Wow, what a blog title that is! I can't begin to explain how insanely awesome it is to be telling everyone that Report URI was crowned the 'Best Emerging Technology' at the SC Awards Europe 2018.


Report URI

Regular readers will know all about Report URI, the real-time security reporting platform I setup just over 3 years ago. In the very first blog post announcing it, CSP and HPKP violation reporting with report-uri.io, I had absolutely no idea where the road would take me, and what a journey it's been. At the time I'd started to look into CSP and the world of browser security headers and I was really interested in the idea of CSP reporting. There were plenty of security monitoring solutions out there, and all of them were expensive, but none of them could offer the information that CSP could. This was a new security feature that offered insight you couldn't get anywhere else. I built most of Report URI for me, because I wanted to have CSP reporting and couldn't find any services providing it, but if you're going to go to all the effort of building a tool like that, the sensible thing is to make it available for everyone, so I did. Report URI was a free service and anyone could sign up to use it for their site. With my expectations being that a few friends and Twitter followers might use it, I was taken by surprise when it started seeing significant growth.


logo


Just over 2 years after starting the service the financial burden was growing to the point where I had to do something about it. I'm giving a talk next week in Norway at NDC Oslo where I'm going to explain the various technical iterations our infrastructure has gone through to take us from 10,000 reports per month to our current situation of almost 10,000 per second. That's insane growth and despite all the optimisations we've done along the way, it ultimately arrived at the point where the service had to be commercialised and support itself, or I had to close it because I couldn't afford the bills. That really left me with only one choice and it was to ensure the future of Report URI, we were going to become a paid service but retain a free tier.

Once you become a paid service the expectations of your users shifts and it now needed a lot more focus, this was no longer a side project. Troy Hunt joined us as an investor and partner to provide the funding we needed to take the next step and announced details on his blog. We had everything we needed, we got to work and we launched the first commercial version of Report URI on Nov 1st 2017 as well as announcing our first team member, Michal Špaček. This was it!


Our first award

Never did I expect to be sat here writing this within 7 months of our launch. I got notification that Report URI had been shortlisted for Best Emerging Technology at the SC Awards Europe 2018! Wow, 'that's amazing, but we've got no chance of winning' I thought to myself. We were up against some pretty serious competition and a couple of big hitters too, including Avecto that I used to work for. Still though, just being shortlisted was a massive victory for us and I was so happy with that. As I was already in London this week for 2 deliveries of my TLS training and InfoSec EU it was easy for us to attend the awards. There was Troy and I who you're probably familiar with and my wife joined us too. She wasn't there for support though, my wife plays just as big a role in Report URI as I do, she just isn't public facing like I am. All of our finances, expenses and invoicing along with legal requirements like pensions here in the UK, VAT MOSS and HR on top of countless other things are all happening because of her.



It was a great night with some good networking, food and drink which was all I was expecting to walk away with, until something happened...





Honestly we were sat there talking away as the awards were announced and they said our name, it was awesome! I got to go up on stage, have my photo taken and collect our award.


4_5b17e7f70166b_1528293367_2


Alongside the social activity on the night and the official photo, there's also a statement from the SC Awards on their website to announce us as the winner. It's really great to see that they've truly understood us and our product, it's not just some canned marketing blurb.

Modern web browsers can now send reports when they observe events that may impact security. The company’s service, Report URI, allows websites to quickly and easily setup reporting by sending their reports to URI for processing instead of having to build their own infrastructure to handle and process the reports themselves. Any individual or company with a website can benefit from the insight that these reports can provide into real-time threats on their site. Report URI caters for a variety of different security reports that browsers are capable of sending but the most soughtafter reports are those about XSS (Cross-Site Scripting) attacks. Using a Content Security Policy, a website can both defend against these attacks and have the browser report back when it finds evidence that an attack has been attempted or has taken place. This allows a website operator to gain insight into threats their visitors are facing in real-time and take immediate action to respond and resolve the problem. The ability for browsers to send these reports is relatively new and whilst some sites have experimented with reporting it’s only a tiny handful on the largest sites on the web that deploy this capability today because of how difficult it can be to do right. Its service allows any site operator, no matter how big or small, to deploy and enable reporting in a matter of minutes and start gaining immediate insight into threats that their visitors may be facing. This is a completely new source of information that sites can use to better protect themselves and their visitors. According to judges, the product really fills an important niche in web security by enabling web server operators to make use of (the usually ignored) CSP reports. “While it is a very specialised solution and one can argue that the overall market capitalisation might be rather small, it is an important step in opening up a new type of intelligence products.”


Next steps

This has been a great motivation for us to work even harder and both the short term and long term goals will see us releasing new features and improving the service even further. To have our work recognised like this is so great and for me personally, to see the project I started 3 years ago go from an empty screen to an award winning company is mind blowing. I'm so proud of what we've achieved and I couldn't have done it without the support of those around me. Thanks to my wife Nic, Troy and Kylie, Michal, our customers and all of my friends in the wider community who provided support, input and guidance. We're going to keep working hard and continue to help everyone deploy better security. I have a feeling this is the beginning of something big. 🥂