Before we fully present you our DevSecOps platform, we would like to introduce you some necessary context on how we got here. In our routine at Conviso, many new customers come to us with the same problem: they have already invested time and money in a number of cyber security tools, but still feel that they do not do the job completely.
In some cases, the acquired tools require a usability that differs from an efficient development process. There are also those who report difficulties in maintaining a standard of quality in everyday activities.
However, one of the most frequent problems we have observed in our 12 years of operation in the cyber security market is that, although they acquire software and invest in competent professionals as a way to offer quality and security products and services to their clients, many companies leave application security aside. In the vast majority of these cases, the AppSec tools chosen are even great, but by themselves they do not solve all the security bottlenecks.
You can also listen to the audio version of this article – it has been recorded by a human:
In general, there are two main mistakes that many companies make when defining their cyber security strategy:
- Investing in tools that do not specifically address the appsec problem;
- Not having a platform that can centralize all the information that is important for software security…
What we see is that even companies that bet on well-defined security policies sometimes fail to worry about the applications developed specifically in their activities. This is very common because there is still a misconception among managers that only what is exposed to the Internet should be protected. And this failure can have serious consequences.
What is application security and why it should not be underestimated?
Application Security is a process that, through best practices, aims to ensure application security throughout its development process – leading to the delivery of more reliable applications and systems. In this way, it is possible to make adjustments and corrections and prevent vulnerabilities from exposing data and allowing access to system functionalities to malicious people.
The fact is that there are no completely invulnerable applications. Any application can be invaded – some more easily than others – and that’s why application security is necessary.
According to statistics from the Breach Level Index website, every 39 seconds there is hacker activity in the world. And applications are among the largest vectors of hacker attacks. It is worth remembering that, besides the headache and possible financial losses, an attack on applications can generate a huge crisis in the company, with strong economic impacts. Juniper Research estimates that the average cost of a data security breach for a large company would be over $150 million by 2020.
Once they are aware of this, it becomes each company’s obligation to protect its customers’ data in the best possible way. With the General Data Protection Act, which takes effect in August 2020, the matter becomes even more serious and liable to penalties in the event of negligence. After all, ensuring application security means investing not only in protection – but also in the reputation and longevity of the company.
What is AppSec Flow and why do we call it a DevSecOps platform?
AppSec Flow is a DevSecOps platform created by Conviso that supports the entire security cycle in software development. It was created based on the Software Assurance Maturity Model (SAMM) – a project from the Open Web Application Security Project (OWASP) portfolio that defines a series of practices with the objective of improving software security.
A curiosity about AppSec Flow is that it was born to supply an internal demand from Conviso. When implemented, it was so successful in its purpose that we saw potential to optimize the routine of other companies and decided to commercialize it.
Through its API, AppSec Flow allows integration with a series of tools widely used in the teams’ routine:
With AppSec Flow, it is possible to create standardized mechanisms (Playbooks) in order to guarantee that all teams will follow the same routine in their activities, such as performing tests.
After all, when a company can’t create mechanisms that can guarantee that its teams will follow and maintain a certain degree of standard in their activities, it becomes much more difficult to guarantee that all services performed will follow the same principle or sequence, compromising the final quality.
Therefore, one of the benefits ofour devsecops tool is that it helps to centralize the communication of security and development teams, through the integration of tools. It controls risk policies, aggregates analysis results, correlates and manages vulnerabilities, controls the correction workflow, manages deploys, controls indicators, among other features.
With this, security ceases to be a bottleneck and becomes a continuous activity, integrated to the entire software development lifecycle, with the right analyses running at the right time, within the best practices and, above all, at the speed of your business. That’s why we say Flow is a complete Continuous Application Security platform!
What are some of the advantages of AppSec Flow compared to other market options?
It is important to note that AppSec Flow has not come to replace any security software that your company has already purchased. It came to enhance the use of this software and to optimize and transform the routine of your team. It’s because none of the software your company already has is likely to be focused on the entire development cycle, making security a more efficient and structured process – Flow is the only one with that definition.
It allows teams to integrate several existing tools, making Flow a great hub of information. In addition, as it is integrated with CI/CD tools, it is one of the most complete tools to implement DevSecOps.
In addition, AppSec Flow:
- is the only global AppSec tool, with Brazilian DNA, that is focused on the entire development cycle
- It is excellent for analysis management
- Allows correlation between DAST and SAST
- It is in constant improvement
- It is used and approved by large Brazilian companies, from various sectors
How does AppSec Flow really work in practice?
We want you to have a better idea of how our product works in practice. So, in order to better demonstrate how AppSec Flow can transform the routine of your security team, we asked some customers the following question:
What did you use before you met AppSec Flow?
The answers we received contain common problems that may be happening in your company. Check it out:
Client 1: “Before we used a spreadsheet to manage vulnerabilities. However, with several teams, this information was always lost“.
It’s not uncommon to find companies that still perform information management and document test results and remediation plans through spreadsheets. As we explained in another article, this is not information management. In this situation, AppSec Flow acts as a central point of information and provides everyone with a single, structured view of application security activities.
Client 2: “Before AppSec Flow, we adopted an internally developed platform, but it was difficult to make all developers follow the same pattern“.
Here we have a similar problem, where the lack of a standard can affect the final result. Our DevSecOps platform allows playbooks to be created – that is, materials that detail the step-by-step of each activity – and that are linked to the analyses and projects. This makes it possible to maintain a pattern of execution and provides the manager with a view of the progress of the process.
Client 3: “My team did not have the visibility of the whole analysis, and I needed to pass the demands individually, which generated a lot of work and discrepancy of information”.
The dashboards provided by Flow allow everyone involved in an analysis to visualize the application security situation, since the dashboard, all information is made available in a clear and intuitive way. This optimizes time and communication between teams and ensures more satisfactory results.
(inserir imagem de um dashboard)
The features of AppSec Flow
AppSec Flow has many features, which are updated frequently as our product is constantly being improved. As there are many features, and detailing them in this article would make this material very dense, we are preparing other articles designing all the features of AppSec Flow, so we can explain how each one can help solve common problems in the day by day of security teams.
For now, take the chance to know some of them:
Our DevSecOps platform allows the creation of an inventory of each company’s applications, defining risk levels, with specific security policies.
This type of control allows companies to classify their assets by criticality focused on the business – which, in case of vulnerability corrections, can allow greater attention to the most priority assets to the business, without only focusing on the criticality of such vulnerabilities.
AppSec Flow is an AppSec tool that allows the management of analyses and projects of the most diverse types, ensuring that analyses such as Threat Modeling, Requirements Definition, Code Review are tracked and maintained in a centralized and organized way. In addition, tests such as SAST, DAST, Pentests or even SCA – Software Composition Analysis can be managed. All in an organized and centralized way.
As the platform proposes to manage the analysis performed in software, both in code and already operational applications, the structure of reports and knowledge management is kept available to the development teams. The control of the steps for the management of the vulnerability correction process supports all the steps of the correction, which provides an overview for the manager.
This feature allows you to support and manage all kinds of security analysis and software.
Our DevSecOps tool facilitates the standard and control of the methodology applied to the analysis, ensuring that all steps were performed with the registration of evidence. Thus, it is easier to ensure that the final result comes out with the desired quality. Playbooks can also be used in a variety of practices, such as Safe Architecture.
Flow has DAST, SAST, Container, Mobile and Cloud modules. In addition, it allows to create customized policies for all automated testing, integrates all security tools and CI/CD processes from the continuous integration server. AppSec Flow also provides all the indicators in the Dashboard and allows you to create action plans with analysis and playbooks.
Our DevSecOps Platform not only detects – but it also enables the management of vulnerabilities identified by various forms of analysis, categorizing and classifying them to prioritize correction based on data.
To better understand our product’s functionality, check out other articles we’ve published about it: