How to improve security tool selection and customisation with Uleska Toolkits


We know starting your application security (AppSec) journey can be a little overwhelming. After all, choosing your tools from scratch and setting yourself up for scalable security assurance has been a challenge. Until now.

In a recent webinar, Gary Robinson and Martin Hewitt from Uleska walked us through Uleska’s Toolkits feature that lets users easily configure AppSec tools for continued, reusable use across all of your applications. They explored what the feature is, how it can be used to simplify processes and some practical examples of how it can be used.

You can watch the webinar on-demand and explore a summary of the session below.


The challenges of scaling application security

There are thousands of AppSec tools available on the market. While innovation in the market has its benefits, it also presents some challenges when it comes to configuration, deployment and introduction of new tools down the line.

When building out your security programme, you will have various groups of tools and their corresponding configurations. These groups of tools can then be applied across your applications or organisations.

The manual copy of configuration

Continuous delivery, changes in technology and security requirements make attempting to manually copy a configuration across multiple applications near impossible. With this in mind, it has become increasingly important to have a clear overview of application risk before deploying software.

Testing throughout the lifecycle

Especially when you’re scaling, you’ll be testing at different times in the pipeline. This means that one project needs various test tools to be run across its lifecycle which can be a real challenge when executing this manually. Stay tuned for how Toolkits makes this a whole lot easier.

Categories of security tools

Tool coverage improvements

In addition, security teams want to iterate and improve tool coverage once these tools are onboarded. This happens over time, which means you need to be prepared for updates to your tools and their configuration. Therefore, one way or another, new tools need to be rolled out across the organisation in response to changes in the threat environment or company policy.

At Uleska, our mission is to streamline these kinds of processes. In addition to making it easy to bring tools together and collate results, the Toolkits product feature unlocks a fast, reusable way to manage these tools and their configurations.


What are Uleska Toolkits?

Toolkits are collections of AppSec tools and their associated configuration (including API keys, tuning settings and runtime parameters) that can be used and, most importantly, re-used by applications across your entire estate. 

Toolkits hugely simplify the configuration of tools and make it easy to execute these tools against an application version. Uleska Toolkits enable you to run your tools to not only find issues but also provide assurance.

How are checks being applied?

When building out your security programme, you’ll be using a combination of open-source and commercial tools. You will likely also want to explore custom and manual checks. The balance of these checks will vary between organisations, and this will affect the makeup of your Toolkit. You choose which tools you would like in which Toolkits and apply them where desired. From then on, the Toolkits will automatically run their checks wherever they have been added.

According to our analysis, taking a security standard such as the OWASP ASVS (Application Security Verification Standard), which has around 280 types of controls, up to 40% of those are typically going to be custom checks. This suggests that as you mature you’ll need to include an increasing number of custom checks. Thankfully, Uleska’s Toolkits enable you to add your custom tools alongside your commercial and open-source tools and bucket them in a new or existing Toolkit that can be used by all your teams.


Sourcing the right open-source or commercial tools

First things first. When building an application security programme, you don’t need to get all your tools right from the outset. 

Many maturity models, such as the OWASP SAMM maturity model, suggest that you should first focus on establishing a common security baseline to automatically detect “low hanging fruit”. Automated tools are very good at identifying these easy-to-find issues that give you a level of assurance. In addition, Uleska’s features make this incredibly easy to set up and configure. 

Next, you’ll likely want to customise the automated tests for each application over time. We’ve found that, generally, there are categories of projects to which you can apply the same Toolkit, saving you further time and hassle.

In essence, the more bugs that an automated process can detect, the more time experts will have to use their knowledge and creativity to focus on more complex web application threats and attacks. The flexibility of being able to change what is in your Uleska Toolkit allows you to grow your testing capabilities with ease as your estate matures.


Getting the culture right

When building a scalable, efficient security programme, your development, DevOps and security teams are going to need to work together effectively. One of the biggest challenges for DevSecOps is getting these different teams with different agendas and different priorities to work together efficiently. 

The best collaboration comes from clear and open communication. To achieve this, there are a few points to consider.

  • Be sure to specify who is responsible for the testing
  • Clarify exactly what should be tested
  • Understand when you will be automating using technology

Making this process as easy as possible means that you can achieve assurance and protection more quickly.

In addition, one way to secure a greater return on your testing tool investments is to make the process and wider usage of these tools as simple as possible. Uleska Toolkits helps you do this by enabling you to keep the security process as consistent and repeatable as possible while still allowing tech tools to differ between teams.


Building a process

Finally, when building out your security process, there are two key points to consider.

  1. Tool coverage - applying Uleska Toolkits and our wider orchestration capabilities enable you to easily apply a blended tool solution to your estate, resulting in increased coverage.
  2. Regulatory demands - regulators and auditors require certain methods around how security is conducted. The System of Record and Separation of Duties are the two underpinning principles.

What did people ask at the webinar?

“Can Uleska Toolkits include commercial scanners?”

Yes. For the commercial tools stored within the Toolkits, Uleska stores your configuration and speaks to the tool on your behalf. Uleska takes the code, packages it up and sends it in the right format to each platform. When the platforms have completed the task, Uleska then pulls the results back into your Uleska account where they will appear alongside any other tools that are included in the Toolkit. 

You can also bring custom tools into your Toolkits. For example, if you have a bit of scripting that isn’t covered by an open-source or commercial tool, you can package it as a Docker container. Your custom tools then appear alongside your open-source and commercial tools in any Toolkits you choose to add them to. There is plenty of support documentation to help you achieve this should you wish.

“Can you get a report of the total ASVS control coverage?”

Currently, Uleska shows you the ASVS coverage of issues present. You can teach the Uleska system the ASVS categories of the various issues that are returned by the tools you run. You can then see graphs or charts of the most common vulnerabilities. This helps you identify common issues that you may want to provide further training around. 

It is on the Uleska roadmap to let you identify which areas of a security standard the chosen tools provide checks for. We hope this will help both during the initial stage, when you are scoping which tools to include in your Toolkit, and as your programme matures.

In addition, during penetration testing, you sometimes find that the automation isn’t identifying authentication issues, third party issues, etc. This might flag that you need to plug the gap with another tool. In this case, you would layer new tools over time to ensure you’re getting as much coverage as possible.

“If an issue is found on a single app but using multiple tools within a Toolkit, is this information duplicated?”

No. The Uleska system is designed to identify when the same issues have been flagged by multiple tools and then automatically deduplicate them before reporting on your dashboard.

In terms of correlating it from code to URL, linking the static and dynamic side, this is also on the Uleska roadmap. Currently, Uleska treats these sets of tools separately but we have a system of false-positive classification such that you can tune those to your particular risk appetite over time. 

Any issues flagged by Uleska as “invalid vulnerabilities” are stored so that they can be audited and corrected if necessary. You also have the ability to manually flag issues as false positives and the system will remember this should the same issue arise.


Getting started (for free)

Let’s face it, the number of tools to choose from can be overwhelming. That’s why you’ll automatically have access to Uleska-approved, tried-and-tested Open Source AppSec tools, readily-available from within your Uleska account (yes, even the free account). This will help you get started more quickly to connect the right sets of tools to your code and products.


You can get started with a free account that allows you to use all the risk testing tools you need. The free account limits your testing tools to one hundred tests in a month, which is usually plenty if you’re just getting started.
