How Uleska Makes DevSecOps Quick and Easy

Whether you're using our SaaS platform or hosting it in-house, you can save time and money checking the security of your software. Everything can be done through our user interface or our fully featured API. Here's an overview of how it works:

1) Easy setup

Just tell the Uleska DevSecOps Platform some information about your application and it'll do the rest:

  • For code scanning, enter the Git repository where the code is stored.
  • For dynamic testing, enter the URL of the system to be tested, and the credentials to log in (we'll pass them on to the security tools).
  • If you want to do both code scanning and dynamic testing, that's fine too. Just enter both items above and both will be run.
  • Select the security tools you want to run, and you're good to go. (Tool pipeline groupings, e.g. 'Test Java', are coming soon.)

If you want to hook into Jira or Slack, or add pictures, text or logos to your generated reports, you can do that too, for all your applications.

2) Trigger your testing

How you run your security testing is up to you. Maybe you want to kick it off manually during a project, maybe you want a set of security tests to run on each pull request, or maybe you want security testing wrapped into the DevOps process. You can do any of these, and mix and match between different projects or builds as suits each one.

You can configure different sets of security tests for different stages of development. Kicking off a suite of security tests comes down to a single API call, meaning you can:

  • Use a Jenkins plugin so your DevOps pipeline always includes a call to kick off your suite of security tests before going live.
  • Use a commit trigger to kick off a different set of tests during pull requests.
  • Start security testing at any time using our user interface, or a Slack trigger.

Got other ways you want to start testing? Just let us know; the stranger the better! We've even hooked up an Alexa skill to run testing from voice commands, just for fun.

3) Let the security testing run

Look mom, no hands! The Uleska DevSecOps Platform automates and orchestrates the security tools that check your software through our tool integrations. This makes security testing easy. You don't need a security expert to get results, just point and click. We've had many untrained people run extensive security testing using our system, including the 12-year-old daughter of one of our team (though that's because she's really smart).

Note that these security tools can range from the fullest-featured commercial tools down to single custom tools you've created, and everything in between. Check out the many great open source security tools that penetration testers use every day (and did we mention they're free?).

4) Collect results

Since the Uleska DevSecOps Platform is doing the automating and orchestrating, it collects all the results from all of your tools and brings them into one place. Each test run is recorded and compared against previous runs (see below).

This saves your team from copy/pasting from those two appsec tools, that cloud check, the network scanning tool, the two container checking systems, and those 8-10 security scripts Dave and Diane wanted run every time after that 'incident'.

5) Auto-Triage

It's never fun to triage. It's even less fun to do it over and over again. Some commercial tools allow you to mark false positives, but most security tools out there don't.

The Uleska DevSecOps Platform implements a number of features that help you save time, and introduce consistency, in issue triage:

  • False Positive Handling: issues returned to the platform can be marked as false positives, no matter what tool or script they come from. False positives are still kept in the background (in case there's been a mistake) but aren't reported or counted in stats.
  • Sticky False Positives: you should only have to mark a false positive once, and that's the case here. When you mark a false positive (again, it doesn't matter where it came from), the next time you run the security test and that tool reports the same issue, the Uleska DevSecOps Platform automatically marks it as a false positive again. This is a massive time saver.
  • Removing Duplicates: some tools are noisy, and running many tools increases the chances of the same issue being returned many times. The Uleska Platform UI makes it easy to mark many issues as duplicates of a single issue, meaning you only see the one. Just like false positives, this is sticky, meaning future security test runs have their duplicates handled automatically.
  • Advisories: do you ever get tired of saying the same thing over and over again? When the same issues crop up across many applications or teams, the time taken to advise on the issue or the fix adds up. Now you can set an advisory, i.e. a description of how to fix an issue that's relevant to your team or company, and it will automatically be included in DevOps messages and reports for every team. Tell them how to fix it, such as "Use the SQL wrapper library Dave created", or "Go here for our Kubernetes hardening advice". Be as detailed as you like.
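To make the sticky false-positive and duplicate handling concrete, here is an added illustration of the general mechanism such a feature relies on. It is not Uleska's code, and this page does not describe how the platform actually matches an issue from one run to the next. It assumes that a finding can be keyed by tool, rule and a normalised location, and that a human's triage decision is stored against that key; the tool names, rules and paths are constructed sample data.

```python
"""Sticky false-positive and duplicate handling across scan runs.

Added illustration, not Uleska's code: findings from several tools are
given a stable fingerprint, and triage decisions recorded against a
previous run are re-applied to the next run automatically.
"""
import hashlib
import re
from dataclasses import dataclass, field
from typing import List, Optional


def normalise_location(location: str) -> str:
    """Remove per-build noise so the same finding matches from run to run.

    CI checkouts live under a different workspace directory each build, and
    dynamic scanners often report URLs with transient query strings.
    """
    location = re.sub(r"^.*?/workspace/[^/]+/", "", location)
    return location.split("?", 1)[0]


def make_fingerprint(tool: str, rule: str, location: str) -> str:
    """Stable identity for a finding. Line numbers and messages are left out
    on purpose: they drift with every commit and would un-stick the triage."""
    key = f"{tool}|{rule}|{normalise_location(location)}"
    return hashlib.sha256(key.encode()).hexdigest()[:16]


@dataclass
class Finding:
    tool: str
    rule: str
    location: str
    message: str
    status: str = "open"                # open | false_positive | duplicate
    duplicate_of: Optional[str] = None  # fingerprint of the canonical finding
    fingerprint: str = field(init=False)

    def __post_init__(self) -> None:
        self.fingerprint = make_fingerprint(self.tool, self.rule, self.location)


def carry_forward(previous: List[Finding], current: List[Finding]) -> List[Finding]:
    """Re-apply the last run's triage to this run's findings and return them."""
    prior = {f.fingerprint: f for f in previous}
    present = {f.fingerprint for f in current}
    for f in current:
        p = prior.get(f.fingerprint)
        if p is None:
            continue                    # new issue: a human still has to look at it
        if p.status == "false_positive":
            f.status = "false_positive"
        elif p.status == "duplicate" and p.duplicate_of in present:
            f.status = "duplicate"
            f.duplicate_of = p.duplicate_of
        # A duplicate whose canonical finding is no longer reported stays open;
        # otherwise the issue would silently vanish from every report.
    return current


def reportable(findings: List[Finding]) -> List[Finding]:
    """Only open findings are reported or counted; the rest are kept, not deleted."""
    return [f for f in findings if f.status == "open"]


# Constructed sample data (hypothetical tool names, rules and paths).
# Build 41, after a human triaged it:
RUN_41 = [
    Finding("sast-a", "sql-injection", "/ci/workspace/build-41/src/db.py", "string concatenation in query"),
    Finding("sast-b", "SQLI", "/ci/workspace/build-41/src/db.py", "tainted data reaches query"),
    Finding("secrets", "hardcoded-password", "/ci/workspace/build-41/tests/fixtures.py", "password literal"),
    Finding("dast", "missing-csp", "https://staging.example.com/login?next=/", "no Content-Security-Policy"),
    Finding("sast-a", "weak-hash", "/ci/workspace/build-41/src/legacy.py", "MD5 in use"),
    Finding("sast-b", "MD5", "/ci/workspace/build-41/src/legacy.py", "MD5 in use"),
]
RUN_41[1].status, RUN_41[1].duplicate_of = "duplicate", RUN_41[0].fingerprint
RUN_41[2].status = "false_positive"      # test fixture, not a real credential
RUN_41[5].status, RUN_41[5].duplicate_of = "duplicate", RUN_41[4].fingerprint

# Build 42: new checkout directory, one new issue, and sast-a no longer reports legacy.py.
RUN_42 = [
    Finding("sast-a", "sql-injection", "/ci/workspace/build-42/src/db.py", "string concatenation in query"),
    Finding("sast-b", "SQLI", "/ci/workspace/build-42/src/db.py", "tainted data reaches query"),
    Finding("secrets", "hardcoded-password", "/ci/workspace/build-42/tests/fixtures.py", "password literal"),
    Finding("dast", "missing-csp", "https://staging.example.com/login?next=/dashboard", "no Content-Security-Policy"),
    Finding("sast-b", "MD5", "/ci/workspace/build-42/src/legacy.py", "MD5 in use"),
    Finding("sast-a", "path-traversal", "/ci/workspace/build-42/src/files.py", "user input reaches open()"),
]

if __name__ == "__main__":
    for f in reportable(carry_forward(RUN_41, RUN_42)):
        print(f"{f.tool:8} {f.rule:20} {normalise_location(f.location)}")
```

Running it reports four open findings for build 42: the canonical SQL injection, the missing CSP header, the sast-b MD5 finding, and the new path traversal. The false positive and the SQL-injection duplicate are carried forward without anyone touching them, while the MD5 duplicate is deliberately reopened because the finding it was marked a duplicate of is no longer present. Whatever the real platform uses as its matching key, that last case is the one to check when evaluating any sticky-triage feature: a suppression that outlives its canonical finding hides a live issue.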

6) Results and Reports

When the security testing has been automatically triggered, run, collected and triaged, the reports and updates are generated automatically (because who wants to create these by hand?).

Updates are sent to Jira or Slack (more integrations coming), results can be polled from DevOps systems over the API so you can see if anything major has been introduced before going live, and customizable PDF (or CSV) security reports can be generated to share with stakeholders or clients.

Statistics are also generated showing issues and risk per team and application, trends over time, the most frequently occurring risks, and how you're matching up against regulations (depending on your plan). All of this is available through our UI, API, or GraphQL interfaces.