I am happy to announce a new scanning API for golem security scans! All subscribers get this automatically now as part of their plans. This allows customers to embed scanning functionality into their products and services with a completely custom feel and pricing. Customers can even replicate the Golem functionality completely using our scanning technology on the back end.
Pricing is simple - the API uses scans which come with our plans automatically. Going beyond the number of allowed scans incurs a small $5 charge per additional scan, automatically billed, so there is no hassle about accounting for the total number of scans remaining. 
Happy scanning!

I had just finished college and was working my first job. I had control over a suite of customer applications. My manager was tough as nails. Quick to shout, slow to praise, and I was a little bit scared of him. He wanted some enhancements to the customer portal yesterday, and I had only just started today. My predecessor had left without leaving anything in the way of documentation behind, so I had to scrape the bits and pieces together into something coherent.

To learn the application, I started using it – both as an admin (company employee) and as a customer. I didn’t have a lot of security training at the time – I had a couple of security courses from university only – but I was a bit of a hobbyist.  The enhancements were handed to me by the development team with a promise everything was right – but all I had to go on were a 100MB file of zipped emails between the various stake holders from the past year. I learned that the main enhancement was new functionality allowing online customers to login, and view their invoices and pricing agreements.

If you have never worked in old school manufacturing shops with regional sales offices, you may not have an understanding of how pricing works for them – every customer gets different pricing based on a number of factors – and every sales person gets a different price book too. Pricing was considered highly secret to everyone but senior management, who set the pricing book once a year and then lent it out. Sales staff guarded their pricing religiously, from customers and each other. One of the main requirements of any system which worked with pricing was tight access and data controls around setting and viewing pricing information.

So when I was testing the customer side, and logged in as first the largest customer, then the second largest customer, I noticed something interesting. Invoices could be viewed as PDF documents, and they were viewable by invoice number in the URL. Orders which happened on the same day sometimes had sequential numbers, so I guessed that the invoice numbers were generated sequentially. When opening an invoice, the invoice number was passed into the application. The URL looked something like:

customerportal/viewinvoicepdf.asp?invoice=123456

If you punched in “123457” instead, a different invoice came up. Guess what? As the second largest customer, I pulled up the largest customers invoices after guessing a few numbers. Pricing and all.

I was scared of my boss. I knew this had the potential to delay migrating the code out to customers. I told him anyway. I showed him what I could do. “So what?” he asked, “What are the chances of someone doing that? Release it now, and then fix it and patch it. How long will that take?” Well it ended up taking 3 months to fix with all the back and forth with the shared development team and the various controls around code promotion.

In the end, system went live with the security issue, and stayed that way for 3 months. I never found out if it had been used by customers or salespeople to view private information or not.

Update 1/18/12: This post received a lot of attention. More than I would have thought. It is written in a negative tone, which is perhaps not the ideal way to communicate this. Although many job seekers disagree with the sentiments expressed, I have had dozens of hiring managers and recruiters reach out to tell me they feel the same way. Although the tone may need some work and people may not like it, the point of the article is that what most people do to get jobs isn't working, and their attitude should change accordingly.

Update 1/20/2012: To those who believe this is not realistic, see a job posting for a software engineer which references this article:

"...We have an energetic and inspired team and have an immediate need to add like minded people to our group. Prior to applying, you are encouraged to read the blog post below. While not authored by us, it's a pretty accurate and candid description of our interview thought process: <link here>"

I will be very honest with you in this post. Most interview articles only show obvious mistakes, as if most people don’t know showing up late is bad form. I will tell you the things I didn’t really know about until I was the one interviewing, and interviewing for a variety of positions and person-types. No interview prep article ever prepared me in the right way for how interviewers really think. That is what I will be sharing with you today.

When you first walk in to my office, I am expecting you to be one of the 99%+ people who I know I won’t hire in the first 5 minutes. I am hoping I will be proven wrong, because I really want to hire you and be done interviewing. Unfortunately, most people looking for jobs don’t deserve them. Here are the most common ways I know you don’t deserve any job I have to offer.

You send me a stupidly long resume

If I have to spend more than 30 seconds finding out what you have accomplished, forget it. You have annoyed me. Somehow, since resumes went digital, people feel like they can cram in 10 pages of boring essays talking about this achievement or that role, and expect me to read every juicy word. More likely, I will ignore the whole thing, write down in my notes “poor communicator”, and move on. If you have a good set of skills or something catches my eye, you might still get an interview, but I’ll still never read the resume. And you had better be a better communicator on the phone or in person.

Think about it this way – the resume items communicate to me your past successes in a (supposedly) succinct manner. If you can’t nail it in one sentence, do I really want to look forward to your rambling emails every day? If I can’t read your resume, it doesn’t bode well for your emails, and I get enough of those in my inbox as it is.

To craft a great resume, tailor it to my job posting. If I have a skill set in there like “Windows Administration”, make sure you have at least one bullet point talking about success in a project where you used that skill. Make the bullet no longer than three sentences. One is better. I am likely to read one sentence. I might read three. More than that and I won’t even know what you wrote there. You wasted my time and your own.

You can’t tell me why you like your current job

I always ask people what they like most about their current job before I get into any details about a role. Why? I want to see if you’ll be happy working in this new job. If you can’t tell me anything you like, or you tell me something you like but it sounds really generic? Then forget it, I have no idea what you want to do in life and you probably don’t either. Come see me when you know what you want to do. I would even be happy with something like “Well, this job doesn’t enliven me, but my last job, I loved doing XXX every day, and man, I miss that. It looks like this role will let me get back to that.” Let me know you're passionate or don’t waste my time.

The worst answers? “Well I like the challenge” or some other BS. Don’t BS me. I have a super BS detector, and most other interviewers do too. The worst BS is the kind where more than 50% of candidates say the same thing. If you can’t be original about what you like about your unique job how can I expect you to be creative working for me?

If you have a generic answer like you enjoy learning, the challenge, helping customers, that can be alright. Just sound excited when you talk about it. Give me an example of a time when you got really fired up about it. I don’t mind if it doesn’t relate to the job I am interviewing you for, though that helps. Just expect me to ask why you think this job will give you the same passion – and have a good answer ready. Really, why else are you applying if you don’t know this?

No career plans or vision

When I ask you what your next role is going to be after the one you’re interviewing for, you had better have a good answer. Everyone should have a story about why you want to come work for me, in this specific role. If you can tell me how this role helps you accomplish your long term goals, I’m much more likely to think you’ll be happy here and work hard in the job. If you just want a job, why should I care? Someone else will come to me with their vision. Eventually.

A good answer is a well thought out vision. You should have that anyway. Here is a good example: “I am looking to move away from working in my current small company to a bigger company with more career growth and opportunities. I want to rise to an executive level in the next 10 years, but my current company is too small to allow me to stretch effectively in that way. [This role] builds on my strengths in communication and project management, and will help me grow as a leader and improve my influencing skills. In a few years, I would look to becoming a senior manager…” and on with how this role fits into your life vision.

No Skills

Please, don’t bother applying if you don’t have the required skills. I will know. If you’ll be programming, expect to program in the interview. And program well. If you’ll be project managing, you had better be able to tell me about the right way to build a project plan and project vision. I’ll probably even describe a project and ask you to build a plan right there, with me. Just because the title has something in it you vaguely think you can do, if you don’t meet the requirements, please don’t waste my time. I might be ok if you are up front with me and tell me you want a career change and are willing to take a more junior position to learn. I might take a chance on you if everything else is solid. But tell me that in your resume so we don’t waste time. Yes, telling me that in your resume improves your chances of getting hired, even if not necessarily for this job or winning an interview. I won’t claim this is true for all interviewers, but it is true for me.

It’s about setting expectations. If you come in, and my expectation is, for instance, that you know Unix administration, and then you tell me “Well, I read a book and I really want to learn it”, no, I won’t like that. If instead you put in your resume an objective line “Looking to grow skills in Unix administration from a project background”, now we are on the same page. If I don’t need an expert right now, maybe I will invest in training you since you have the vision and self-motivation. Oh, and describing what you are doing to prepare is also good, even if you don’t have on the job experience. See how the expectation can change my perspective? Give me happy surprises, not unhappy surprises.

Answer my questions with conjecture

I will test you in a lot of ways. I will ask you to describe a lot of situations – where you failed, where you succeeded, what you would change, what you hate and what you love. Don’t sit there and tell me what you would do in the future. I didn’t ask what you would do, I asked what you did. If I have to wait for you to finish talking, then say “Could you give me a specific example where you did something like that?” Then you have failed to answer my question. If I ask for an example, please give me one. If you don’t have one, that’s ok, tell me you have never been in that situation, but you have some ideas if I would like to hear them. Yes, I probably would like to hear them, but I might also have another question with different examples I would rather know about.

If you don’t think well on your feet, spend some time reading through and practicing situational interview questions. I won’t ever use one I see online, but it will help train your mind to answer, and give you fresh memories to draw from. I also don’t mind when a candidate pauses to think. I will wait. I know everyone has different styles of thinking and responding.

How to Win the interview

I think it’s pretty simple. I look for a few traits in people I am going to hire. If you are missing even one, I’m probably going to pass you up for someone who doesn’t. Do your best to show off these traits and you’ll win. This is true in every case, from hiring a janitor to an executive.

1. Show me you can get things done. This means you can accomplish challenging tasks quickly, come up to speed when necessary, go the extra mile if you have to, influence peers. You must be self-motivated.
2. Show me you are intelligent. I will ask you questions that are designed to make you think. Show me you can. Don’t confuse intelligence with education. I don’t care what kind of schooling you had, if you can’t think, no job. If you can think, and aren’t educated, no problem in my book, though I’ll probably look for more experience instead.
3. Show me how I fit into your vision. Truthfully, we’ll work best together if you think this job is the best place for you to be right now. I want to help you succeed in your career, let me.
4. Be highly skilled. Unfortunately, I don’t hire awesome people who don’t have the right skill mix. But I do keep their information around for when I need their skill mix. I also tend to recommend these people to others who are hiring as strong candidates. The skill level required to be hired depends on the job and expectations. Entry level can get away with rough skill sets or classwork. Senior needs to be top of the field, regardless of years in the workforce.
5. Be Passionate. If you are bored working in a similar job somewhere else, you’ll be bored with me. Period. I don’t want any of that.

The End

Most of the stuff I am talking about here has nothing to do with Golem Technologies, but more about what it is like to hire in the first place. There are so many articles out there with bad advice for both those hiring and those trying to be hired, I wanted to inject some raw honesty into the equation. If you are looking to hire people, then I would recommend you use my 5 points above to screen people. As for me hiring, no, I am not currently hiring, so please don’t ask me. When I am hiring though, and if you happen to apply, the above is the criteria I will use to decide.

This is true across business functions and across companies. The people who have the stuff I listed to win the interview will get jobs they want consistently. If you are lacking something, then figure out a way to get there. Just having a plan puts you ahead of 99% of job candidates. I also like giving people a chance whenever they let me, as long as I have the flexibility to do so. So far, I haven’t been disappointed.

Do you have hiring war stories (interviewer or interviewee)? Share them in the comments!

Today marks a major shift in how I do business with Golem Technologies. In the months since I launched, I have enjoyed a spike in sales, a lot of wonderfully positive feedback from my customers, and modest growth in both sales and search traffic. You have told me you loved my scanner, raved about how simple and easy it was to use, told me you never expected such great customer service for the price, and told me stories about how the scanner helped stop hackers repeatedly defacing your sites by finding the root causes and helping you close them.

The past few months, this site has scanned a celebrity’s personal website, several banks, startups, businesses, IT departments, blogs, and hundreds of other sites.

Unfortunately, it wasn’t enough to really sustain the business in the long run, and growth has not been sustained.

Many of you have been in contact with me over the past few months about what you wanted me to offer. Namely, the ability to have more control over when and how you scan websites, the ability to become a security consultant using the Golem tool and offer white label reporting. I have listened to you and changed my entire product offering around these needs. I still offer the lowest price cloud scan anywhere. I still maintain the highest quality standards for scans among all security scanners available. I still have the easiest to use scanner on the market. Those things will never change.

What is changing is how you can use the scanner. Gone are the days where you had to decide what to scan right away, or the requirement that you could only scan a site once a week. Instead, I have added the following abilities to the site:

• Flexible, on demand scanning – scan whenever you want. You determine when and how often to scan. Scan once, or on a recurring basis.
• Configurable scanning - I added options for each scan based on your feedback. It is still possible to scan with just a URL, and the scanner will configure itself properly for your site. Now, you can also select a few options, like how much to crawl and how or if the scanner should login as a user.
• White label reporting – I have added options to generate white label reports. If you are a security professional, you can use Golem to scan, then generate a PDF report with your own logo and company name to deliver to your client. Use this as a means to drive further sales with clients around correcting any defects reported.
• Better reporting and information – A completely re-designed user dashboard to make sure you see important information quickly, and can view the status of scans instantly.
• Reseller program – I am considering a reseller program based on discussions with a couple of companies. I am thinking about a scan API which could be integrated with other sites. If you are interested in this and helping me design it, please contact me or fill out the reseller form.

Those of you who signed up for Golem Security Monitor in the past, I am no longer offering that product. Instead, I have upgraded you to Security Professional, which includes more options and products. The price you paid for Security Monitor will not increase for as long as you choose to stay my customer, though you are welcome to enjoy the full benefits of the new and improved plan, and let me know your feedback.

To all my customers who worked with me on these changes, I thank you. Please continue to send me your feedback so I can continue to improve my product to better serve you, your businesses, and your IT departments.

Looking forward to a new year together, with heightened security,

Charlie

I am happy to announce that I have fully implemented dynamic security seals. If you are running scans, you can let your customers know by including a security seal, which will dynamically announce the security of your site to visitors. This has been shown to increase conversions on e-commerce sites.

Take a look at a sample seal:

Unlike other seals on the market, this one is most definitely NOT BS (See the CBS news report on some competitor seals). I care about your customers as much as you do, so if your site looks like it may have an issue, the security seal won't return a verified secure message. It won't return a not secure message, but it will just display a generic seal, which the customer can click on to read more about what exactly it means. (this page). This way, your customers are protected, and you can increase conversions. Win-win right?

Existing customers can update their site with the following code to add a badge:

After much debate with myself, I have decided to stop allowing free scans from this site. This significantly changes how I originally envisioned the site working at the beginning, but overall I believe it to be a very positive change for my users and customers, and the security community in general. Here is why I made this decision.

1. Many users would come to the site, often repeatedly, and run free scans against sites they clearly did not own, such as ebay. Maybe they hoped to find vulnerabilities? Either way, I didn't like the behavior, even though there are open source scanners they could use just as well, and the free version didn't give enough details to do anything with. Each time I added some protections against this, but it was only a matter of time before the users found a way around my filtering, and I have always refused to setup technical barriers like a site ownership check.
2. On a single occasion, a user tried to use the free scan as a DOS attack against another site. Although it was prevented in this instance, I was not confident that, at some point, someone wouldn't figure out a way around the protections in the site to render damage.
3. Several users believed that, if a free scan returned only low risk items, there was no need for a paid scan. This led to a false sense of security. Since free scans only scanned 10% or less of a site, this was clearly not in their best interest.
4. My selfish reason: I had been running an A/B test for some time around offering free scans. By not offering free scans, conversion rates more than double. (conversion rate increased about 119%).
5. My scans are really, really, inexpensive and scan for a huge amount of bad stuff. Going from free to a small fee is not an obstacle for people serious about site security, but prevents casual users or malicious users from abusing the system.

I am pleased to announce a major upgrade has been completed to the security scanner today. Starting today, all scans will have the following enhancements;

• New security check for prefix alteration which can lead to a number of XSS exploits, including on some plugins such as flash.
• Significant enhancements to SQL Injection detetcion
• Major enhancements to Cross Site Scripting detection (beyond the new XSS check detailed above)
• Improvements to directory discovery and traversal attacks
• Improved brute force logic
• And several improvements to scan speed and various minor tweaks.

Enjoy!

This morning our main database server went down, and the Golem service was unavailable for several hours. For that, I apologize.

Several paid scans errored out as a result, which I am in the process of restarting. It looks like at least one purchase transaction did not complete successfully. I will be contacting the users affected personally to let them know exactly what happened and how I am working to fix it. For those of you who were affected without my knowledge, please give us another chance.

I am digging into the exact causes of the problem. It seems that an influx of users from hacker news gave me a nice traffic spike, but also a large number of free scan requests which caused my server to run out of memory. My hosting company took several hours to respond to my requests for a forceful server restart to correct this faster, so here is what I am doing to prevent this from happening again.

1. I will be reducing the free scan queue from 5 concurrent scans down to two. This allows for the paid scans to have priority and prevents too many free scans from eating up memory, as each scan uses a different amount of server memory.
2. I will be switching hosting providers in the near future. I am researching companies with better uptime and customer service. This is the second time I have had a major outage and had a slow response from my hosting company.

Thank you customers!

"Your service is crap. It says I have several ‘Major’ issues. That can’t be right. We’re a bank!” said John, the security officer of a local bank. He had called me to discuss his report findings after I had recommended he scan the bank site, just in case of course.

I told him I would certainly refund his money if it turned out to be true, but it deserved a closer look. I was away from my computer at the time so I couldn’t really check anything immediately. I only asked him if I had permission to dig deeper and if he would say so in writing. He did.

It turned out, the scanner was right: it did find a major security flaw on their site: a SQL Injection. It was on some calendar application they paid a developer in India to write for $9 bucks an hour. They put it in a separate database schema with a separate username and password, and called it secure, though it was using the same master database their website ran off of. The same server some of their user information and encryption keys were stored on. Small businesses have so many security holes most of them are like swiss cheese – they just don’t realize it. No one thinks they are a target until they are. And they make easy pickings for the smart criminals.

The database was an older version, unpatched, with a known vulnerability allowing SQL Injection to gain root on the server. I didn’t go that far – I just dumped out some admin tables and sent him an email letting him know that in a couple of hours, I could probably have access to his bank accounts and encryption keys.

I was interested by then, so I kept tabs on their site, but it didn’t get fixed. Not for 2 months. They decided by then to just remove the whole thing and be done with it – they didn’t have a development team and had trouble finding someone qualified to write secure code. They had to pull in and brief the CEO. This was a one hundred million in assets bank. One Hundred Million.

After the changes were done, John wanted another scan. I asked him, out of curiosity, how much would you have paid consultants for the same work? “Easily $10,000, maybe more.”

Back then I was charging forty bucks a scan, but I have since lowered my prices (I love my customers, and want them to be secure).

Today it would be $13.