Nearly every company today either develops or purchases software to run more efficiently. Everything depends on software, from infrastructure and commerce to financial systems and healthcare.
The threat landscape shifts along with that software, so companies need to understand where their software vulnerabilities come from and act on them. That means choosing sound security tooling and DevSecOps practices.
We reached out to Liran Tancman, the CEO and co-founder of Rezilion, a software attack surface management platform, to discuss the pain points companies face in securing their software and the possible solutions.
How did Rezilion come about? What has your journey been like?
Our goal from the outset was to enable easier and more seamless DevSecOps and vulnerability management. We have helped, and continue to help, organizations secure software during the DevOps process and through production. This requires a variety of automated tasks, including the ability to ensure that code comes from trusted repositories, validate that all vulnerabilities have been removed, and generate a deep understanding of the code through workload compositional analysis.
At the beginning of the journey, we created our platform to give teams the tools to eliminate software vulnerabilities across cloud workloads, applications, and IoT devices, empowering developers and security teams to accelerate innovation without risk. In the last year, breaches like SolarWinds and Kaseya showed us how integral supply chain visibility is to the mission of secure software. Mindful of this, we’re also now helping teams see into their software environments and keep track of changes in real-time with our Dynamic Software Bill of Materials (SBOM) capability in the platform.
Ultimately, it comes down to this: you can’t patch what you can’t see, and the Rezilion platform gives teams the ability to understand where their vulnerabilities lie, as well as which vulnerabilities pose a risk to their unique environment. Not all vulnerabilities require patching, because they do not load to memory. We help identify the bugs at all stages of the SDLC, prioritize which ones need patching, and the platform also helps with remediating those vulnerabilities.
Can you tell us more about the Rezilion platform? What are its key features?
Rezilion is an end-to-end DevSecOps platform that identifies, prioritizes, and reduces your vulnerability backlog by over 85%. The platform ensures quick results by helping customers remediate in days, not months. Rezilion uses a proprietary static and dynamic enhanced runtime analysis to identify vulnerabilities that are loaded into memory, and thus exploitable, and those that are not loaded to memory, and therefore pose no risk. The enhanced granularity of the exploitable vulnerabilities further helps to prioritize what to remediate first. The Rezilion platform, as mentioned, also provides a comprehensive and continuous dynamic software bill of materials that affords a real-time view into the actual attack surface.
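The answer above rests on one check: is the library carrying a finding actually mapped into a running process? The block below is an added illustration of that check and is not Rezilion's code; it walks the `/proc/<pid>/maps` format on Linux and sorts SBOM findings into loaded, stale (the on-disk file was replaced but the old copy is still mapped, a common "patched but never restarted" case) and not loaded. The SBOM, the maps lines and the `ISSUE-*` labels are constructed sample data, not real identifiers.

```python
"""Sort SBOM findings by whether the affected library is mapped into a process.

Added example for this interview, not Rezilion's code.  Everything below the
imports is constructed sample data; ISSUE-* labels are placeholders, not CVEs.
"""
import re
from pathlib import PurePosixPath

# One /proc/<pid>/maps line: start-end perms offset dev inode [path]
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxsp-]{4})\s+"
    r"[0-9a-f]+\s+\S+\s+\d+\s*(?P<path>\S.*)?$"
)
DELETED = " (deleted)"  # kernel suffix when the mapped file was unlinked/replaced

# Constructed SBOM: component -> version, file names it ships, open findings.
SBOM = {
    "openssl": {"version": "1.1.1k", "files": ["libssl.so.1.1", "libcrypto.so.1.1"],
                "issues": ["ISSUE-OPENSSL-1"]},
    "libxml2": {"version": "2.9.10", "files": ["libxml2.so.2"], "issues": ["ISSUE-XML-1"]},
    "zlib": {"version": "1.2.11", "files": ["libz.so.1.2.11"], "issues": []},
    "libpng": {"version": "1.6.37", "files": ["libpng16.so.16.37.0"], "issues": ["ISSUE-PNG-1"]},
}

# Constructed /proc/<pid>/maps excerpt for a hypothetical nginx worker.
SAMPLE_MAPS = """\
55d0c4a00000-55d0c4a1e000 r-xp 00000000 08:01 131095 /usr/bin/nginx
7f3a1c000000-7f3a1c1b8000 r-xp 00000000 08:01 262243 /usr/lib/x86_64-linux-gnu/libssl.so.1.1
7f3a1c1b8000-7f3a1c3b7000 ---p 001b8000 08:01 262243 /usr/lib/x86_64-linux-gnu/libssl.so.1.1
7f3a1c400000-7f3a1c6a0000 r-xp 00000000 08:01 262241 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
7f3a1c700000-7f3a1c71b000 r-xp 00000000 08:01 262250 /usr/lib/x86_64-linux-gnu/libz.so.1.2.11
7f3a1c800000-7f3a1c83a000 r-xp 00000000 08:01 262260 /usr/lib/x86_64-linux-gnu/libpng16.so.16.37.0 (deleted)
7f3a1c900000-7f3a1c920000 rw-p 00000000 00:00 0
7ffd1a000000-7ffd1a021000 rw-p 00000000 00:00 0 [stack]
7ffd1a0f0000-7ffd1a0f2000 r-xp 00000000 00:00 0 [vdso]
"""


def loaded_files(maps_text):
    """Return (loaded, stale): basenames of executable file-backed mappings,
    and the subset whose backing file has been deleted/replaced on disk."""
    loaded, stale = set(), set()
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m or not m.group("path"):
            continue  # anonymous mapping
        path = m.group("path")
        if path.startswith("["):
            continue  # [stack], [vdso], [heap] are not files
        if "x" not in m.group("perms"):
            continue  # data or guard segment; count only executable ones
        is_stale = path.endswith(DELETED)
        if is_stale:
            path = path[: -len(DELETED)]
        name = PurePosixPath(path).name
        loaded.add(name)
        if is_stale:
            stale.add(name)
    return loaded, stale


def triage(sbom, maps_text):
    """Bucket each finding as loaded, stale or not_loaded for this process."""
    loaded, stale = loaded_files(maps_text)
    result = {"loaded": [], "stale": [], "not_loaded": []}
    for comp, meta in sbom.items():
        mapped = [f for f in meta["files"] if f in loaded]
        if not mapped:
            bucket = "not_loaded"
        elif any(f in stale for f in mapped):
            bucket = "stale"
        else:
            bucket = "loaded"
        for issue in meta["issues"]:
            result[bucket].append((comp, issue))
    return result


def triage_pid(sbom, pid):
    """Same check against a live process (Linux only, needs ptrace-level access)."""
    with open(f"/proc/{pid}/maps") as fh:
        return triage(sbom, fh.read())


if __name__ == "__main__":
    for bucket, items in triage(SBOM, SAMPLE_MAPS).items():
        print(bucket, items)
```

A mapping is necessary but not sufficient for exploitability: the vulnerable function must still be reachable from untrusted input. The snapshot is also only a lower bound, since a process can `dlopen` further libraries later, so in practice the check is repeated continuously rather than run once.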
What are the best practices companies should follow when developing and launching software?
The biggest challenge to securing software code today is identifying and remediating what is truly exploitable. Developers don’t have the time or tools to fix every vulnerability fast enough to meet security and compliance requirements. Yet, at the same time, the security team must ensure that products don’t contain dangerous vulnerabilities that could be exploited and put the organization at risk. Best practices should include building security into the software development lifecycle (SDLC) so that vulnerabilities can be addressed early in the process. Another is to focus on remediating vulnerabilities that are truly exploitable so that DevSecOps teams can move quickly and ship code faster without getting bogged down by bug remediation.
How do you think the recent global events affected the way people perceive cybersecurity?
Security was at one time seen as “The Department of No.” In the earliest stages of security’s presence in corporations, it was often the role of the CISO or CSO to lock down processes and protect the organization against new technologies in the interest of keeping it safe. This is no longer the case. Security in the last several years has become a business enabler, and one that is often required to demonstrate ROI.
At Rezilion, we want security to be perceived as an innovator. With the right tools and mindset under their belts, the security team can not only help keep a business safe, but they can also help secure products early and assist with innovation and agility. While the high-profile breaches keep hitting the headlines each day, I think we will see cybersecurity perceived not only as a necessity for keeping companies out of the news but also as a leading division in helping to move the business forward.
Why do you think organizations often fail to see the full scope of their attack surface?
It’s a massive surface and no small feat to see thoroughly. With each new tool and technology added to an environment, the attack surface grows, so it is essential to be able to see it and understand it. As mentioned earlier, you can’t patch and fix what you can’t see. That’s why an up-to-date, real-time look into your software environment is essential to understanding where your vulnerabilities exist and how to address them before a cybercriminal finds your weakness first.
What are the most common vulnerabilities nowadays that, if overlooked, can lead to serious problems for a business?
The Log4Shell vulnerability, first uncovered at the end of 2021, continues to be a huge issue. Researchers here at Rezilion recently assessed the current potential attack surface of the Log4Shell vulnerability, several months later, and found many applications vulnerable to Log4Shell still exist in the wild.
The recently discovered Spring4Shell is also a vulnerability that is causing a lot of headaches for security teams lately and one that should be addressed immediately if you have not already. Other vulnerabilities that continue to plague security according to our quarterly vulnerability round-up report include Pwnkit and DirtyPipe.
Besides implementing DevSecOps practices, what other security measures do you think are essential for every company nowadays?
Of course, every company must have up-to-date tools and ensure they are constantly aware of their exposure. It all goes back to an understanding of your software supply chain. Companies have so many software dependencies now that ensuring your internal software is built securely is only one part of the security equation. It’s essential to not only bake security in with DevSecOps, but to have holistic visibility into everything you use and own.
Talking about casual Internet users, what cybersecurity best practices do you think everyone should incorporate into their daily lives?
With the entire world online, the average person needs to always be aware of their level of vulnerability too. That includes anything from how you are sharing personal information and where, to what kind of digital footprint you are maintaining, and how you are safeguarding your sensitive information.
What does the future hold for Rezilion?
In the coming months, we have exciting plans in store that will move us closer to our goal of accelerating and improving the work of software security.
This will begin by deepening the connections between our core Dynamic SBOM and Vulnerability Validation capabilities, which help customers not only identify and manage all software components across their environment in real-time, but to instantly search and pinpoint vulnerable components across billions of files, and know if they’re exploitable in those contexts.
Later this summer, we will be introducing several new features that will increase the scope and automation of our platform service. This will mean a more holistic set of tools to detect, prioritize, remediate, and contain software vulnerabilities. This will also mean more seamless integration with existing workflows and tooling, and more automation features to give time back to DevOps, and Security teams for more strategic and creative work. It’s going to be a few busy months – stay tuned!