- Over the past year, I built 6 small, security-related web applications (so far 😀). Many of them were built just in the past month or two. These apps are focused on security because I feel familiar with the problem space.
- For context, I’ve been using Python on and off since 2019, but only started getting seriously interested in/entertained by building web apps since mid-2022.
- Here is what I learned from creating each one (and then a summary at the end):
Stack
- FastAPI
- Docker
- SQLite3 + LiteFS (previously using Litestream)
- Python
Description
- Cyberfeed is a cybersecurity news aggregation site. It pulls news articles from well-known cybersecurity RSS feeds. The news article descriptions are summarized and rephrased by ChatGPT and posted to Twitter and Mastodon.
What I learned
- At the time, I was reading a lot on HackerNews (HN) about how great SQLite is in its simplicity and viability in production apps. Using SQLite was an easy choice as I had already used it in some Python tutorials. I also heard a lot of great things about Fly.io through HN, so I ended up learning how to build my apps in Docker and deploy them on Fly.io. I originally used Litestream with Amazon S3 for a while, but one day I found all of my database backups on S3 inexplicably wiped. Due to this, I stopped maintaining the site for several months in mid-2023, but just started it back up again using LiteFS, which has been fantastic – we’ll see how it goes.
- People love reading cybersecurity news, so it’s not surprising that this site gets the most traffic out of all of them. It has also been around the longest, so that may have a little bit to do with it. I realized that, if you have your own news site, you can run your own ads on the page to get free advertising for your other apps, which is useful as well. It’s still running and is doing okay by my standards.
Description
- ipinfo was a quick, self-IP lookup tool that could be `curl`’ed from the console. It was inspired by well-known sites such as ipchicken and icanhazip. I also returned some geolocation information using the MaxMind IP geolocation database. This site is no longer hosted and just has a GitHub repo available.
- Example response:

```json
{"client":{"ip":"1.2.3.4","port":48212,"location":{"country":"United States","city":"Los Angeles","latitude":69.6907,"longitude":-420.8173}}}
```
What I learned
- I learned a few tricks like setting up a web app so that you can just `curl` it from your terminal, and learned more about working with request headers.
- There is not much else to say about this one – it was a small project and barely got any traffic.
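The two header-handling problems a curl-able IP lookup runs into are content negotiation (JSON for `curl`, HTML for a browser) and finding the real client address when the app sits behind a reverse proxy that sets `X-Forwarded-For`, a header the client can also send itself. The block below is an added example, not ipinfo’s own code: it uses only the standard library, the trusted proxy ranges and the geolocation table are constructed stand-ins (the real tool queried MaxMind), and it assumes every request arrives through one of those proxies.

```python
"""Content negotiation and client-IP discovery for a curl-able IP lookup.

Added example, standard library only. Two things the endpoint must get right:
answer JSON to curl and HTML to a browser, and recover the real client address
behind a reverse proxy without trusting X-Forwarded-For entries the client wrote.
"""
import ipaddress
import json
from html import escape

# Assumed deployment: every request arrives through a proxy in one of these
# ranges. Only X-Forwarded-For entries appended by those proxies are trusted.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8"),
                   ipaddress.ip_network("172.16.0.0/12")]

# Constructed stand-in for a MaxMind lookup.
GEO_TABLE = {
    "203.0.113.5": {"country": "United States", "city": "Los Angeles",
                    "latitude": 34.05, "longitude": -118.24},
}


def _is_trusted_proxy(addr: str) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer_ip: str, headers: dict) -> str:
    """Return the first untrusted address, walking X-Forwarded-For from the right.

    Each proxy appends the address it accepted the connection from, so the
    rightmost entries were written by our own proxies and the first non-proxy
    address from the right is the real client. Everything left of it was sent
    by the client itself and is ignored, which defeats a spoofed header.
    """
    forwarded = headers.get("x-forwarded-for", "")
    hops = [h.strip() for h in forwarded.split(",") if h.strip()]
    for addr in reversed(hops + [peer_ip]):
        if _is_trusted_proxy(addr):
            continue
        try:
            return str(ipaddress.ip_address(addr))
        except ValueError:
            break  # a trusted hop wrote garbage; stop rather than read further left
    return peer_ip


def wants_json(headers: dict) -> bool:
    """curl sends 'Accept: */*' (no preference); browsers ask for text/html."""
    accept = headers.get("accept", "*/*").lower()
    if "application/json" in accept:
        return True
    if "text/html" in accept:
        return False
    ua = headers.get("user-agent", "").lower()
    return ua.startswith(("curl/", "wget/", "httpie/", "python-requests/"))


def lookup(peer_ip: str, peer_port: int, headers: dict) -> dict:
    headers = {k.lower(): v for k, v in headers.items()}
    ip = client_ip(peer_ip, headers)
    return {"client": {"ip": ip, "port": peer_port, "location": GEO_TABLE.get(ip)}}


def render(peer_ip: str, peer_port: int, headers: dict) -> tuple:
    """Return (content_type, body) as curl or a browser would receive it."""
    headers = {k.lower(): v for k, v in headers.items()}
    data = lookup(peer_ip, peer_port, headers)
    if wants_json(headers):
        return "application/json", json.dumps(data)
    client = data["client"]
    loc = client["location"] or {}
    # Request headers are attacker-controlled: escape before echoing them into HTML.
    ua = escape(headers.get("user-agent", "unknown"))
    body = (f"<p>Your IP: {escape(client['ip'])}:{client['port']}</p>"
            f"<p>Location: {escape(loc.get('city', '?'))}, {escape(loc.get('country', '?'))}</p>"
            f"<p>User-Agent: {ua}</p>")
    return "text/html", body


if __name__ == "__main__":
    # A curl request from 203.0.113.5 arriving via the trusted edge proxy at 10.0.0.1.
    print(render("10.0.0.1", 48212,
                 {"X-Forwarded-For": "203.0.113.5", "User-Agent": "curl/8.4.0"})[1])
```

The right-to-left walk is the part that matters: a client that connects directly (no trusted proxy in front) and sends `X-Forwarded-For: 1.2.3.4` still gets its real socket address back, and the HTML branch escapes the User-Agent because anything reflected from a request header is a stored-nowhere but still real XSS vector.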
Description
- Technically, it’s not a web app but a Python CLI tool for calling security APIs from your terminal. Essentially, it is a wrapper over the Python requests library that sends requests to certain APIs. A basic command is `seclook [service] [value]`. For example, you can run `seclook virustotal 1.1.1.1`, which either pretty-prints the response in your terminal, or you can pipe it to a JSON processor like `fx`, or even send it to ChatGPT to get a summary of the response. I’m still maintaining it and it has received a whopping 6 stars on GitHub.
What I learned
- Submitting packages to PyPI is not as daunting as I thought it would be.
- It is a great feeling when you find yourself using tools that you created every day. Getting other people to use them is a different story, but that’s okay.
- I had an interesting idea to take this app a little further and see if I can monitor IPs, hashes, etc. that are found in the clipboard, do silent lookups to security APIs in the background, and create some kind of notification service (toolbar icon, push notifications, or something) when there is a match.
Stack
- FastAPI, Docker, MySQL + Planetscale, Python
Description
- Glyph was a cybersecurity data loss prevention API. This was arguably my most ambitious project and the only one that had payment options. I am still pretty satisfied with it even though I only got 2 user sign-ups in about a month, and even those people never tried to use the app. Despite these failures, it feels like it’s going to be a stepping stone to another, greater project or idea. It has been shut down and is no longer available.
What I learned
- If your app is slightly complicated to use (e.g., Glyph required Base64-encoding the content you are sending as part of the payload), then people probably won’t use it.
- Many people will not trust your app if it involves sending data that is potentially confidential. They will at least expect you to have a SOC 2 report or something similar. I already had a gut feeling that this would be the downfall of this project, but I wanted to try anyway because it felt like a great idea at the time.
Stack
- FastAPI, Docker, SQLite3 + LiteFS, Python
Description
- Whisper Pages are secret links to markdown notes, code blocks, and other secrets. I built Whisper.Page to learn more about WebAssembly and to experiment with in-browser decryption. I really do like this one and I think it has an easy-to-use interface, but it has not caught on at all with anyone yet.
What I learned
- This seemed like another instance where the data could be potentially confidential, and people likely did not want to trust me with it (although I did open source the entire codebase).
- Also, there are hundreds of different clones of this type of app floating around out there, some of which are “better” on paper than mine (i.e., not just in-browser decryption but in-browser encryption as well).
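The difference between the two designs mentioned above is who ever sees the plaintext. A secret link is of the form `https://host/p/<id>#<key>`, and browsers never transmit the fragment (the part after `#`), so a key carried there is known only to whoever holds the link. With in-browser decryption only, the server receives the note in the clear once, at upload, encrypts it and stores ciphertext; with in-browser encryption as well, the server only ever stores ciphertext. The block below is an added example, not Whisper.Page’s code: it models both designs against one server. The cipher is an encrypt-then-MAC stream construction over HMAC-SHA256 so that the example runs on the standard library alone; a browser would use AES-GCM through WebCrypto instead, and the host name is constructed.

```python
"""Secret links: which design lets the server see the plaintext?

Added example. Models a server that stores ciphertext only, plus the two ways
a link can be created: server-side encryption (the server sees the note once)
and client-side encryption (it never does). The key lives in the URL fragment.
"""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

BASE_URL = "https://whisper.example"  # constructed host name


# Stand-in AEAD: HMAC-SHA256 in counter mode for confidentiality, a second
# HMAC-SHA256 over nonce||ciphertext for integrity. A browser would use AES-GCM.
def _subkeys(key: bytes):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    if len(blob) < 48:
        raise ValueError("truncated blob")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ciphertext")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class Server:
    """Stores id -> ciphertext; plaintext_seen records anything it received unencrypted."""

    def __init__(self):
        self.store, self.plaintext_seen = {}, []

    def put_ciphertext(self, blob: bytes) -> str:
        page_id = secrets.token_urlsafe(12)
        self.store[page_id] = blob
        return page_id

    def put_plaintext(self, note: str):
        """In-browser decryption only: the server encrypts, so it sees the note."""
        self.plaintext_seen.append(note)
        key = secrets.token_bytes(32)
        return self.put_ciphertext(encrypt(key, note.encode())), key

    def get(self, page_id: str) -> bytes:
        return self.store[page_id]


def make_link(page_id: str, key: bytes) -> str:
    return f"{BASE_URL}/p/{page_id}#" + base64.urlsafe_b64encode(key).rstrip(b"=").decode()


def create_client_side(server: Server, note: str) -> str:
    """In-browser encryption: only ciphertext ever leaves the client."""
    key = secrets.token_bytes(32)
    return make_link(server.put_ciphertext(encrypt(key, note.encode())), key)


def create_server_side(server: Server, note: str) -> str:
    page_id, key = server.put_plaintext(note)
    return make_link(page_id, key)


def request_line(link: str) -> str:
    """What the browser actually sends for the link: path only, fragment dropped."""
    return f"GET {urlsplit(link).path} HTTP/1.1"


def open_link(server: Server, link: str) -> str:
    parts = urlsplit(link)
    key = base64.urlsafe_b64decode(parts.fragment + "=" * (-len(parts.fragment) % 4))
    return decrypt(key, server.get(parts.path.rsplit("/", 1)[-1])).decode()


def opens_cleanly(server: Server, link: str) -> bool:
    try:
        open_link(server, link)
        return True
    except ValueError:
        return False


def tamper(server: Server, link: str) -> None:
    """Flip one ciphertext bit in storage, as a malicious or buggy server might."""
    page_id = urlsplit(link).path.rsplit("/", 1)[-1]
    blob = server.store[page_id]
    server.store[page_id] = blob[:20] + bytes([blob[20] ^ 1]) + blob[21:]
```

One caveat applies to both designs and explains why open-sourcing the code does not settle the trust question: the decryption code (WebAssembly or JavaScript) is still served by the same origin, so a compromised or malicious server can ship a version that sends the fragment key back. Client-side encryption narrows what the server sees to ciphertext plus whatever the code it serves chooses to exfiltrate; it does not remove the server from the trust boundary.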
Stack
- FastAPI, Docker, MySQL + Planetscale, Python
Description
- MailUnveil is an e-mail reputation API. You can enter an email address and receive some technical information back as well as a reputation score for that address. I feel like this app is a decent attempt at doing e-mail reputation, although I would not use it on its own. I think it would be a decent supplement to some existing tools that actually scan EML, attachments, etc.
What I learned
- There is not a lot you can infer from just having an e-mail address.
- In order to create a security product around e-mail, you really need to tie into e-mail content and attachments as well.
Other thoughts
- Although many of these apps are not really used by people, I have significantly grown as an engineer/developer by creating them. It’s already helped me in my career and increased my understanding of many different areas. And it’s not just the understanding of technical areas – I’ve also gotten better at breaking down how I want to approach building an app or attacking a problem, which is an incredibly useful skill.
- I think one of the most addicting parts about creating an app is those very early stages where you’re gauging people’s interest in your app. You’re constantly checking the web and db server logs to see if people are checking it out… and then you realize that no one is. 😀
- Practice through repetition works wonders.
- If you want to make more money, it is probably better in most cases to focus on maximizing your salary from your day job. However, going through the process of building apps like this, learning new skills, and gaining new perspectives can absolutely help you increase your salary in your day job as well. Just don’t burn yourself out.
- I encourage anyone else to build as much as possible. It’s a great way to learn and it’s fun.