In an era dominated by Digital Transformation, consumers have come to expect digital applications embedded in their lives, almost as an extension of themselves. The push to produce new features to keep and attract customers puts pressure on an organisation’s risk and security program.

To strike a balance between releasing the latest digital capabilities and maintaining security, software testing is critical.

The strength of an organisation’s software testing processes plays a crucial role in ensuring business continuity; any downtime leads to lost revenue, reputational harm and penalties for GDPR non-compliance.

However, businesses hesitate to invest in cyber security testing programs because it increases their IT costs, without adding to the company’s bottom line.

There are also many cyber security programs that are complex, inefficient, and do not reduce a company’s risk in any measurable way.

Modern software processes can create new features faster than ever, yet the vast majority of security processes can’t keep up. Producing code at this speed, with security checks that cannot match it, is a huge gamble.

Any software bug can cause errors that bring down services, but security bugs are far more likely to cause serious harm or downtime.

Gartner analysts have estimated that the average cost of downtime is £4,500 a minute for organisations, never mind the reputational damage that a major data breach could have due to poorly tested code.

As organisations switch to DevOps and Agile models or move through Digital Transformation, software teams can continually release new features and often push code updates as fast as they’re written.

What could go wrong?

This pressure means security bugs go undiscovered or unfixed in the code, creating numerous problems for organisations, including major fines, as regulatory environments such as GDPR or the Singapore MAS (Monetary Authority of Singapore) place more emphasis on ongoing security checks and assurance.

This has led many companies to ask, ‘How can we reduce the risk in the software and features we ship daily, whilst protecting ourselves from the trend of serious data breaches and downtime?’

Well, let’s see the current best practices and options:

  • Testing – Continual security testing helps companies keep up the speed of development whilst mitigating real-time business risks. Gartner states that wrapping security into DevOps and Agile “integrates security tooling across a software development life cycle (SDLC), typically as part of DevSecOps initiatives.”
  • Risk analysis – Combining this continual testing with integrated cyber risk analysis allows companies to instantly understand both the technical and the business risk of the software they are developing today. Armed with this information, companies can reduce their cyber risk, their IT costs and their cost of compliance far more than their competitors.
  • Automation – At the technical level, this means automating and integrating all the security tools an organisation needs throughout the SDLC. This is difficult to achieve, yet once achieved it makes application vulnerability testing much more efficient and reduces the complexity of the technical work.
  • Transparency – The resulting prioritisation of remediation helps executives manage risk throughout all software in their organisation.
  • Collaboration – Frequent and effective security testing helps development and operations teams coordinate the many security tests that should be performed on code. Continual security testing and risk analysis solutions can therefore be a significant enabler of fast development and secure code, taking the pressure off developers and keeping an organisation up to date.

Top Tips

Gartner also states six principles of trust and resilience that could help you to manage the security behind quickly released software.


The six principles are as follows:

  • Stop focusing on check-box compliance, and shift to risk-based decision making.
  • Stop solely protecting infrastructure, and begin supporting business outcomes.
  • Stop being a defender, and become a facilitator.
  • Stop trying to control information, and determine how it flows.
  • Accept the limits of technology and become people-centric.
  • Stop trying to perfectly protect your organisation, and invest in detection and response.

The NCSC also publishes principle-based guidance that can help you assess your security posture against your current rate of software deployment.

Digital transformation is re-shaping industries at an incredible pace. It’s designed to reduce IT costs and provide faster time to value. All too often security becomes a blocker to this transformation. To halt this innovative movement would be to halt progress and hand the advantage to your competitors. By slowing down the development of software, we hinder the capabilities of technology, which is not what we need.


Instead, a centralised security testing system that gives organisations a simple and efficient way to report and remediate issues could help save businesses from further disruption.

Regulatory landscapes are changing at an unprecedented rate, therefore, understanding and reporting these issues in a clear manner can create a security conscious, communicative business model, creating larger budgets for security teams in the process.

If these challenges apply to you, contact Uleska to learn more about how the Uleska Platform automates security testing and risk analysis, while the Uleska Consulting team deliver efficient and effective technical security consulting.

Uleska partners with Veracode to help businesses in UK and worldwide scale application security and automate security testing.

LONDON, UK – Oct. 04, 2019 – Uleska, a web-based platform which examines a software application to be built, along with security regulations, and proactively generates necessary software security checks and reports, today announced it has signed an agreement to partner with Veracode, a global software security leader.

Uleska is now an Authorized Reseller of the Veracode platform, allowing Uleska to help its customers combat modern security threats by managing and automating a range of security testing tools, including Veracode’s innovative application security solutions.  

Veracode’s SaaS platform, which includes static analysis, dynamic analysis, software composition analysis (SCA), and manual penetration testing, assists developers with finding and fixing security-related defects throughout the software development lifecycle. The platform offers a holistic, scalable approach to AppSec in one centralized view. It allows businesses to identify and resolve critical vulnerabilities while ensuring regulatory compliance without sacrificing speed or innovation.

The partnership is based on a shared vision of secure software development. Veracode and Uleska help companies make security a seamless part of the development process. This allows them to both find and fix security defects so that they can use software to achieve their missions, which aligns with Uleska’s core values as a software security organisation.

Why Uleska and Veracode?

Software has transformed the way we conduct a range of incredibly important tasks and fuels the operations of businesses in every sector. Yet most software contains flaws. According to Veracode’s State of Software Security (SoSS) report, more than 85 per cent of all applications have at least one vulnerability in them; more than 13 per cent have at least one critical severity flaw.

The new role of software and today’s development paradigms are now key to effective information security.

Uleska, ultimately, understands that without innovative software security measures and clear communication amongst executives, software vulnerabilities could expose sensitive data or lead to a costly data breach.

Uleska’s groundbreaking Cyber Value-at-Risk Reporting, driven by the risk and compliance needs of the organisation, is complemented by technical security testing that can be automatically achieved.

As a Veracode partner, Uleska can provide an accurate view of software security vulnerabilities and recommendations for fixing them, allowing companies to create secure software. Uleska is incredibly excited about this opportunity and views the partnership as an avenue to continued success in the rapidly growing global application security market.

About Veracode

With its combination of automation, process, and speed, Veracode becomes a seamless part of the software lifecycle, eliminating the friction that arises when security is detached from the development and deployment process. As a result, enterprises are able to fully realize the advantages of DevOps environments while ensuring secure code is synonymous with high-quality code. 

Veracode serves more than 2,100 customers worldwide across a wide range of industries. The Veracode Platform has assessed more than 10 trillion lines of code and helped companies fix more than 36 million security flaws.

Learn more at, on the Veracode blog and on Twitter.

The Threat Landscape

80 per cent of web applications contain at least one security bug, with an average of 45 vulnerabilities per application. 

OWASP, an international non-profit organisation dedicated to web application security, maintains a top 10 vulnerability list.

SQL injection – malicious input injected into database queries to copy, corrupt, re-purpose or destroy data – is still the number one risk for an enterprise.

Criminals Follow the Money 

For the last seven and a half years, the Uleska team has seen a common theme: criminals follow the money. Since consumers buy and sell online, criminals have naturally moved online too.

In 2017, at Digital DNA, there was a panel giving cyber security tips for local businesses – a pro bono consultancy workshop on how to best protect their digital assets from threat actors. 

What concerned the Uleska team was how many local businesses had already been through a damaging experience, and how many more will.

After the panel, several business owners said that they too had been the victims of hacks or breaches, and asked what they should do. The correct response is to contact the ICO.

Also remember, this panel was one year before GDPR, the legislation that would penalise companies for data breaches and hacks.

We live in different times now, post GDPR, and we are already seeing the size of fines imposed on companies by the Information Commissioner’s Office (ICO) skyrocket – more like a hockey-stick increase.

Let’s take one example: British Airways. Their data breach took place last summer and was a formjacking compromise – malicious code was injected into a form on their website to scrape users’ details, including credit card numbers.

The ICO has just levied a fine on BA of £183m – yes, you read that correctly, one hundred and eighty-three million pounds. The previous maximum fine in the UK under the Data Protection Act (1998) was a more modest £500k.

One interesting point is that the BA hack was a supply-chain hack – one of their suppliers was compromised, not BA directly, but the ICO ruled that BA, not the third party, was responsible for end-user data.

Are “death and taxes” the only certainties in life? Add “data breaches and ICO fines” to that list in this post-GDPR world.

Information Commissioner Elizabeth Denham said: 

“People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft, it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data, you must look after it. 

Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

BA fined record amount for data breach.

A Strong Message to all Data Controllers

The industry has therefore seen a change: the fine was imposed for a lack of preparation rather than for a poor response to the attack. The ICO did not impose the maximum fine at its disposal; BA was charged one and a half per cent of its global annual turnover for the year ending 31 December 2018.

Diane Yarrow, partner and commercial solicitor at award-winning law firm Gardner Leader solicitors commented: 

“The penalty is substantial. There are various factors considered when setting the level of the fine, which include: the number of people affected and the level of damage suffered, the negligent character of the infringement, the degree of responsibility of the controller and the categories of personal data affected by the infringement, amongst other things.

Evidently, given the vast number of customers affected and the details compromised, the ICO deemed it fit to order a substantial penalty sending a strong message to all data controllers.”

Your Supply Chain – “their risk is your risk”

In recent years we have seen multiple talks from academics about the threat to businesses from their own supply chains, a topic to be discussed in greater detail in a future blog post.

How can you be sure of the uniqueness of your code? Most code is not custom code built by your own team; it comes from code libraries.

This is where vulnerabilities are introduced, and this is how the BA hack happened in 2018. The attacker’s strategy was to target a smaller supplier (a code library, i.e. a software component) in order to reach the actual target (BA).

The website was hacked and replaced with code that collected the personal and financial information of users.

Uleska, your comfort blanket

Wrapping up, Uleska is here to help your business with your application security scalability challenge.

Uleska can remove the repetitive, manual configuration for each scan and automate this.

By scanning code to match your software deployment schedule – testing more frequently and removing more vulnerabilities than waiting until the end of your SDLC – you can bolster your organisation’s security scope. Uleska can recommend fixes for your development teams, whether on-site, offshore or suppliers.

Uleska will also give you your value at risk: how much each vulnerability will cost you in the event of a data breach, based on information from the FAIR Institute, in conjunction with one of the big four.

Uleska News 

Before getting into some of the latest industry news, Uleska is delighted to announce the newest member of the team, Ed Montgomery. Ed has a wealth of experience in the cyber security industry and is the new Account Director for Uleska, as well as an editorial contributor. 

Ed has expressed his excitement about Uleska’s unique value at risk reporting, with the translation of vulnerabilities put into financial value to help companies prioritise the triage of web apps, he can’t wait to immerse himself within the ever-expanding Uleska community. 

So, if you have a question about any of the Uleska products or any of the topics discussed then please contact

Uleska can help you continuously secure your software whilst also

With the recent news of BA facing a record fine of £183m for last year’s data breach, 1.5 per cent of its revenue, organisations need to consider how to avoid a similar fate.

It is believed that the hackers accessed the information of an estimated half a million people, according to the Information Commissioner’s Office (ICO), through a vulnerability in third-party JavaScript used on the website.

Third-party failure is also widely accepted as the cause of the Ticketmaster data breach in 2018. As we can see, this kind of attack can have major financial consequences when it infiltrates huge organisations, not to mention the damage to brand and reputation.

BA may be surprised and disappointed by the recent decision, but the real question is how we can prevent such an attack, and the resulting fine, from happening again when organisations rely on third-party vendors.

A recent Freedom of Information request to the Financial Conduct Authority (FCA) revealed that between January 2018 and December 2018 there were 174 third party failures for businesses in the UK.

The figure had already reached 79 between January 2019 and May 2019, with some also suggesting that under-reporting of issues still makes these figures inaccurate.

BA may have acted quickly when the breach came to light, but unfortunately the ICO doesn’t care how quickly you react. The regulation is in place so that customers can safely enter credit card details and personal information on a site or app without malicious JavaScript code potentially harvesting their sensitive data.

One of the points of introducing GDPR was to make businesses act proactively on cyber security, creating a way to suppress third-party attacks, but unfortunately the frequency of these attacks has not stalled.

There are tremendous benefits to be gained from embracing supply chain methods for your organisation and customers. Today’s competitive business environment demands it. But strong governance is a must when it comes to sourcing and using third parties.

Some of the ways practitioners have advised defending against third-party attacks come in the form of credit card processing, cloud storage, document management software and single sign-on solutions.

Evaluating the security and privacy policies of all third-party suppliers means the likelihood of a breach falls dramatically. Once you know all your vendors and which of them have access to sensitive data, a variety of tools are available to help assess the level of their security.

Uleska has been able to defend against third-party failures by orchestrating security tools to check all third-party code, even after changes have been made to it. This means that third-party vendors can sell with confidence to major clients, knowing that their code is continuously being checked and that the relevant people are notified about any new or existing vulnerabilities.

This method has allowed us to secure continually against third-party attacks in an efficient manner, conducive to reducing the number of serious data breaches that can affect some of the world’s top organisations.

Understanding where risks lie within your digital ecosystem, tailoring controls according to those risks, and collaborating with those third parties to remediate and mitigate them is just one of the many ways your organisation can combat third-party failures.

For further information on third party attacks and failures you can join us at the next Uleska webinar, which will be covering the topic in more depth. Contact for full details of the registration process.

Infosecurity Europe 2019, held in the Olympia, London, is a leading event in the cyber security calendar bringing business, tech and communities together. Uleska CEO and founder Gary Robinson was a speaker at the event, addressing two prevalent cyber issues, whilst Uleska exhibited to a plethora of cyber practitioners. Here are just some of the key trends Uleska noticed throughout the event.

Automation and orchestration continue to be a trend driving the wider cyber security industry. On the security operations side, Security Orchestration, Automation, and Response (SOAR) is gaining a firm foothold in organisations’ mindsets.

On the software security side, by contrast, Application Security Testing and Orchestration (ASTO) is a few years behind SOAR, yet the success of SOAR is helping organisations see the value of ASTO.

Numerous visitors to the Uleska booth were attracted by an independent (i.e. non-tool-vendor) view of the coverage that combinations of technical tooling provide against the security standards and regulations they need to meet.

Many security tool vendors have marketing departments that promise to cover every technical issue, yet the industry realises this is not the case. While organisations accept that no one tool will fix everything, they are finding it hard to get independent advice on what tool coverage they do need.

Chief Risk Officers (CROs) have to deal with a lot of data. Cyber security has fought for years to get onto both the board and risk agendas and is now a firmly placed issue that must be addressed.

However, CROs have many aspects to consider: finance, human resources, natural disasters and geopolitics, with cyber security being one more issue on that list.

Yet within each aspect there are many subplots; for cyber these include ransomware, viruses, network security, infrastructure security, application security and more.

As previously mentioned, this means that each element the CRO has to manage, measure and report on has to be succinct – the best case being one number or statistic that shows the current state, the impact, and whether things are getting better or worse.

Application security has historically been awful at this, throwing thousands of technical issues and high/medium/lows to describe the current state, which is simply not consumable for a CRO.

Cyber value-at-risk, culminating in a single monetary risk number that changes with the real risk in the software estate, provides such a measure that CROs can work with.

Many organisations are interested in maturing to a ‘standards-based approach’ to security testing, instead of a ‘tools based approach’. 

This means they are looking at the standards and regulations they need to adhere to, and asking “Which tools and processes can be combined to provide as much coverage of these as possible?”. 

This is a much more comprehensive approach than previous doctrine which started with using one or two tools or processes, allowing them to find issues towards the end of a project, fixing those issues, and then assuming all standards and regulations were covered.

This was done without any analysis of how those tools and processes aligned to the standards and regulations, which led to blind spots in their technical programs, which in turn led to breaches.