We know starting your application security (AppSec) journey can be a little overwhelming. After all, choosing your tools from scratch and setting yourself up for scalable security assurance has been a challenge. Until now.
In a recent webinar, Gary Robinson and Martin Hewitt from Uleska walked us through Uleska’s Toolkits feature that lets users easily configure AppSec tools for continued, reusable use across all of your applications. They explored what the feature is, how it can be used to simplify processes and some practical examples of how it can be used.
You can watch the webinar on-demand and explore a summary of the session below.
The challenges of scaling application security
There are thousands of AppSec tools available on the market. While innovation in the market has its benefits, it also presents some challenges when it comes to configuration, deployment and introduction of new tools down the line.
When building out your security programme, you will have various groups of tools and their corresponding configurations. These groups of tools can then be applied across your applications or organisations.
The manual copy of configuration
Continuous delivery, changes in technology and security requirements make attempting to manually copy a configuration across multiple applications near impossible. With this in mind, it has become increasingly important to have a clear overview of application risk before deploying software.
Testing throughout the lifecycle
Especially when you’re scaling, you’ll be testing at different times in the pipeline. This means that one project needs various test tools to be run across its lifecycle which can be a real challenge when executing this manually. Stay tuned for how Toolkits makes this a whole lot easier.
Tool coverage improvements
In addition, security teams want to iterate and improve tool coverage once these tools are onboarded. This will happen over time, which means you need to be prepared for updates to your tools and configuration. Therefore, one way or another, new tools need to be rolled out across the organisation in response to changes in their threat environment or company policy.
At Uleska, our mission is to streamline these kinds of processes. In addition to making it easy to bring tools together and collate results, the Toolkits product feature unlocks a fast, reusable way to manage these tools and their configurations.
What are Uleska Toolkits?
Toolkits are collections of AppSec tools and their associated configuration (including API keys, tuning settings and runtime parameters) that can be used and, most importantly, re-used by applications across your entire estate.
Toolkits hugely simplify the configuration of tools and make it easy to execute these tools against an application version. Uleska Toolkits enable you to run your tools to not only find issues but also provide assurance.
How are checks being applied?
When building out your security programme, you’ll be using a combination of open course and commercial tools. There will likely also want to explore custom and manual checks. The balance of these checks will vary between every organisation and this will affect the makeup of your Toolkit. You choose which tools you would like in which Toolkits and you implement them where desired. From there on out, the Toolkits will automatically run checks wherever they have been added.
According to our analysis, taking a security standard such as the OWASP ASVS (Application Security Verification Standard), which has around 280 types of controls, up to 40% of those are typically going to be custom checks. This suggests that as you mature you’ll need to include an increasing number of custom checks. Thankfully, Uleska’s Toolkits enable you to add your custom tools alongside your commercial and open-source tools and bucket them in a new or existing Toolkit that can be used by all your teams.
Sourcing the right open-source or commercial tools
First things first. When building an application security programme, you don’t need to get all your tools right from the outset.
Many maturity models, such as the OWASP SAMM maturity model, suggest that you should first focus on establishing a common security baseline to automatically detect “low hanging fruit”. Automated tools are very good at identifying these easy-to-find issues that give you a level of assurance. In addition, Uleska’s features make this incredibly easy to set up and configure.
Next, you’ll likely want to customise the automated tests for each application over time. We’ve found that, generally, there are categories of projects to which you can apply the same Toolkit, saving you further time and hassle.
In essence, the more bugs that an automated process can detect, the more time experts will have to use their knowledge and creativity to focus on more complex web application threats and attacks. The flexibility of being able to change what is in your Uleska Toolkit allows you to grow your testing capabilities with ease as your estate matures.
Getting the culture right
When building a scalable, efficient security programme, your development, DevOps and security teams are going to need to work together effectively. One of the biggest challenges for DevSecOps is getting these different teams with different agendas and different priorities to work together efficiently.
The best collaboration comes from clear and open communication. To achieve this, there are a few points to consider.
- Be sure to specify who is responsible for the testing
- Clarify exactly what should be tested
- Understand when you will be automating using technology
Making this process as easy as possible means that you can achieve assurance and protection more quickly.
In addition, one way to secure a greater return on your testing tool investments is to make the process and wider usage of these tools as simple as possible. Uleska Toolkits helps you do this by enabling you to keep the security process as consistent and repeatable as possible while still allowing tech tools to differ between teams.
Building a process
Finally, when building out your security process, there are two key points to consider.
- Tool coverage - applying Uleska Toolkits and our wider orchestration capabilities enable you to easily apply a blended tool solution to your estate, resulting in increased coverage.
- Regulatory demands - regulators and auditors require certain methods around how security is conducted. The System of Record and Separation of Duties are the two underpinning principles.
what did people ask at the webinar?
“Can Uleska Toolkits include commercial scanners?”
Yes. For the commercial tools stored within the Toolkits, Uleska stores your configuration and speaks to the tool on your behalf. Uleska takes the code, packages it up and sends it in the right format to each platform. When the platforms have completed the task, Uleska then pulls the results back into your Uleska account where they will appear alongside any other tools that are included in the Toolkit.
You can also bring custom tools into your Toolkits. For example, if you have a bit of scripting that isn’t covered by an open-source or commercial tool, you can build these using docking containers. Your custom tools then appear alo ngside your open-source and commercial tools in any Toolkits that you choose to add them to. There is plenty of support documentation to help you achieve this should you wish.
“Can you get a report of the total ASVS control coverage?”
Currently, Uleska shows you the ASVS coverage of issues present. You can teach the Uleska system the ASVS categories of the various issues that are returned by the tools you run. You can then see graphs or charts of the most common vulnerabilities. This helps you identify common issues that you may want to provide further training around.
It is on the Uleska roadmap to enable you to identify what areas of a security standard that checks exist for in the tools chosen. We hope this will help during the initial stage when you are scoping which tools to include in your Toolkit but also as your programme matures.
In addition, during penetration testing, you sometimes find that the automation isn’t identifying authentication issues, third party issues, etc. This might flag that you need to plug the gap with another tool. In this case, you would layer new tools over time to ensure you’re getting as much coverage as possible.
“If an issue is found on a single app but using multiple tools within a Toolkit, is this information duplicated?”
No. The Uleska system is designed to identify when the same issues have been flagged by multiple tools and then automatically deduplicate them before reporting on your dashboard.
In terms of correlating it from code to URL, linking the static and dynamic side, this is also on the Uleska roadmap. Currently, Uleska treats these sets of tools separately but we have a system of false-positive classification such that you can tune those to your particular risk appetite over time.
Any issues flagged by Uleska as “invalid vulnerabilities” are stored so that they can be audited and corrected if necessary. You also have the ability to manually flag issues as false positives and the system will remember this should the same issue arise.
Getting started (for free)
Let’s face it, the number of tools to choose from can be overwhelming. That’s why you’ll automatically have access to Uleska-approved, tried-and-tested Open Source AppSec tools, readily-available from within your Uleska account (yes, even the free account). This will help you get started more quickly to connect the right sets of tools to your code and products.
You can get started with a free account that allows you to use all the risk testing tools you need. The free account limits your testing tools to one hundred tests in a month, which is usually plenty if you’re just getting started.
Subscribe to the Uleska blog
You may unsubscribe at any time using the unsubscribe link in the newsletter.
