The tool is designed to make it easier for ethical hackers to share their latest vulnerability findings and have them integrated into automated security tests on Detectify's platform. It provides the tooling needed to create more test modules independently.
When ethical hackers find a vulnerability, they can write a module as a JSON file and test it in Ugly Duckling to validate that it works. Detectify can then deploy the JSON file on its platform and scale the finding out to thousands of application owners and teams within five to ten minutes of the issue being submitted.
“It’s a win-win: security and engineering teams can stay up to speed with the latest exploitable vulnerabilities found in the wild, while the ethical hackers can get paid faster,” Detectify wrote in an announcement.
Ugly Duckling uses a custom JSON-based template format to describe vulnerabilities. It can detect stateless vulnerabilities: those that can be identified with a single HTTP request, with no login or multi-step session state required.
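To make the "stateless, single-request" idea concrete, here is an added illustration (not Ugly Duckling's code, and not its real template schema) of how a JSON template can describe one HTTP request and the conditions under which its response counts as a finding. The field names (`id`, `request`, `matchers`, `body_regex`) and the sample template and responses are constructed assumptions for this example only; the `fetch` callable is a placeholder for whatever HTTP client a scanner would use.

```python
import json
import re

# Constructed example template. The field names (id, request, matchers) are an
# assumption made for this illustration and are NOT Ugly Duckling's real schema.
TEMPLATE_JSON = r"""
{
  "id": "example-exposed-debug-console",
  "severity": "high",
  "request": {"method": "GET", "path": "/debug"},
  "matchers": {
    "status": 200,
    "body_regex": "Debug\\s+console\\s+enabled",
    "headers": {"content-type": "text/html"}
  }
}
"""

# Constructed sample responses standing in for what one HTTP request would return.
VULNERABLE_RESPONSE = {
    "status": 200,
    "headers": {"Content-Type": "text/html; charset=utf-8"},
    "body": "<h1>Debug console enabled</h1>",
}
SAFE_RESPONSE = {
    "status": 404,
    "headers": {"Content-Type": "text/html"},
    "body": "Not found",
}


def load_template(text):
    """Parse a JSON template and reject ones missing the required keys."""
    template = json.loads(text)
    for key in ("id", "request", "matchers"):
        if key not in template:
            raise ValueError(f"template {template.get('id', '?')} lacks '{key}'")
    if template["request"]["method"].upper() not in ("GET", "HEAD", "POST"):
        raise ValueError("unsupported method")
    return template


def build_request(template, base_url):
    """The single request a stateless template issues: method plus full URL."""
    req = template["request"]
    return req["method"].upper(), base_url.rstrip("/") + req["path"]


def evaluate(template, response):
    """Return True only if the one response satisfies every matcher."""
    m = template["matchers"]
    if "status" in m and response["status"] != m["status"]:
        return False
    if "body_regex" in m and not re.search(m["body_regex"], response["body"]):
        return False
    # Header names are case-insensitive; compare on a lower-cased copy and
    # accept a prefix match so "text/html; charset=utf-8" still matches.
    if "headers" in m:
        have = {k.lower(): v for k, v in response["headers"].items()}
        for name, expected in m["headers"].items():
            if not have.get(name.lower(), "").startswith(expected):
                return False
    return True


def run_template(template_text, base_url, fetch):
    """Load, issue the single request via `fetch`, and report a finding dict."""
    template = load_template(template_text)
    method, url = build_request(template, base_url)
    response = fetch(method, url)
    return {"id": template["id"], "url": url, "matched": evaluate(template, response)}


if __name__ == "__main__":
    # Offline demo: a fake fetcher that returns the constructed vulnerable response.
    finding = run_template(TEMPLATE_JSON, "https://app.example",
                           lambda method, url: VULNERABLE_RESPONSE)
    print(json.dumps(finding, indent=2))
```

Because every matcher is evaluated against one response, the template needs no session handling, which is what makes this class of check easy to validate locally and then run at scale. Requiring all matchers to pass (status, body and header together) rather than any one of them is the main lever against false positives in a format like this.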
“Vulnerability research is often a time game. With Ugly Duckling, we can get quality-checked research from our hackers sooner, allowing for more vulnerabilities to be released as tests before the vendor has patched them. This means better protection for customers and higher payments for the hackers,” said Tom Hudson, the security research tech lead at Detectify.
“To build safer web apps, security needs to be a collaborative effort, and knowledge about it needs to be accessible. The stand-out feature with Ugly Duckling is that the code is simple and MIT licensed, so you can use it as a jumping-off point to build your own custom scanner,” he added.