Related
I am currently looking for a proprietary Breach and Attack Simulation (BAS) solutions or open-source threat simulators to automatically test a wide range of attacks and malicious activities, perform security audits and find security gaps in a company to strengthen its defense.
I planned to make a market research about the existing attack and breach simulation solutions by comparing their features to know which one will best fit the requirements of the company.
I managed to make a comparison of open source threat simulators because there are scientific articles (such as Zilberman P., Puzis R., Bruskin S., Shwarz S. and Elovici Y., SoK: A Survey of Open-Source Threat Emulators, Polina Zilberman, 3 March 2020). The articles make useful comparison between the open-source threat simulators and explain the procedure and steps to make the right choice among the existing open-source threat simulator according to the company's environment, objectives, operations, etc.
However, when it comes to proprietary BAS solutions, it is more difficult to make a meaningful comparison as they are highly expensive, close source and do not provide detailed documentation. I have found a few websites that rank the best BAS platforms such as the following sites:
https://roi4cio.com/catalog/en/products?categories=895
https://www.comparitech.com/net-admin/best-bas-tools/
https://www.esecurityplanet.com/products/breach-and-attack-simulation-bas-vendors/
https://www.peerspot.com/categories/breach-and-attack-simulation-bas
https://sourceforge.net/software/breach-and-attack-simulation-bas/
Based on these sites, I chose the following BAS vendors: SafeBreach, Picus Security, Cymulate, XM Cyber, AttackIQ, CyCognito. For each of them, a demo has been requested by putting in the user information like email address. Normally, I will get the demos for the next few days. Based on the demos, I hope it will be possible to compare the features of the different proprietary BAS products.
Does anyone know of any useful papers, articles, websites, posts or books that provide a detailed comparison or explanation of existing proprietary BAS solutions? Can anyone help me or advise me on how to obtain and search information about existing proprietary BAS solutions? In this way, it will be possible to choose the BAS solution that best suits the needs of the company.
Thank you very much,
Nicolas Gennart.
You can check the SANS whitepaper in the link. Advantages of Going Purple
Below is a link to an article from SafeBreach that may help. We have a wealth of resources on our website and I am more than glad to have a discussion with you about BAS solutions. Also, Gartner has invaluable resources that I can offer you. My email is ann.chesbrough#safebreach.com.Four Pillars of BAS
I'm curious to know some more details about the various SQL standard's, i.e. SQL-92, SQL:99, SQL:2003, SQL:2008 etc. There is a short and useful overview on Wikipedia, with links to very expensive documents. Why are those documents not open to public? Can I find some open and free information?
Please, don't post links you found from Google. I'm interested in somewhat authoritative documentation only.
Quoting from one of my web sites:
We all love open source software. Wouldn’t it be great if
international standard documents such as the SQL standard would be
open too?
As a matter of fact: they are!
However, they are not free—just public. Very much like open source
software is not necessarily free. Too often, we neglect these
differences. Just because we have to pay for the standard doesn't mean
it is secret.
A download of the most relevant part of the SQL standard—part 2—is
available for USD 60 at ANSI. A CD with all parts on it can be bought
from ISO for CHF 352. Not free, but affordable.
You mentioned in some comments that you are mostly interested in part 2, so spending USD 60 might be your best option.
If you just need to know about the syntax up to 2003, there are two great free resources:
BNF grammar of SQL-92, SQL:1999 and SQL:2003: http://www.savage.net.au/SQL/
Online validator for SQL:1999: https://developer.mimer.com/services/sql-validator-99/
Finally, the complete text of “SQL-99 Complete, Really” is available at the MariaDB knowledge base. However, this book was written in 1999 when no database actually supported the described features. Keep that in mind when using this resource.
Other answers also mentioned "free" copies of the standards available on the web. Yes there are—those are mostly draft versions. I can't tell which of them are legal, so I rather not link them.
Finally a little self ad: I've just launched http://modern-sql.com/ to explain the standard in an easily accessible way to developers. Note that the actual standards text is written like laws are written :) Depending on your background, that might anyway not what you want.
The Postgresql Developer FAQ maintains links to each of them:
http://wiki.postgresql.org/wiki/Developer_FAQ#Where_can_I_get_a_copy_of_the_SQL_standards.3F
There are some hyperlinked versions of 92, 99 and 2003 here
However, I've never been able to use them effectively (read: I gave up).
This 92 text is useful (and is quoted here on SO several times)
ISO/IEC 9075-1:2011 -- google that.
Actually, digging around I found
http://www.incits.org/standards-information/
and it has freely availble section that clicks to something that redirects to here:
http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html
And finally the standards.
You have to accept a license agreement to download a pdf.
However, from what I have read in my pursuit - the RDMS well the 'RD' part is going the way of the dinosaur.. If you are building something new (therefore want the new standards) you may want to reconsider all options.
You don't have to pay for all of the standards. SQL-92 is freely available, for instance.
I'm looking for a free or commercial issue tracker. I've looked at a dozen of them, but I can't find what I need.
These are my requirements:
Not only for software. I need a more general tracker in which "complaints" about products other than software can also be recorded.
Very easy to use, for non-technical users
(optional) rich text editing, possibility to add images between the lines, etc.
I've looked at Bugzilla, SupportSuite, Mantis, but these are to much software oriented for my case.
Strange, no-one mentioned Trello [ www.trello.com ]
Its :
General purpose
Software related tracking can also be done
Collaboration on anything with multiple people
Free to use [ Even for multiple users ]
Aimed at a non-technical user
Perfect for your use-case.
Or take a loot at Gemini -- we have IT hardware, Help Desk and all our software dev projects in one place. Gemini does allow for different "meta data" per project type so this works for us. Look at their "white paper" - may be of help to you in terms of set up.
Usually the commercial ones are more polished than the open-source ones, here are some options:
Atlassian JIRA - an industry veteran, very complete solution. If you have a small team (up to 5 people), they also used to have a very low-cost version.
JetBrains YouTrack - relative newcomer, an probably a bit too "keyboard-centric" for your needs.
See also comparison of issue-tracking systems.
Maybe you're looking for a service like http://getsatisfaction.com/ or http://uservoice.com/. They are very customer-centric, and I've seen them used both for software products and for feedback on other things entirely.
Also, I've made Mantis receive email directly both to new and existing issues - f.ex. if subject contains an issue number like [1234] the email becomes a note to the issue 1234.
This way the customer doesn't know about Mantis, you can bcc Mantis with issue numbers, and it's possible to customize workflow in Mantis very much to suit your process needs.
In addition, you can have separate projects in Mantis which can receive from different email addresses, like one for bugs and one for support issues.
Try out Assembla, am not sure whether it is free or what.
Or you may try with googling JIRA
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about programming within the scope defined in the help center.
Closed 8 years ago.
Improve this question
I have begun work on a personal project that may end up having some real-world applicability. I am beginning to entertain the idea of selling licenses. I am sure some others here have done this before, and I was wondering what successfully processes you've used to do so.
There are many questions on SO regarding licensing, legal implications, etc. However, I have looked around and could not find a duplicate question for this one. To be clear, I am not looking for information on what licensing strategy to use, how to advertise your software, and so forth, but rather, for a checklist of things that should be done to increase the probability of success, and any possible gotchas I have not thought of. If anyone has any personal success stories, they would be very welcome.
For a little background, I am set on the idea of licensing a closed-source, compiled .NET DLL.
A few things off the top of my head:
Strong documentation, because formal technical support is unlikely
Specifying licensing terms and formalizing them with an attorney
Code obfuscation
Exploring license enforcement (either using a commercial package or custom code)
Building a website around the product, including real-world code examples since this is a library
Possibly offering some type of beta period, for feedback and getting the name out a bit
Offering instant/automated purchases
Marketing (oh boy)
Is it necessary (or wise) to start a one-man company to do this?
I will keep this list updated as answers come in. Thanks all!
Some tips:
Obfuscation: Be wary of obfuscating everything. An alternative is to obfuscate just the critical bits (licensing, premium features). The problem with obfuscating everything is that stack traces from error reports are ineffective. When an unexpected exception is caught, you'll want to give the user the option of automatically reporting its details - this really helps with QC.
License enforcement: If it's a utility that can be easily pirated, people WILL pirate it. An activations-based licensing system is ideal - and if it's not too draconian people will be less motivated to circumvent it. For instance, allow at least 3 activations per user (home computer, work computer, laptop). If it's a control library, then an activation-based may not be required - baking the serial number into the library may be enough because customers are unlikely to build their own product on a stolen assembly.
Instant/automated purchases: writing a custom licensing server and web page for this is fairly easy - you need only about 3 tables. LINQ to SQL is ideal for this sort of thing. For the payment gateway, I use PayPal - it's very easy to set up, has the features you need for selling activation codes, and allows multiple currencies. If you use PayPal, enable both PDT and IPN so you can give customers their activation codes both on the screen and via e-mail.
Marketing: try LOTS of things simultaneously - because it's hard to predict the success of any campaign. Especially without experience! Making yourself known amongst the influential people in the field into which you're selling can work very well.
Advertising: advertise on StackOverflow - that's what I'm doing! Google ad words is also worth trying because it's so cheap to set up - you'll know after spending $10 whether it will be effective for you or not.
And good luck with it!
You have most of the practical things listed out, in terms of actually getting a product from you to the customer -
However, there are a couple of things I'd also recommend.
Figure out how you want to handle all of your accounting/purchasing/billing/etc.
Rethink formal technical support (for money), but not at the exclusion of documentation
Talk to a lawyer regarding all of your licensing decisions, agreements, etc., as well as company structure
Talk to your accountant (and/or find one who is good at working with small tech companies)
Some of this will cost some money up front, but save headaches later.
The last two bullets are crutial - there are MANY options for how to setup yourself from a tax perspective, each of which has potential advantages and disadvantages depending on your specific situation.
For example, if you're in the US, there are many advantages to incorporation prior to doing anything on your checklist. If you decide to incorporate, you may want to do it in your state, but there are also advantages to incorporating in Nevada or New Jersey (very pro-corporate states legally). If you're successful, doing this early can save a huge amount of work over time and have significant benefits.
Also, if you incorportate, you might want to consider S vs C corps (S Corps are great if you're a one or two man operation). If you don't incorporate, you can run as a sole proprietorship or an LLC, both of which have advnatages and disadvantages. A lot of this depends on your product (what it does), your expected returns, etc. - having a good lawyer and a good accountant is a huge blessing.
If you're aiming at software development teams as customers then the sort of thing they are likely to expect to see (in addition to the ones you listed) are:
A download service for any additional items and/or patches that the user might need.
Tight version control/configuration management processes so that it's easy to find out what version of the product they have, what they need and what the differences are between versions.
Email/online bug reporting.
A demo/trial version of the product.
A good set of tutorials.
Community support e.g. developer forums. This is a good 'value added' service that can also help with the fact that you have concerns (as a one man company) over being able to provide 'formal technical support'. Hand out a few badges and reputation scores and get a free technical support team ;) ... but if sales take off, seriously consider providing 'formal technical support', it can make a huge difference to the perception of the product.
... and make sure that the website, download service, license server, forums etc are all properly secured and done to a professional standard. If any of the peripheral services are less than 100% then it all reflects badly on the product, especially when yours is a technical one.
You might not want to provide formal technical support, but you could look for creative alternatives like some sort of moderated forum for issue resolution. Also, provide at least an email address for someone to contact you.
Another thing is to hire some sort of designer to make your product, documentation, website, etc look good. It is generally easy to tell programmers who attempt design.
It seems to me that if you are writing in an interpreted language that it must be difficult to sell software, because anyone who buys it can edit it/change it/resell it without much difficulty.
How do you get around this? I have a couple of PHP apps that I'm reluctant to sell to people as it seems that it's too simple for them to change/read/edit/sell what I've produced.
Hardly anyone sells code. We sell the ability to create, edit, support and understand the code.
As a potential buyer of your application, I might find these features attractive:
The ability to change the code to suit my needs
The ability to read the code to better understand what it's doing
... and yes ...
The ability to sell my modifications
All three of those are features.
The third one might be a feature you can't afford to give me. Fix that through legal measures, not technical measures. That's what licensing is for. You could also sell more expensive licenses which do allow resale.
There are things you could do to remove the first two features, but bear in mind that in doing so you are reducing the overall value of your product to some people, and therefore its sale price.
For many people the primary reason for using Open Source software is not that it costs nothing -- it's that you get the source code.
People sell the service of creating web sites all the time. Also, even a compiled language can be altered, it`s just more difficult.
Most of the time the user base does not understand how to make the changes or what to do with the scripts so you are really selling your knowledge of how to install and change the scripts.
Don't sell the software, sell "licences".
I'll try to explain better, build the web app but provide hosting for it. this way your client will never get to "hold" the source code.
If you really must deliver the source code, Obfuscating is the way to go ;)
Possible routes to go:
Translate to a bytecode, binary or an obfuscated format
For instance, Splunk is written mostly in Python, and distribute bytecode. The EVE online client uses Stackless Python to compile to an executable binary.
Host the solution yourself
Put up a website, charge for use.
License the software
They get the source, but cannot legally modify or redistribute the source.
Open source the solution
Anyone can change the code, but you are the de-facto authority on it, and you can earn money by selling support, consultancy and customization services.
You could also consider a combination of approaches. E.g., partition your solution into several stand alone packages, and then open source some of them, and sell bytecode versions of other parts. What you then sell is the complete solution, as well as other services, and some people may benefit and enhance other parts of the solution.
Plenty of companies make money off of applications in interpreted languages and happily distribute the source code with them. Don't take this personally, but your program probably isn't going to be popular enough to have a large following of pirates. And anybody who would pirate your software probably isn't going to buy it in the first place. If they can't pirate it, they'll pirate somebody elses.
Whatever you do, please don't obfuscate your code. It's not an effective means of preventing infringement and it won't do anything other than make life miserable for you and your customers.
Protecting your secret bits is getting more and more difficult.
IMHO, your solution really depends on your target market. If you are targeting business, just give them the code with a good license, and possibly some type of defect so you can determine who gave your code away if that ever happens. Businesses will mostly pay for your app just to stay compliant; it's not worth the legal hassles. And if an individual gets your app for free, that's probably a good thing, since they will try to convince their current and future employers to buy it.
If you are targeting individuals, and can do it as a web app (which you obviously are with PHP), do it as a hosted service, and either sell a monthly subscription or allow free access and find another way to monetize it.
If you definitely need to or want to distribute it to individuals for whatever reason, you can give it away for free, and try to monetize customizations, add-ins, & other support features.
This is a problem that's been discussed a lot, and a few hours’ worth of really focused googling should reveal all the current philosophies on this.
I hope this helps.
Obfuscation may be a good way to go
With PHP you have the option of using the Zend Guard for PHP. I believe it compiles the source code in a way similar to what the php interpreter does,
so it should also increase performance. Of course the price of $ 600 may be too much for your liking ;-)
Anyway, I see no reason why you shouldn't distribute your code with an open source license (see the Open Source Initiative for a list of licenses available). You can find one that prohibits your customer from redistributing your app.
EDIT:
As Novelocrat points out in his comment, a license that prohibits distribution is per definitionem not an Open Source license, the term Open Source refers to a lot more than just the availability of the source code. (See also the answers to this related question for further discussion).