We have struggled for a long time with the decision of making eramba hosted in some way. Although we have used automation for many years for development, testing, demo, etc., we are now thinking of hosting eramba for our customers.
We are completing the architecture and main components in the coming weeks and will be offering free trials to our customers and their friends. If you have interest in participating in this trial, please write your interest here along with any questions.
We have drafted this document that explains how the infrastructure works:
This looks exciting - I remember a year or three back there was a hosting option that was advertised on the website but that seems to be gone now - I presume this is a resurrection of this?
The other food for thought here is that depending on the audience you’re selling to (the larger the company, the more likely), they will want some form of verification that you’re actually following your Security and Privacy Standards - specifically, I would expect large prospects to ask for and/or require you to go through a SOC 2 audit (or ISO 27001) in order to do business with them for cloud hosting.
Well, it's still in a "Frankenstein" state right now, but we are getting close; we use better technology than that older setup to scale this automatically without human intervention.
This is very true and we have this type of issue (they send us extensive questionnaires, etc.). We do plan to hit a SOC 2 or ISO 27001 certification this year for eramba as a whole; I think I know a guy that can do those SOC 2 reports.
We are getting closer here. Does anyone have a license for unlimited pentest scans that can be triggered against a host? A commercial product; we are not so much interested in the application testing, the point here is more towards the infrastructure (the Linux running below the SaaS).
We use Acunetix for the application alone and our license is pretty limited, and we now found out we cannot point our scans to a different host than the one we purchased the license for.
If anyone here is OK to help, we would greatly appreciate it.
I might be able to help. If you need a vuln scan, I have access to Rapid7 Nexpose, which I use to scan some of our external vendors (with their approval, of course), from a basic scan to a full scan with credentials. If that is what you need, I'll check for the forms. Depending on where the system is hosted, they might have some authorisation forms to complete as well.
This solution will definitely be interesting for my organization. As of now we will put eramba in a container in GCP. Please consider integration with major IDaaS such as Okta. Whoever uses SaaS, IaaS and such typically uses IDaaS.
Community users will be the first to test the service (for free) for two months, from August until October. If during that timeline nothing tragic happens, we will roll out the service publicly. From that point in time the service must be paid for (in the range of EUR 100 / month) to be used (T&C will be available later on).
Since during these two months anything could happen (downtime, data loss, etc.) we cannot guarantee anything (the good and the ugly). We basically take no liability. We will take no more than 10 users for trial in each region (Europe and USA), so 20 maximum.
Enterprise users will be able to use the SaaS service from December, at least that is my guess right now. If community goes well, there is no reason why Enterprise wouldn't. There won't be a trial version in this case.
All this is a plan, and as we know and Tyson has taught us: everyone has a plan until they get punched in the face.
Great news! We are definitely interested in this one. Hopefully you will have a migration process if we want to go from on-prem enterprise to SaaS enterprise? What is the pipeline for the third-party report (SOC 2)?
Despite having built the technology and actually confirming through multiple beta-testers (thank you!) that it works, we have decided to put a stop to this program, reasons being:
We are not comfortable hosting your data, in particular because we are mostly developers working 8-5pm. If something happens I would feel terrible, and of course we could get the project into a heap of trouble.
We don't work for revenue, so we don't really need to sell more things. So why do something we don't need and that could get us in trouble?
Building community and enterprise software is not easy; diverting from that when we operate for no profit is just making us lose focus a little bit.
The focus for SaaS was to help users install eramba. We have seen in our metrics that installs have grown almost 80% since release 2.x; this means people can install eramba for themselves a lot better than in the past. So if they can do this by themselves, our help is therefore not so relevant.
It's a shame; I had some fun coding 5k lines of code using the Amazon AWS SDK to automate provisioning, deprovisioning, backups, upgrades, etc.
We might offer this business to some partner at some point, where it's going to be their responsibility to do this well, not ours.
So after a lot of reconsideration (many people really want this SaaS thing) we have resuscitated this project. We will make it available to community and enterprise users once we complete the Cake migration and release the community 2020 edition.