Oxeye’s cloud-native application security platform aims to integrate with CI/CD and cloud-native environments, adding context to each vulnerability it finds so that development and application security (AppSec) teams can discover the application, understand its structure and its vulnerabilities, and prioritize them based on that context.
“We are looking to take the application security testing landscape, finding vulnerabilities in the code, finding vulnerabilities in third-party packages, finding hard-coded secrets, and validating that applications arrive at production when they’re overly secured. We’re taking this landscape and actually rebuilding it towards the cloud-native era,” says Dean Agron, CEO & Co-Founder at Oxeye, on the latest episode of TFiR Newsroom.
Key highlights of this video interview are:
- Although developers are taking more ownership over security, the shift towards cloud native creates challenges for existing solutions not designed for distributed architectures. Agron discusses the three key challenges developers face nowadays with cloud-native applications.
- Agron discusses how the approaches used in Oxeye’s cloud-native application security testing differ from traditional application security methods.
- Misconceptions around cloud adoption and its security continue to prevail. Agron explains how the big cloud players provide you with the basic tools; however, gaps between the basic and advanced solutions continue to be a challenge.
- Agron discusses how Oxeye’s cloud-native application security testing platform works and the value it brings to developers and DevOps teams.
- Agron talks through some key use cases Oxeye sees in the enterprise space and how Oxeye’s solutions are working for these customers.
- Although Oxeye’s new platform aims to tackle some of the security challenges enterprises face nowadays, there are still areas that the company sees as core challenges. The combination of application layer vulnerabilities with infrastructure configuration continues to be an area Oxeye’s research team is focusing their attention on. Agron discusses the complexities of this challenge in further detail in this video.
The summary of the show is written by Emily Nicholls.
Here is the automated and unedited transcript of the recording. Please note that the transcript has not been edited or reviewed.
Swapnil Bhartiya: Hi, this is your host Swapnil Bhartiya and welcome to another episode of TFiR Newsroom. And today we have with us once again, Dean Agron, CEO and co-founder of Oxeye. Dean, it’s great to have you on the show.
Dean Agron: Thank you, so glad to be here.
Swapnil Bhartiya: Yeah. And today we’re going to talk about the availability of the Cloud Native application security testing platform. So tell us a bit about it. What is it?
Dean Agron: So generally speaking, at Oxeye we are looking to take the application security testing landscape, finding vulnerabilities in the code, finding vulnerabilities in third party packages, finding hard coded secrets, validating that applications arrive at production when they’re overly secured. We’re taking this landscape and actually rebuilding it towards the Cloud Native era. Building a solution which integrates with CI/CD and Cloud Native environments, building a solution that adds context, the Cloud Native context for each vulnerability that it finds, and eventually allows the dev teams and security AppSec teams to discover the application, understand its structure, understand the vulnerabilities, prioritize them based on the context and provide the developers and AppSec teams with clear remediation guidance on how to resolve these vulnerabilities.
Swapnil Bhartiya: If you look at security vulnerability, there are two things happening. Number one is that there is much more awareness now. Also, unlike in the early days where security was someone else’s problem, it is moving into developer DevOps. There are specific roles, DevSecOps teams that look at it. But to be honest with you, the roles now overlap so much that the same folks end up doing everything else in most cases. And the second thing is the cloud adoption is growing, which also means there are a lot of players who are embracing cloud. And if you look at just the complexity of cloud, it makes things very, very challenging. So when you look at these two things, what are the new challenges that you see out there for the developer DevOps team, sorry, team, whatever label you call that, that you are like, “Hey look, this is a big problem. Let’s solve this.” And that’s why I created this interesting platform.
Dean Agron: So I would take each of the things you said and then collaborate all of them together. On the one hand, we see major growth in the amount of developers and because of that, because the ratio of developer teams to AppSec teams is becoming so high, developers must take more ownership over security. They need… There are new roles today, DevSecOps, product security, security champions within the dev organization. And they’re sharing the responsibility and ownership over security together with the AppSec engineers who have been there all along. So that’s on the one hand. On the other hand, the shift towards Cloud Native, towards distributed, container based, microservice based applications created, I would say, new gaps for existing solutions that were not designed for distributed architectures. And the result, like in every security product, is not that there are no results.
It’s the other way around. There are too many results. And these cause frustration among the teams that now need to collaborate better, because of what I’ve started with. So if I need to define it into three categories, I would say the first one is too many vulnerabilities. The technology hasn’t shifted yet. The solution remains the same, so the solutions are not designed towards distributed environments. That’s one. The second thing is that security teams, and AppSec teams specifically, are not familiar with the structure of this modern app because it has many components. So it’s the visibility. And the third part is, I would say, the need to overcome the frustration between the teams. Today, you have developers, you have AppSec, you have product security. They all need to collaborate and be able together to make the application more secured. So these are, I would say, the challenges that we see.
Swapnil Bhartiya: There were traditional security vendors who are now also offering their solutions for cloud. And then there are next generation, Oxeye kind of folks who are born in the Cloud Native era and they are approaching security from that perspective. So if we look at just Oxeye, how different is it? You know, from the approach that either traditional security vendors take or the NextGen vendors as well.
Dean Agron: So I would say that there are many cloud security players, but most of them focus on the infrastructure, on the VM, on the container, the cloud and the cluster. They are not focusing on the actual code written by the developers. And that’s exactly the spot where Oxeye comes in. Now regarding the supply chain challenge, I agree with you, in many companies today more than 70% of the code is a combination of third party packages and open source. So there’s a need today to not only scan the open source code, the third party packages, and understand whether they are updated or not.
But there’s a need for more focus there to understand whether these packages are actually in use or not. Because if they’re not in use, then they may be not updated, but it’s not that severe of a vulnerability. But if we have a package, an open source solution with a legacy version that is vulnerable and it is used, and it is accessible from the internet, then that package must be updated to keep the application safe. And I think that’s where the next generation solutions come in. Adding the context, understanding not only if there is a vulnerable package or not, but what is the context in which it is executed?
Swapnil Bhartiya: A lot of folks who are moving to cloud, sometimes there is a misconception that cloud is going to take care of everything. The fact is, yes, it is elastic. It is scalable, but then there are a lot of things that you still have to deal with yourself. Security is one of those many things. So what have you seen in that space where you’d come across customers or developers who were like, “Hey, you know what, yeah, I will move to the cloud” and it should have taken care of everything instantly. Nope, that’s still your problem.
Dean Agron: So I would say in many cases, the cloud vendors and the big players, or the big cloud players, will provide you the… I would say the most basic tools. The ones that if you want to say that you’re using it. Okay. So you’re using it. But in many companies whose security posture is, I would say, medium to high, they need more than just the check box. They need a solution that they can really trust in case someone tried to attack them. They are secured solutions that will validate their applications, whether or not those are vulnerable. And I would add one more thing specifically regarding code vulnerabilities.
The entry level solutions can create too much noise. And that’s the gap between the advanced solutions, which point out a short list of vulnerabilities, and the entry level solutions that provide a very long list of vulnerabilities where you don’t know what to start with. And that’s, again, where the more advanced, I would say, deep tech solution comes into place on top of the basic functionalities that are provided by most of the cloud vendors and ecosystem players in the cloud today.
Swapnil Bhartiya: Now I want to just go a bit deeper into it. Can you also explain how this testing platform works? And what value does it bring to developers and DevOps teams?
Dean Agron: So Oxeye actually consolidates the application security testing landscape by offering in one solution a combination of technologies, static technologies, dynamic technologies, interactive technologies, and SCA technologies, but Oxeye actually looks at it not as many solutions on the application, but as a funnel. You start with one solution. Then you take the results and pass them through a filter, which is another solution. And each and every step of the way, the amount of exploitable vulnerabilities goes down because we start with scanning the code, and then we move on to application flow tracing to understand whether this code is accessible from the internet. And then on the vulnerabilities that are accessible from the internet, we initiate active validation to actually validate that these vulnerabilities can actually be exploited. And all of that is done by deploying a container within the testing environment with a kubectl apply.
And that’s it. It’s a very quick and easy deployment. The time to value is between minutes to one to two hours, that’s it, that’s the time it takes. Deploying Oxeye is a kubectl apply of a file or a Helm chart. And once it is deployed, it’ll auto update. So it’s very, very quick and easy. It’s part of the CI/CD. And once it is deployed, it will initiate the whole test cycle, or the whole funnel cycle, of scanning the code, adding application flow tracing, then validating via dynamic fuzzing, and eventually providing the developers the short list of vulnerabilities with clear remediation guidance.
Swapnil Bhartiya: Can you also talk about, of course we touched upon it earlier, what are some of the key use cases that you see for Oxeye in the enterprise space? Because as we talked earlier, it’s a busy and crowded space.
Dean Agron: So one of the main use cases is customers coming and saying, “I’m using the incumbents in this market.” They just don’t work properly when it comes to Cloud Native, to modern environments, because they create too long a list. I need to clear the noise. So clearing the noise is the number one use case of working with Oxeye. The second one is, and here I’m focusing on the supply chain, is let’s say that I found a vulnerable package, SCA, Log4Shell, for example, a well known vulnerable package. I have hundreds of instances. Where do I start? Which ones do I spend the weekend on fixing? And that’s where Oxeye finds the in-use packages, not just the long list of packages. And I think these are the main two use cases. And another functionality that we added is the software bill of materials, to allow the AppSec team to actually understand how the application is structured, what are the building blocks? And then they can map better what was tested, what was not tested, and improve the security posture of the application. Perfect.
Swapnil Bhartiya: Today, we are talking about this new platform that you are announcing. Of course there are a lot of things in the pipeline that we can or cannot talk about at this point. We’ll wait for those. But if I ask you now, what are the things that are still gray areas that you see, that you’re like, “Hey, no, we still have to solve those,” which will actually give us a glimpse of what else to expect from Oxeye.
Dean Agron: Sure. So I would say one of the core challenges is the combination of application layer vulnerabilities with infrastructure configuration, because this is new, it’s a greenfield. And this is exactly where the Oxeye research team is focusing, on understanding better how the infrastructure configuration and execution affect the application layer and vulnerabilities. Because if you have a vulnerability whose criticality is much higher because of the way the container is configured, it may affect the whole vulnerability prioritization. And that’s a major thing Oxeye is working on these days. In addition, of course, to broadening the support and accuracy with the amount of languages we support, and within each language to add more and more knowledge into the vulnerability assessment process.
Swapnil Bhartiya: Dean, thank you so much for taking time out today, and of course to talk about not only this new platform that you folks are offering, but also the largest problem that is there for DevOps teams when it comes to security in the Cloud Native space. And as usual, I would love to have you back on our show. Thank you.
Dean Agron: Thank you very much, Swap. Glad to be here.