Posts

Uleska partners with Veracode to help businesses in UK and worldwide scale application security and automate security testing.

LONDON, UK – Oct. 04, 2019Uleska, a web-based platform which examines a software application to be built, along with security regulations, and proactively generates necessary software security checks and reports, today announced it has signed an agreement to partner with Veracode, a global software security leader.

Uleska is now an Authorized Reseller of the Veracode platform, allowing Uleska to help its customers combat modern security threats by managing and automating a range of security testing tools, including Veracode’s innovative application security solutions.  

Veracode’s SaaS platform, which includes static analysis, dynamic analysis, software composition analysis (SCA), and manual penetration testing, assists developers with finding and fixing security-related defects throughout the software development lifecycle. The platform offers a holistic, scalable approach to AppSec in one centralized view. It allows businesses to identify and resolve critical vulnerabilities while ensuring regulatory compliance without sacrificing speed or innovation.

The partnership is based on shared vision of secure software development. Veracode and Uleska help companies make security a seamless part of the development process. This allows them to both find and fix security defects so that they can use software to achieve their missions, which aligns with Uleska’s core values as a software security organisation.

Why Uleska and Veracode?

Software has transformed the way we conduct a range of incredibly important tasks and fuels the operations of businesses in every sector. Yet most software contains flaws. According to Veracode’s State of Software Security (SoSS) report, more than 85 per cent of all applications have at least one vulnerability in them; more than 13 per cent have at least one critical severity flaw.

The new role of software and today’s development paradigms is now key to effective information security.

Uleska, ultimately, understands that without innovative software security measures and clear communication amongst executives, software vulnerabilities could exposed sensitive data or lead to a costly data breach.

Uleska’s groundbreaking Cyber Value-at-Risk Reporting, driven by the risk and compliance needs of the organisation, is complemented by technical security testing that can be automatically achieved.

As a Veracode partner, Uleska can provide an accurate view of software security vulnerabilities and recommendations for fixing them, allowing companies to create secure software. Uleska is incredibly excited about this opportunity and views the partnership as an avenue to continued success in the rapidly growing global application security market.

About Veracode

With its combination of automation, process, and speed, Veracode becomes a seamless part of the software lifecycle, eliminating the friction that arises when security is detached from the development and deployment process. As a result, enterprises are able to fully realize the advantages of DevOps environments while ensuring secure code is synonymous with high-quality code. 

Veracode serves more than 2,100 customers worldwide across a wide range of industries. The Veracode Platform has assessed more than 10 trillion lines of code and helped companies fix more than 36 million security flaws.

Learn more at www.veracode.com, on the Veracode blog and on Twitter.

Infosecurity Europe 2019, held in the Olympia, London, is a leading event in the cyber security calendar bringing business, tech and communities together. Uleska CEO and founder Gary Robinson was a speaker at the event, addressing two prevalent cyber issues, whilst Uleska exhibited to a plethora of cyber practitioners. Here are just some of the key trends Uleska noticed throughout the event.

Automation and orchestration continues to be a trend that is driving the wider cyber security industry. On the security operations side, Security Orchestration, Automation, and Response (SOAR) is gaining a firm foothold in the organisation’s mindsets.

In contrast to the software security side, Application Security Testing and Orchestration (ASTO) is a few years behind SOAR, yet the success of SOAR is helping organisations’ see the value of ASTO.

Numerous visitors to the Uleska booth were attracted by an independent (i.e. non-tool vendor) view of the coverage provided by combinations of technical tooling against their security standards and regulations they need to meet. 

Many security tool vendors will have marketing departments which promise to cover every technical issue, yet the industry realises this is not the case.  While organisations accept that no one tool will fix everything, they are finding it hard to get independent advice as to what tool coverage they do need.

Chief Risk Officers (CROs) have to deal with a lot of data. Cyber security has fought for years to get onto both the board and risk agendas and is now a firmly placed issue that must be addressed.

However, CROs have many aspects to consider. From finance, human resources, natural disasters, and geopolitics, with cyber security being one more issue to be addressed on that list.

Yet within each aspect, there are many subplots, such as for cyber, ransomware, viruses, network security, infrastructure security, application security, and more.

As previously mentioned, this means that each element the CRO has to manage, measure, and report on has to be succinct – the best case being one number of stats that shows the current state, impact, and whether things are getting better or worse. 

Application security has historically been awful at this, throwing thousands of technical issues and high/medium/lows to describe the current state, which is simply not consumable for a CRO.

Cyber value-at-risk, culminating in a single monetary risk number that changes with the real risk in the software estate, provides such a measure that CROs can work with.

Many organisations are interested in maturing to a ‘standards-based approach’ to security testing, instead of a ‘tools based approach’. 

This means they are looking at the standards and regulations they need to adhere to, and asking “Which tools and processes can be combined to provide as much coverage of these as possible?”. 

This is a much more comprehensive approach than previous doctrine which started with using one or two tools or processes, allowing them to find issues towards the end of a project, fixing those issues, and then assuming all standards and regulations were covered.

All /processes were aligned to the standards and regulations. this without doing any analysis of how those tools. This has led to blind spots in their technical programs which led to breaches.

Uleska recently exhibited at CyberUK 2019 in Glasgow’s Scottish Event Campus. The event highlighted the progress that needs to be taken within cyber security and showcased innovative solutions currently on the market. Here are Uleska’s top five takeaways from the event.

CyberUK is the UK government’s flagship cyber security event. Hosted by the National Cyber Security Centre (NCSC), it features world-class speakers, solutions and opportunities for interaction between the public and private sectors.

The conference showcased evolving cyber threats that face the UK and how we must respond as individuals and organisations to keep cyber security one step ahead of malicious hackers.

Here are our top five security trends.

1) Many companies are in need of faster and more frequent software security checks and assurance.

In today’s software-driven climate, major companies are releasing software updates thousands of times a day. Amazon, for example, was doing a production deployment every 11.6 seconds in 2013.

Current testing to determine the weaknesses within an application can take months, and with software releases being pushed so frequently the traditional processes simply cannot guarantee software security.

This lack of speed and frequency can lead to release and security management practices being ignored. Akin to building skyscrapers from the same materials we used to build huts, if this continues we can expect software to continue to randomly, and catastrophically, fail.

The need for faster and more frequent security testing has also been pointed at the skills gap within cyber.

Gillian Arnott, International Communications and Marketing Manager, and Nick Chaffey, Chief Executive UK and Europe for Northrop Grumann asked the question of how we are going to meet the government target of filling 1.2m new technical roles.

Through engaging, educating and enthusing a new generation of cyber security practitioners, they are confident that they can capture new ability to push for innovative ways to test faster and more frequently.

2) Automation and orchestration of software security is moving from industry advisories, such as Gartner and Forrester, into everyday practice by industry.

Both Gartner and Forrester input’s into the importance of automation and orchestration within security testing has gone from advice to everyday practice.

Last year, for example, Gartner advised that by 2020 15 per cent of organisations with five or more IT security professionals will be using automation and orchestration tools to security test.

This advice has already started to work its way into best practices and many are taking the ASTO approach to security testing.

Speaking at CyberUK Cyber Security Partner at PwC, Colin Slater, backed up their everyday practices coming to fruition. He spoke about automation and orchestration services letting organisations hunt the threats they need to focus on, not just the alerts.

3) Consulting organisations servicing the public sector are being asked to innovate around their services, due to pressures on time, scope, and pricing.

The public sector faces a multitude of pressures, not least the financial challenge of shrinking budgets and increased expectations of service users.

Due to the speed of software development, the increasing scope of vulnerabilities and the expense of traditional security testing, public sector serving security companies are having to change the way they approach security testing and operations.

4) Regulatory concerns, in terms of breach fines, continue to be the largest driving factor in the procurement of cyber security services.  However, with more and more public sector initiatives involving software, the scale of this challenge is growing fast.

If a data breach doesn’t kill your business, the fine might.

Breaches and the associated fines have a massive negative impact on a company’s customer base, particularly if the breach involved sensitive data.

This fine driven fear has prompted numerous organisations to obtain cyber security resources, however, these organisations are starting to see the scale of security that is now needed due to the vast initiatives involving software.

5) The NCSC advisories on Cloud First and the 14 principles of Cloud Security are proving to be strong advisories, allowing public sector departments to involve these advisories in their procurement and evaluation discussions.

Everyone wants to know that their information is safe and secure and businesses have legal obligations to keep client data secure.

Two of the NCSC’s most senior researchers into cloud usage outlined some of the biggest threats that come with using the cloud. Their talked outlined some of the 14 principles in greater detail and presented the latest thoughts on laaS vs. “serverless” technologies.

NCSC’s 14 principles include the likes of a Governance framework, identity and authentication and secure development.

This advisory list details the context for the 14 Cloud Security Principles, including their goals and technical implementation, which means that any level of personnel in an organisation can understand the framework that needs to be in place for safer cloud security.