In an era dominated by Digital Transformation, consumers have come to expect digital applications to be embedded in their lives, almost as an extension of themselves. The need to produce new features to keep and attract customers puts pressure on an organisation's risk and security program.

Striking a balance between releasing the latest digital capabilities and maintaining security depends heavily on software testing.

The strength of an organisation's software testing processes plays a crucial role in business continuity: downtime leads to lost revenue and reputational harm and, where personal data is exposed, to penalties for GDPR non-compliance.

However, businesses hesitate to invest in cyber security testing programs because they increase IT costs without visibly adding to the company's bottom line.

Many cyber security programs are also complex and inefficient, and may not reduce a company's risk in any measurable way.

Modern software processes can create new features faster than ever, yet most security processes cannot keep up. Producing code at this speed without matching security testing is a huge gamble.

Any software bug can cause errors that bring down services, but security bugs are far more likely to cause serious harm or prolonged downtime, since an attacker can trigger them deliberately rather than waiting for them to occur by chance.

Gartner analysts have estimated the average cost of downtime at £4,500 a minute for organisations, before accounting for the reputational damage a major data breach caused by poorly tested code could do.

As organisations move to DevOps and Agile models, or through Digital Transformation more broadly, software teams can release new features continually and often push code updates as fast as they are written.

What could go wrong?

This pressure means security bugs go undiscovered or unfixed in the code, with numerous consequences for organisations, including major fines: regulatory regimes such as GDPR and the Singapore MAS (Monetary Authority of Singapore) requirements place increasing emphasis on ongoing security checks and assurance.

This has led many companies to ask: 'How can we reduce the risk in the software and features we ship every day, whilst protecting ourselves from the trend of serious data breaches and downtime?'

Well, let’s see the current best practices and options:

  • Testing – Continual security testing lets companies keep up the speed of development whilst mitigating real-time business risks. Gartner states that wrapping security into DevOps and Agile "integrates security tooling across a software development life cycle (SDLC), typically as part of DevSecOps initiatives."
  • Risk analysis – Combining continual testing with integrated cyber risk analysis allows companies to understand immediately both the technical and the business risk of the software they are developing today. Armed with this information, companies can reduce their cyber risk, their IT costs and their cost of compliance faster than their competitors.
  • Automation – At the technical level, this means automating and integrating all the security tools an organisation needs to test throughout the SDLC. This can be difficult to achieve, but once in place it makes application vulnerability testing much more efficient and reduces the complexity of the technical work.
  • Transparency – The resulting prioritisation of remediation helps executives manage risk across all software in their organisation.
  • Collaboration – Frequent, effective security testing helps development and operations teams coordinate the many security tests that should be performed on code. Continual security testing and risk analysis solutions can therefore be a significant enabler of both speed of development and secure code, taking the pressure off developers and keeping an organisation up to date.

Top Tips

Gartner also states six principles of trust and resilience that could help you to manage the security behind quickly released software.


The six principles are as follows:

  • Stop focusing on check-box compliance, and shift to risk-based decision making.
  • Stop solely protecting infrastructure, and begin supporting business outcomes.
  • Stop being a defender, and become a facilitator.
  • Stop trying to control information, and instead understand how it flows.
  • Accept the limits of technology, and become people-centric.
  • Stop trying to perfectly protect your organisation, and invest in detection and response.

The NCSC also publishes a number of principle-based guidance documents that can help you assess your security posture against your current rate of software deployment.

Digital transformation is re-shaping industries at an incredible pace. It is designed to reduce IT costs and provide faster time to value, yet all too often security becomes a blocker to this transformation. Halting this innovative movement would halt progress and hand the advantage to your competitors; slowing down the development of software hinders the capabilities of technology, which is not what we need.

Instead, a centralised security testing system that gives organisations a simple and efficient way to report and remediate issues can save businesses from further disruption.

Regulatory landscapes are changing at an unprecedented rate; understanding and reporting these issues clearly can create a security-conscious, communicative business model, and in the process justify larger budgets for security teams.

If these challenges apply to you, contact Uleska to learn more about how the Uleska Platform automates security testing and risk analysis, while the Uleska Consulting team deliver efficient and effective technical security consulting.

Uleska partners with Veracode to help businesses in UK and worldwide scale application security and automate security testing.

LONDON, UK – Oct. 04, 2019 – Uleska, a web-based platform which examines a software application to be built, along with the security regulations that apply to it, and proactively generates the necessary software security checks and reports, today announced it has signed an agreement to partner with Veracode, a global software security leader.

Uleska is now an Authorized Reseller of the Veracode platform, allowing Uleska to help its customers combat modern security threats by managing and automating a range of security testing tools, including Veracode’s innovative application security solutions.  

Veracode’s SaaS platform, which includes static analysis, dynamic analysis, software composition analysis (SCA), and manual penetration testing, assists developers with finding and fixing security-related defects throughout the software development lifecycle. The platform offers a holistic, scalable approach to AppSec in one centralized view. It allows businesses to identify and resolve critical vulnerabilities while ensuring regulatory compliance without sacrificing speed or innovation.

The partnership is based on a shared vision of secure software development. Veracode and Uleska help companies make security a seamless part of the development process, so that they can both find and fix security defects and use software to achieve their missions, which aligns with Uleska's core values as a software security organisation.

Why Uleska and Veracode?

Software has transformed the way we conduct a range of incredibly important tasks and fuels the operations of businesses in every sector. Yet most software contains flaws. According to Veracode’s State of Software Security (SoSS) report, more than 85 per cent of all applications have at least one vulnerability in them; more than 13 per cent have at least one critical severity flaw.

The role software now plays, together with today's development paradigms, is key to effective information security.

Uleska understands that without innovative software security measures and clear communication amongst executives, software vulnerabilities could expose sensitive data or lead to a costly data breach.

Uleska’s groundbreaking Cyber Value-at-Risk Reporting, driven by the risk and compliance needs of the organisation, is complemented by technical security testing that can be automatically achieved.

As a Veracode partner, Uleska can provide an accurate view of software security vulnerabilities and recommendations for fixing them, allowing companies to create secure software. Uleska is incredibly excited about this opportunity and views the partnership as an avenue to continued success in the rapidly growing global application security market.

About Veracode

With its combination of automation, process, and speed, Veracode becomes a seamless part of the software lifecycle, eliminating the friction that arises when security is detached from the development and deployment process. As a result, enterprises are able to fully realize the advantages of DevOps environments while ensuring secure code is synonymous with high-quality code. 

Veracode serves more than 2,100 customers worldwide across a wide range of industries. The Veracode Platform has assessed more than 10 trillion lines of code and helped companies fix more than 36 million security flaws.

Learn more at, on the Veracode blog and on Twitter.

Infosecurity Europe 2019, held in the Olympia, London, is a leading event in the cyber security calendar bringing business, tech and communities together. Uleska CEO and founder Gary Robinson was a speaker at the event, addressing two prevalent cyber issues, whilst Uleska exhibited to a plethora of cyber practitioners. Here are just some of the key trends Uleska noticed throughout the event.

Automation and orchestration continues to be a trend driving the wider cyber security industry. On the security operations side, Security Orchestration, Automation, and Response (SOAR) is gaining a firm foothold in organisations' thinking.

On the software security side, Application Security Testing and Orchestration (ASTO) is a few years behind SOAR, yet the success of SOAR is helping organisations see the value of ASTO.

Numerous visitors to the Uleska booth were attracted by an independent (i.e. non-tool vendor) view of the coverage provided by combinations of technical tooling against their security standards and regulations they need to meet. 

Many security tool vendors' marketing departments promise to cover every technical issue, yet the industry knows this is not the case. While organisations accept that no one tool will fix everything, they find it hard to get independent advice on what tool coverage they do need.

Chief Risk Officers (CROs) have to deal with a lot of data. Cyber security has fought for years to get onto both the board and risk agendas and is now a firmly placed issue that must be addressed.

However, CROs have many aspects to consider, from finance and human resources to natural disasters and geopolitics, with cyber security being one more issue on that list.

Yet within each aspect there are many subplots; for cyber these include ransomware, viruses, network security, infrastructure security, application security and more.

As previously mentioned, this means that each element the CRO has to manage, measure and report on has to be succinct, the best case being a single number or statistic that shows the current state, the impact, and whether things are getting better or worse.

Application security has historically been awful at this, throwing thousands of technical issues and high/medium/lows to describe the current state, which is simply not consumable for a CRO.

Cyber value-at-risk, culminating in a single monetary risk number that changes with the real risk in the software estate, provides such a measure that CROs can work with.

Many organisations are interested in maturing to a ‘standards-based approach’ to security testing, instead of a ‘tools based approach’. 

This means they are looking at the standards and regulations they need to adhere to, and asking “Which tools and processes can be combined to provide as much coverage of these as possible?”. 

This is a much more comprehensive approach than the previous doctrine, which started with one or two tools or processes, used them to find issues towards the end of a project, fixed those issues, and then assumed all standards and regulations were covered.

This was done without any analysis of how those tools and processes aligned to the standards and regulations, which has led to blind spots in technical programs and, in turn, to breaches.
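The standards-based question above ("which tools and processes can be combined to provide as much coverage as possible?") and the independent coverage view visitors were asking for at the Uleska booth can both be made concrete as a small coverage analysis. The following is an added example, not Uleska's or Veracode's code: the control names, the tool-to-control mapping and the starting tool set are constructed for illustration and do not reflect any real standard or product. It reports the blind spots of a "tools-based" starting point and then uses a greedy set-cover pass to pick the additional tools or processes that close the most remaining gaps.

```python
"""Standards-based coverage analysis (added example; constructed data).

Given the controls an organisation must evidence and the controls each tool or
process is assumed to cover, report the blind spots of the current tool set and
choose additional tools greedily so that each pick closes the most open gaps.
"""
from typing import Dict, List, Set, Tuple

# Hypothetical control catalogue. These are illustrative labels, not the text
# of GDPR, MAS or any other standard.
REQUIRED_CONTROLS: Set[str] = {
    "input-validation", "authn", "authz", "crypto-at-rest", "crypto-in-transit",
    "dependency-vulns", "secrets-in-code", "infra-misconfig", "logging",
    "business-logic",
}

# Hypothetical mapping of tool/process -> controls it gives evidence for.
# In practice this table is the "independent view" the text describes and
# must be built from what each tool actually detects, not its marketing.
TOOL_COVERAGE: Dict[str, Set[str]] = {
    "sast":           {"input-validation", "crypto-at-rest", "secrets-in-code"},
    "sca":            {"dependency-vulns"},
    "dast":           {"input-validation", "authn", "crypto-in-transit"},
    "iac-scan":       {"infra-misconfig", "crypto-in-transit", "logging"},
    "manual-pentest": {"authz", "business-logic", "authn"},
    "threat-model":   {"business-logic", "authz", "logging"},
}


def coverage(tools: List[str],
             required: Set[str] = REQUIRED_CONTROLS,
             catalogue: Dict[str, Set[str]] = TOOL_COVERAGE) -> Tuple[float, Set[str]]:
    """Return (fraction of required controls covered, set of uncovered controls)."""
    covered: Set[str] = set()
    for tool in tools:
        covered |= catalogue[tool]
    gaps = required - covered
    return (len(required) - len(gaps)) / len(required), gaps


def fill_gaps(current: List[str],
              required: Set[str] = REQUIRED_CONTROLS,
              catalogue: Dict[str, Set[str]] = TOOL_COVERAGE) -> List[str]:
    """Greedy set cover: repeatedly add the tool that closes the most open gaps.

    Stops when every required control is covered or when no remaining tool
    covers any open gap (a control no tool evidences stays a blind spot and
    must be handled by a process or accepted as risk).
    """
    chosen = list(current)
    _, gaps = coverage(chosen, required, catalogue)
    added: List[str] = []
    while gaps:
        best = max((t for t in catalogue if t not in chosen),
                   key=lambda t: len(catalogue[t] & gaps), default=None)
        if best is None or not catalogue[best] & gaps:
            break  # nothing left that helps
        chosen.append(best)
        added.append(best)
        gaps -= catalogue[best]
    return added


if __name__ == "__main__":
    # "Tools-based" starting point: one SAST and one DAST tool, nothing else.
    baseline = ["sast", "dast"]
    frac, gaps = coverage(baseline)
    print(f"baseline coverage: {frac:.0%}, blind spots: {sorted(gaps)}")
    extra = fill_gaps(baseline)
    frac_after, gaps_after = coverage(baseline + extra)
    print(f"add {extra} -> coverage {frac_after:.0%}, blind spots: {sorted(gaps_after)}")
```

Ties in the greedy pass are broken by catalogue order, so list tools in order of preference (cheapest or already-licensed first). The point of the exercise is the table itself: once tool capabilities are written down against the controls you must meet, blind spots become visible before a project ends rather than after a breach.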

Uleska recently exhibited at CyberUK 2019 in Glasgow’s Scottish Event Campus. The event highlighted the progress that needs to be taken within cyber security and showcased innovative solutions currently on the market. Here are Uleska’s top five takeaways from the event.

CyberUK is the UK government’s flagship cyber security event. Hosted by the National Cyber Security Centre (NCSC), it features world-class speakers, solutions and opportunities for interaction between the public and private sectors.

The conference showcased evolving cyber threats that face the UK and how we must respond as individuals and organisations to keep cyber security one step ahead of malicious hackers.

Here are our top five security trends.

1) Many companies are in need of faster and more frequent software security checks and assurance.

In today’s software-driven climate, major companies are releasing software updates thousands of times a day. Amazon, for example, was doing a production deployment every 11.6 seconds in 2013.

Current testing to determine the weaknesses within an application can take months, and with software releases being pushed so frequently the traditional processes simply cannot guarantee software security.

This lack of speed and frequency can lead to release and security management practices being ignored. Akin to building skyscrapers from the same materials we used to build huts, if this continues we can expect software to continue to randomly, and catastrophically, fail.

The need for faster and more frequent security testing has also been linked to the skills gap within cyber.

Gillian Arnott, International Communications and Marketing Manager, and Nick Chaffey, Chief Executive UK and Europe for Northrop Grumman, asked how we are going to meet the government target of filling 1.2m new technical roles.

Through engaging, educating and enthusing a new generation of cyber security practitioners, they are confident that new talent can be found to drive innovative ways of testing faster and more frequently.

2) Automation and orchestration of software security is moving from industry advisories, such as Gartner and Forrester, into everyday practice by industry.

Input from both Gartner and Forrester on the importance of automation and orchestration within security testing has moved from advice to everyday practice.

Last year, for example, Gartner advised that by 2020, 15 per cent of organisations with five or more IT security professionals will be using automation and orchestration tools for security testing.

This advice has already started to work its way into best practices and many are taking the ASTO approach to security testing.

Speaking at CyberUK, Colin Slater, Cyber Security Partner at PwC, confirmed that these practices are coming to fruition. He described automation and orchestration services that let organisations hunt the threats they need to focus on, rather than just chase alerts.

3) Consulting organisations servicing the public sector are being asked to innovate around their services, due to pressures on time, scope, and pricing.

The public sector faces a multitude of pressures, not least the financial challenge of shrinking budgets and increased expectations of service users.

Due to the speed of software development, the growing scope of vulnerabilities and the expense of traditional security testing, security companies serving the public sector are having to change the way they approach security testing and operations.

4) Regulatory concerns, in terms of breach fines, continue to be the largest driving factor in the procurement of cyber security services.  However, with more and more public sector initiatives involving software, the scale of this challenge is growing fast.

If a data breach doesn’t kill your business, the fine might.

Breaches and the associated fines have a massive negative impact on a company’s customer base, particularly if the breach involved sensitive data.

This fine-driven fear has prompted numerous organisations to acquire cyber security resources; however, these organisations are now starting to see the scale of security needed as software-based initiatives multiply.

5) The NCSC's Cloud First guidance and its 14 Cloud Security Principles are proving to be strong advisories, which public sector departments are bringing into their procurement and evaluation discussions.

Everyone wants to know that their information is safe and secure and businesses have legal obligations to keep client data secure.

Two of the NCSC's most senior researchers into cloud usage outlined some of the biggest threats that come with using the cloud. Their talk covered some of the 14 principles in greater detail and presented the latest thinking on IaaS vs. "serverless" technologies.

NCSC’s 14 principles include the likes of a Governance framework, identity and authentication and secure development.

This guidance sets out the context for the 14 Cloud Security Principles, including their goals and technical implementation, so that personnel at any level of an organisation can understand the framework needed for safer use of the cloud.