Detectify, the SaaS security company powered by ethical hackers, today announced the general availability of Ugly Duckling, a stand-alone application security tool specifically tailored for ethical hackers to make it easier for them to share their latest findings.
Finding web vulnerabilities as soon as they emerge – before attackers exploit them – is critical to stay on top of web application security. The Ugly Duckling speeds up the incorporation of vulnerabilities found by ethical hackers into automated security tests on Detectify’s platform by giving hackers the tools to create more test modules independently.
Upon finding a vulnerability, the ethical hacker can write a module as a JSON file and test it out in Ugly Duckling, to validate that it works. Detectify then implements the JSON file on their platform, scaling the quality-checked findings to thousands of application owners and security teams.
Using Ugly Duckling, vulnerability findings can run live as security tests within 5-10 minutes after they have been submitted. It’s a win-win: security and engineering teams can stay up to speed with the latest exploitable vulnerabilities found in the wild, while the ethical hackers can get paid faster.
Ugly Duckling uses a custom JSON-based template format to describe the vulnerabilities. It detects “stateless” vulnerabilities, i.e., vulnerabilities that can be identified with a single HTTP request, analyzing the response that comes back.
Detectify crowdsources the latest security research from ethical hackers and delivers it to security engineers and application owners as payload-based tests, enabling them to continuously scan their applications for vulnerabilities.
Pricing and Availability
The Ugly Duckling vulnerability scanning tool is open-source and MIT-licensed on Github. Consistent with the company’s belief in approaching security in a collaborative way, the Ugly Duckling web scanner is not exclusive to ethical hackers in Detectify’s Crowdsource network, but available for anyone to use for bug bounty hunting, security research, or penetration testing.
Comments on the News
“Vulnerability research is often a time game. With Ugly Duckling, we can get quality-checked research from our hackers sooner, allowing for more vulnerabilities to be released as tests before the vendor has patched them. This means better protection for customers and higher payments for the hackers,” says Tom Hudson, Security Research Tech Lead at Detectify.
“To build safer web apps, security needs to be a collaborative effort, and knowledge about it needs to be accessible. The stand-out feature with Ugly Duckling is that the code is simple and MIT licensed, so you can use it as a jumping-off point to build your own custom scanner,” continued Hudson.