease of use.
- Profile page to select software packages you have installed on your server. This way we can send you push notification if selected packages has been reported to have vulnerabilities from our sources.
I would like to say, Vulhunter lived a happy life. It was targeted specifically for server administrators and sole developers like me.
- 8000+ downloads.
- 300,000+ notifications sent to alert about vulnerabilities.
- PHP was the top most package which needed frequent alerts sent to users.
I had few testimonial coming in from USA and Spain regarding app is a great idea, but user interface is pretty shit. ( Which was understandable :D ).
It was time to say good bye,
As always without any marketing the app started to lose it’s touch. I got too busy learning and working on full-time work projects. I never got enough time to bring Vulhunter to the next level. Although, I had attempted to start version 2.0 but full-time work always got first preference and I had to back off.
All these leads me to today, I have started working on my new side project and I have decided to take the plug off Vulhunter. Just to divert those server cost to my new fresh idea. Also, there were not many sessions online on Vulhunter in last 6 months. I am very sorry to those who still uses my old 64 bit incompatible app (chuckles!), You guys are awesome!
Thanks for downloading and enjoying Vulhunter App
The idea is still great and relevant, I would like anyone with deep pocket to take this idea and make it a better one, I expect nothing in return. I will still remember those sleepless nights I spent in MZZ to convert this idea into reality. I made it and now something better and new will take place of it, Hopefully!
Please do get in touch with me on Linkedin with any question regarding implementation and data parsing of NVD files. Alternatively, you can connect with me on @krutosh twitter.