In recent years, application developers have adopted security testing as a standard best practice.
Even though the importance of testing, or identifying potential security flaws, has long been known, most businesses struggle with figuring out how and when to test their software in progress. While most modern antivirus services would be able to protect end-users in case some overlooked vulnerabilities get exploited, developers need to make sure their projects are as secure as possible in the first place.
This is why the Cybernews team invited Jamie Graves, the CEO of Uleska, an application security management platform, to discuss the most prominent security risks, the automation of app security, and more.
Both your team and client base have grown exponentially since your start in 2016. What was the vision behind Uleska?
Gary Robinson, who is our Chief Security Officer and founder, worked in a large financial services organization managing their application security program. There was this hassle of manually running and collecting application security tools and managing the output in vast, unwieldy spreadsheets. While development teams have spent the past 20 years automating their processes, security teams have not, and his unique vision was that application security was going to go mainstream and be used more widely, so there needs to be a product that can help security and development teams scale and collaborate on this vital task.
Can you tell us more about your DevSecOps platform? What are its key features?
Uleska will automatically scan your applications with your favorite set of Application Security tools when they're built and released, or asynchronously via the UI. Once the scans have been completed, we'll collect and classify the vulnerabilities, which will allow the security and the development team to understand which ones should be fixed first.
What are the best practices companies should follow when developing and launching software?
Try implementing a secure development lifecycle that suits your team – this will ensure that security is considered from the very beginning of the process of developing the software. There are many frameworks out there, but it's important to adopt one that works for your team. Ensure that there's a network of security champions. Understand your business objectives and risk appetite, and solve issues accordingly. Finally, find a space where security and engineering can collaborate.
How do you think the recent global events affected your field of work?
The recent global events affected the field a lot, especially in relation to the increased awareness of the need for secure systems. The recent events in Eastern Europe have intensified everyone's concerns about where the next set of cyberattacks will come from. With the majority of attacks employing some sort of application vulnerability, it's now necessary to ensure that apps are released as securely as possible. The pandemic has also led to the rise of remote work. Hence, ensuring that our teams can communicate and collaborate effectively has transformed our landscape.
In your opinion, why are organizations sometimes unaware of the security risks they are exposed to?
Visibility. Finding and reporting on the right data in an ocean of data can be a daunting task. It may also be the case that the right data is not being collected. It could be that the teams tasked with finding out about these risks are overwhelmed with other tasks that pull the focus off this set of activities.
Many companies have chosen cloud solutions as a way to enhance their operations. Are there any details that might be overlooked when making the switch?
From a security perspective, one thing that can impact your platform is an improper configuration that may lead to people being able to access sensitive data. For example, poorly configured S3 buckets. There are also considerations for cloud services that provide more value than just infrastructure. For instance, code hosting services such as GitHub. Ensuring no secrets are committed is essential. However, services like GitHub are starting to implement automated checks to help spot issues like this.
What are the most common vulnerabilities nowadays that, if overlooked, can lead to serious problems for a business?
It's not a set of technical vulnerabilities. It's more about not having a risk-based mindset and mapping out where the risks to your business can lead to challenges down the road. Your team has to be able to implement the appropriate measure to help your organization survive any future security challenges.
Additionally, what practices and tools do you think every company and individual should adopt to combat these threats?
For smaller companies in the United Kingdom, there are initiatives called "Cyber Essentials" and "Cyber Essentials Plus" which will provide a company with a great starter framework and set of activities to get up and running. I would highly recommend that any smaller companies check this out. If you're a company releasing any kind of software, I would highly recommend testing it before release so you can be proactive in fixing issues instead of relying on a pen-test alone.
What does the future hold for Uleska?
We're rapidly scaling our market scope. We have several new features coming out over the next year that will make it even easier for overworked security teams to start their AppSec journey, as well as vulnerability management and collaboration features.