Maven Central Security

By Max Veytsman | January 29, 2016 on Java, Maven, Clojure, Programming, Security, Talks

The security of your package manager is very important to us at appcanary, and it’s important to make sure the packages you’re downloading are secure in transit.

Back in the summer of 2014, I discovered that Maven Central wasn’t using TLS or any signature verification when serving up Java packages.

I gave a talk at !!con 2015 about what I did to help convince them to start using encryption.
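A check a defender can run against a project's own Maven configuration, added here as an example (it is not code from the post, from the talk, or from Maven): it parses pom.xml- or settings.xml-style documents and reports every repository, plugin repository or mirror whose URL is not served over HTTPS. The sample POM and hostnames are constructed.

```python
"""Flag Maven repositories and mirrors that would be fetched over plain HTTP."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Elements whose <url> child names a remote artifact source in pom.xml / settings.xml.
_REPO_TAGS = ("repository", "pluginRepository", "mirror")


def _local(tag):
    """Strip an XML namespace such as {http://maven.apache.org/POM/4.0.0} from a tag."""
    return tag.rsplit("}", 1)[-1]


def find_plaintext_repos(xml_text):
    """Return [(element, id, url)] for every repository/mirror whose URL is not https.

    Anything that is not https is reported (http, a missing scheme, file://) so
    the reviewer can triage it; only https is accepted as secure in transit.
    """
    findings = []
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        if _local(elem.tag) not in _REPO_TAGS:
            continue
        repo_id, url = None, None
        for child in elem:
            name = _local(child.tag)
            if name == "id":
                repo_id = (child.text or "").strip()
            elif name == "url":
                url = (child.text or "").strip()
        if url is not None and urlparse(url).scheme.lower() != "https":
            findings.append((_local(elem.tag), repo_id, url))
    return findings


# Constructed sample: a pom.xml that still points at Central and a plugin repo over HTTP.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <repositories>
    <repository><id>central</id><url>http://repo1.maven.org/maven2/</url></repository>
    <repository><id>internal</id><url>https://repo.example.internal/maven2/</url></repository>
  </repositories>
  <pluginRepositories>
    <pluginRepository><id>plugins</id><url>http://plugins.example.test/</url></pluginRepository>
  </pluginRepositories>
</project>"""

if __name__ == "__main__":
    for kind, repo_id, url in find_plaintext_repos(SAMPLE_POM):
        print(f"{kind} '{repo_id}' is fetched over {url}")
```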


Hello Appcanary

By Team Appcanary | October 26, 2015 on Retrospective

Dear friends,

tl;dr We launched Appcanary, we’re shutting down Gemcanary Dec 31st 2015, we have great plans for the future, we love you.


We’ve been busy. We got to spend the summer in sunny California attending Y Combinator. We learned a lot, it was well worth it.

During the summer, we launched the first version of our product, Appcanary. We help companies track the security of the software components they rely on. Simply run our agent on your servers and keep tabs on the packages on your systems. It’s pretty cool! There are a lot of moving parts.

In the meantime, we courted a small cadre of investors who believe in our ideas about the future. We’re pretty excited for what we’ll be able to do over the next couple of years.

We also released isitvulnerable.com. It’s a free tool that lets you drag and drop your Gemfile and check for vulnerable dependencies.

Once, we even managed to go to the beach.


In a nutshell, we want to change the way software and operations engineers engage with security. Right now people largely don’t, or have to deal with lots of snake oil. It’s hard to know what to think. We think we can drastically improve how we keep our systems safe. We have lots of things to share with you soon!

For now though, we’d like to announce that we’re sunsetting Gemcanary, the free, Ruby-only, GitHub-only service we created in 2013. The service will shut down December 31st, 2015.

We started Gemcanary all the way back in February 2013. Things were different back then; we ran a fledgling consultancy, Edward Snowden was about to book a flight to Hong Kong, and Heartbleed was still hidden away in our OpenSSLs.

We’ve since spent a lot of time breaking and building apps. We became a real startup. And, frankly, we think our customers will be better served by not requiring such tight integration with GitHub.

If you enjoyed the service, you’ll be happy to note that we provide the same value and more via Appcanary. While Gemcanary could never tell you about Heartbleed, Appcanary will let you keep tabs on all of your infrastructure’s dependencies.

Regards,

@phillmv and @mveytsman. Comic by Nick Wolfe.


Hello World

By Team Appcanary | July 26, 2015

  1. In 2015, building web applications involves more moving parts than ever before. The average web app depends on the interaction of hundreds of distinct open source software libraries.

  2. The easiest way to hack someone is through publicly disclosed vulnerabilities they never patched.

  3. Due to a variety of technological but mostly social problems, it is really time consuming and expensive to find out about new vulns that affect us and keep our web apps patched. We mostly rely on email, Twitter and Hacker News as distribution channels.

  4. This sucks.

  5. We’re going to fix this. There’s no reason anybody should be running vulnerable software.

Visit our page to find out more.

Sincerely, @phillmv and @mveytsman.