Launch HN: Metlo (YC S21) – Open-source software for securing your APIs
<blockquote data-quote="Hacker News" data-source="post: 74239" data-attributes="member: 365">
<p>Shri and Akshay here - we are building Metlo (<a href="https://github.com/metlo-labs/metlo" target="_blank">https://github.com/metlo-labs/metlo</a>), an open-source API security tool. Metlo works by discovering all your API endpoints, running security tests, and detecting potential attacks. It runs before your APIs go into production, and also in real time, alerting your security team when anomalous usage patterns are detected. Metlo secures your APIs against the OWASP Top 10 (broken auth, injection, excessive data exposure etc.) and more.</p>
<p>Although APIs are one of the largest attack surfaces in companies today, there aren’t many good security tools to protect them. The few tools currently on the market are “enterprise” only; they require you to talk to a salesperson to use, or even see, the product.</p>
<p>We saw a need for an open-source solution that could be self-hosted and where you didn’t have to talk to a sales rep to see the product. So we started building an open-source API security tool with an MIT license that you can self-host, fork, and generally do whatever you want with. Since not everyone wants to self-host, we also built a hosted offering that you can get started with for free.</p>
<p>Our website is at <a href="https://metlo.com" target="_blank">https://metlo.com</a>, repo is at <a href="https://github.com/metlo-labs/metlo" target="_blank">https://github.com/metlo-labs/metlo</a>. There’s a demo video here: <a href="https://www.loom.com/share/2c38c731cf044288995e5ee2566528a7" target="_blank">https://www.loom.com/share/2c38c731cf044288995e5ee2566528a7</a>. Check out our sandbox at <a href="https://demo.metlo.com" target="_blank">https://demo.metlo.com</a> (no email required). You can get started with our hosted service (in Beta) for free at <a href="https://app.metlo.com/signup" target="_blank">https://app.metlo.com/signup</a> (there’s an always free tier, and paid tier is not enforced yet), or you can self-host by following the instructions at <a href="https://docs.metlo.com/docs/deploy-to-aws" target="_blank">https://docs.metlo.com/docs/deploy-to-aws</a>.</p>
<p>Our functionality can be divided into three areas – discovery (OSS), testing (OSS), and protection (closed source):</p>
<p>(1) Discovery: Metlo scans your API traffic and discovers all your public endpoints. This is especially useful for finding legacy, undocumented, and shadow endpoints your security team may not be aware of—a particularly nasty way to end up with vulnerabilities. We scan each endpoint for sensitive data (address, phone numbers, ssn, account info, etc) and assign it a risk score so you can instantly understand your highest-risk endpoints.</p>
<p>(2) Testing: Metlo runs a suite of automated tests against your API traffic and endpoints so you can find vulnerabilities before an attacker does. We find issues like unauthenticated endpoints returning sensitive data, no HSTS headers, PII in URL params, and many more. You can also write your own tests.</p>
<p>(3) Protection: Metlo analyzes ongoing traffic patterns and surfaces anomalous behavior so you can catch and shut down potential attacks in real-time. (This is not part of our open-source offering though.) Our ML Algorithms build a model for baseline API behavior and any deviation from this baseline is surfaced as soon as possible. Our UI gives you full context around any attack to help quickly fix the vulnerability.</p>
<p>We’ve tried to make it easy to set up and use Metlo (though deployment can still be easier and we’re working on making it so). You can self-host on AWS, GCP, etc. (should take <a href="https://app.metlo.com" target="_blank">https://app.metlo.com</a>.</p>
<p>We make money by charging for our hosted service, protection features, multiple users, SAML/SSO, RBAC, audit logs, and support. As for pricing, here we’re a bit embarrassed because so far we have the dreaded “contact us” for our enterprise plan with some early pricing for others. That’s bad because, as mentioned, our goal is that you should never have to talk to a sales rep. However, we should have a “compare plans and pricing” page figured out in the next few months.</p>
<p>We look forward to hearing your feedback and ideas, and your experiences with API security, and are happy to answer any questions!</p>
<hr />
<p>Comments URL: <a href="https://news.ycombinator.com/item?id=33534856" target="_blank">https://news.ycombinator.com/item?id=33534856</a></p>
<p>Points: 18</p>
<p># Comments: 0</p>
<p><a href="https://news.ycombinator.com/item?id=33534856" target="_blank">Continue reading...</a></p>
</blockquote>
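<p>The quoted post describes three of the checks its testing stage runs over captured API traffic: responses with no HSTS header, PII in URL parameters, and unauthenticated endpoints that return sensitive data, rolled up into a per-endpoint risk score. The script below is an added illustration of how such traffic-based checks can be written; it is not Metlo's code and does not use Metlo's APIs. It assumes a trace format (method, URL, request headers, response headers, response body) that is constructed here for the example, uses deliberately simple regular expressions for SSN, e-mail and phone patterns, and treats a request as authenticated only if it carries an <code>Authorization</code> or <code>Cookie</code> header; all of these are assumptions, not properties of the project.</p>

```python
"""Toy API-traffic scanner (added example, not Metlo's code).

Flags three finding types over captured request/response traces:
  * missing_hsts: an https response with no Strict-Transport-Security header
  * pii_in_url_param: a query-string value that looks like PII
  * unauthenticated_sensitive_response: PII in a response body when the
    request carried no credential
and sums weighted findings into a per-endpoint risk score.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Assumption: simple demo-grade patterns, not production classifiers.
PII_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
}

# Assumed weights: unauthenticated data exposure outranks a missing header.
WEIGHTS = {
    "missing_hsts": 1,
    "pii_in_url_param": 3,
    "unauthenticated_sensitive_response": 5,
}


def find_pii(text):
    """Return the set of PII classes whose pattern matches `text`."""
    return {name for name, rx in PII_PATTERNS.items() if rx.search(text)}


def is_authenticated(headers):
    """Assumed heuristic: a credential header or cookie means 'authenticated'."""
    lowered = {k.lower() for k in headers}
    return "authorization" in lowered or "cookie" in lowered


def endpoint_key(trace):
    """Group traces by method + path, collapsing numeric path segments to {id}."""
    path = urlsplit(trace["url"]).path
    template = re.sub(r"/\d+(?=/|$)", "/{id}", path)
    return f'{trace["method"]} {template}'


def scan_trace(trace):
    """Return a list of (finding_type, detail) tuples for one trace."""
    findings = []
    parts = urlsplit(trace["url"])
    if parts.scheme == "https":
        resp_headers = {k.lower() for k in trace["response_headers"]}
        if "strict-transport-security" not in resp_headers:
            findings.append(("missing_hsts", None))
    for name, value in parse_qsl(parts.query):
        classes = find_pii(value)
        if classes:
            findings.append(("pii_in_url_param", f"{name}:{','.join(sorted(classes))}"))
    body_pii = find_pii(trace["response_body"])
    if body_pii and not is_authenticated(trace["request_headers"]):
        findings.append(("unauthenticated_sensitive_response", ",".join(sorted(body_pii))))
    return findings


def scan(traces):
    """Aggregate distinct findings and a risk score per endpoint template."""
    report = defaultdict(lambda: {"findings": set(), "risk": 0})
    for trace in traces:
        key = endpoint_key(trace)
        for kind, detail in scan_trace(trace):
            entry = report[key]
            if (kind, detail) not in entry["findings"]:
                entry["findings"].add((kind, detail))
                entry["risk"] += WEIGHTS[kind]
    return dict(report)


# Constructed sample traffic; hostnames and values are made up for the demo.
SAMPLE_TRACES = [
    {"method": "GET", "url": "https://api.example.test/users/42",
     "request_headers": {"Authorization": "Bearer <redacted>"},
     "response_headers": {"Strict-Transport-Security": "max-age=63072000",
                          "Content-Type": "application/json"},
     "response_body": '{"id": 42, "email": "alice@example.test"}'},
    {"method": "GET", "url": "https://api.example.test/users/43",
     "request_headers": {},
     "response_headers": {"Content-Type": "application/json"},
     "response_body": '{"id": 43, "ssn": "123-45-6789"}'},
    {"method": "GET", "url": "https://api.example.test/search?q=widgets&ssn=987-65-4321",
     "request_headers": {"Cookie": "session=<redacted>"},
     "response_headers": {"Strict-Transport-Security": "max-age=63072000"},
     "response_body": '{"results": []}'},
]

if __name__ == "__main__":
    for key, entry in sorted(scan(SAMPLE_TRACES).items(), key=lambda kv: -kv[1]["risk"]):
        print(f"{entry['risk']:>3}  {key}")
        for kind, detail in sorted(entry["findings"], key=str):
            print(f"      - {kind}" + (f" ({detail})" if detail else ""))
```

<p>On the constructed sample, the second trace is the interesting one: the same <code>GET /users/{id}</code> template that looked fine in the first (authenticated) call is served with no HSTS header and hands an SSN to a request with no credential, which is exactly the kind of finding that only shows up when checks run over real traffic rather than a spec. Grouping by path template rather than raw URL is what keeps <code>/users/42</code> and <code>/users/43</code> in the same bucket.</p>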