A story of curiosity, experimentation, development, million euro deal, fraudsters, abandonment and revitalization.
From the inception of the F/OSS Arachni WebAppSec scanner to the opening of Ecsypno’s doors with its flagship product Codename SCNR.
Inception
Around 18 years ago, after building a F/OSS security tool called FIS (File Inclusion Scanner) for the PHP programming language and written in PHP itself (which first performed rudimentary static analysis of a PHP file and then moved on to DAST) the idea of WebSpidah occurred to me (also written in PHP), which would DAST scan web applications from a Metasploit-like console environment.
Soon after developing the WebSpidah user interface, I noticed the existence of W3af, which was an identical but existing project built in Python.
After that, efforts for WebSpidah stopped, as I figured it would be redundant in the F/OSS space.
However, I still felt curious about DAST, and the way I’ve always solved my curiosities was by starting a project and experimenting.
After the announcement from the Metasploit project that it was rewritten in Ruby, the language came to my attention and a curiosity started to develop about Ruby as well.
Just before my MSc Information Security studies at the Royal Holloway University of London, I found myself with a free summer period.
I was unsure about whether or not I would be accepted, and when I would start if accepted, so I couldn’t commit to a summer job between studies, like I used to.
What better way to spend that summer then, I thought, but by exploring DAST via starting such a project in Ruby, killing 2 curiosity birds with one stone.
Work on Arachni – Web Application Security Scanner Framework thus began under the GPLv2, primarily as an educational exercise for myself.
Announcement
The founding of Arachni was announced on a WebAppSec mailing list whose name currently eludes me.
I remember asking the community for suggestions and things they believed were missing from F/OSS projects and commercial products alike.
I received encouragement, great feedback and met great people, although I also got responses such as “give up now that it’s early, companies have gone bankrupt trying to do DAST properly” or “go contribute to an existing project” – also valid answers to some extents, but this was an educational exercise for me, so I wasn’t dissuaded by what one could call “negativity”.
As such, I carried on and started playing around with Ruby and its multitude of APIs and 3rd party libraries (GEMs as they’re called), to familiarise myself with what’s available to me.
Spread
Within a few months of trial and error I had something working; the prototype was operational and could do its job well enough that people started using it.
By the time I was a few months into my MSc studies at Royal Holloway, companies had started using it for SaaS services.
One company would even pay me to arrange my TODO list according to their priorities, which was fine by me.
Distributed capabilities such as remote agents and XMLRPC were added that way.
However, something fishy was going on with how that company was run, which would be made clear years later. You see, I also heard promises of leading my own department within the mentioned company once I graduated, and other sweet nothings to my ears – never mind that for now though.
Arachni was tracking really well in the field, and I was a happy and proud founder; it was my first big project and it was becoming a success.
I would get feedback from people using it to check infrastructure, ministries, universities, banks etc. as well as legends in the field.
(It was around that time I think that I switched the license to Apache License version 2.)
I still remember getting an encouraging email from the legendary HD Moore (creator of Metasploit, amongst others, back then – now founder and CEO of runZero) and calling to my roommate to see who had contacted me, in full excitement!
That was a good day!
I would also get job offers from established DAST companies out of nowhere, with positions waiting for me upon graduation, that was nice as well.
Another offer, unfortunately for a project which didn’t come to fruition, was from the legendary Mark Curphey (the founder of OWASP and a string of successful companies) to collaborate on a F/OSS AppSec book, backed by one of the biggest tech publishers out there. Sadly, after writing my part, the project fell through; it could have been great – my part was about the inner workings of DAST.
MSc thesis anecdote
Can you guess what subject I chose for my MSc thesis?
Correct, the inner workings of DAST.
Since I had done all this work on Arachni, it seemed like a waste not to take some academic advantage of it.
The funny thing was the sort of academic predestination I got to pull off, as I would reference my own code as a subject matter authority throughout my dissertation.
Funding
There was none.
I would skip class to work on Arachni and remember only attending my MSc studies 2 half times.
The rest of the time I would maniacally work on Arachni as well, one time to the point of dehydration.
With regards to funding, it was all out of pocket.
Luckily, some time after university, HD Moore approached me with a great job offer about working at Rapid7, to some proximity with him and to close proximity to the Metasploit and Metasploit Pro teams.
I immediately said yes and took up the role of Senior Web Application Security Engineer, being responsible for the DAST part of Metasploit Pro, which was the only DAST available at Rapid7 at the time, and Metasploit’s web application exploitation features.
Really cool people, great salary, big plans about how we could progress; a great future seemed to be shining brightly ahead for both me and Arachni.
Planning to eventually move to the US as soon as my work visa was sorted, I didn’t spend any of my salary, because there was nothing to spend it on – it didn’t make sense to buy things like cars as I was to relocate in about a year’s time.
Sadly, after a year, things didn’t work out.
A lot of work needed to be done on the existing DAST product, with a lot of the changes needing to be radical; management had changed, and so had my salary, and word of PRISM came out.
Thus, I remained in Greece, with about one year’s salary in my pocket and out of a job.
Arachni v1.0 – JavaScript and DOM support
Luckily, I was determined to continue with Arachni, and that salary would allow me to try a sink-or-swim giant leap in technology and competitiveness, and that was JS and DOM support, incorporating a full browser environment in Arachni.
Things got serious with that move, so a license change was also warranted in order to ensure future funding for the project; basically, the code would remain open, Arachni would remain free for pentesters, but SaaS and OEM would require a fee.
The license would at that point be non-F/OSS and Arachni would reach v1.0.
Post-v1.0 anecdote
v1.0 was ready, although a lot of fresh code had been added, and that necessarily means new bugs.
At that time, there wasn’t a lot of DAST SaaS going on that supported JS/DOM and I was looking for a win-win scenario to propose to someone.
It occurred to me, I could license Arachni to someone exclusively for a year; they would get a competitive advantage and I would get some much needed real-world feedback, along with some funding.
I then remembered that SaaS company with which I had done some business while I was in uni, the fishy one, as it turned out.
I emailed my proposal, made clear that my proposed price would just be for a single year of exclusivity and then I’d let the market decide as I’m also trying to gather data about where I stand, technically and business wise.
(I’d rather not mention the price, but it basically was a senior security engineer’s salary for a year – I figured that would sustain me to move forward.)
Past that, I got the most nonsensical, pseudo-emotional response one could get in that situation, in a clear way to manipulate me towards the dumbest of outcomes.
The outcome was hiring me to lead the SaaS team, but in order for that to happen, I had to sign over ownership of Arachni to them.
Huh?
I was unreactive and became disinterested in anything having to do with them, so I pressed on with my own goals about my project.
I released v1.0 into the wild with its new license and hoped for the best.
The million euro deal
Within a year, a well-known company in the field approached me, they had big plans and quickly needed a DAST component to supplement their network/host scanning offering, in order to have a more comprehensive product line.
The initial idea was for a simple license, but after a year of negotiations, an agreement that would basically give them a copy of the Arachni code to do with it as they pleased seemed to solve all our problems.
That agreement was struck for the milestone price of 1,000,000 euros lump sum.
After a decade of hard work, I felt like I could breathe freely and take some time off to decompress.
Decompressing with Rust
Soon after I relaxed from the gruelling period of working on the deal, I got the idea of turning to Rust as an optimization for the resource intensive components of the Ruby DAST process.
Preliminary experiments were successful and Codename SCNR was born, but more on that later.
The Balkan fraudster accountants
So, I had a paper with a large sum of money on it, but didn’t have a company, accountants nor lawyers.
The pressure was still immense and I had no one to turn to.
Previous encounters with lawyers were horrific and expensive, with contracts that nevertheless belonged in the bin.
As luck would have it, an accountant in my hometown was referred to me, so I figured it wouldn’t hurt to consult with him.
What I heard was that I better turn to neighbouring Bulgaria if I wanted to personally retain any reasonable amount from that deal, as taxation in Greece was at that time prohibitive.
With the above in mind, I founded Sarosys OOD in Bulgaria in order to handle the deal.
Long story short, money would move to bank accounts that it shouldn’t have. Things were left unpaid that should have been paid, and people would take orders from people they had no business taking orders from with regard to my company’s resources.
The Bulgarian accountants then disappeared with around 50,000 euro of my hard earned money and a sob story coming from the accountant in my hometown who used to swear by them.
After the above, I decided to stop using Sarosys OOD for business, as a lot of paperwork was found to be unsuitable as well.
To move forward, Ecsypno Single Member P.C. was founded in Greece by well-respected and highly professional people, lesson learned.
Ecsypno and Codename SCNR
Older, fatter, balder but wiser, I’m moving forward with Ecsypno and its flagship product Codename SCNR.
Codename SCNR is the commercial successor to Arachni, incorporating over a decade’s worth of R&D experience in DAST.
Partly written in Rust, with amazing audit scheduling and webapp behavioral analytics, it is a huge leap forward from Arachni.
Approachability and affordability were must have attributes, as were coverage and performance.
The Codename SCNR editions have the best marriage of low pricing and high-tech out there.
From a free Community version, to affordable Enterprise scanner grids, we’ve got you covered.