M. Loewinger, Smartbear: “Each product has a DevOps lead who manages Detectify and all its findings”

Detectify user story: Smartbear offers automated software testing solutions that help development and testing teams ensure quality throughout the software development lifecycle. Martin Loewinger, Director of SaaS Operations at Smartbear, and his team use Detectify to ensure security is a part of each product CI/CD pipeline, so that they can help their end users with test automation and monitoring.

What is your role at Smartbear?
I am the Director of SaaS Operations. I have the pleasure of leading the DevOps teams who support, maintain, and help build and design our SaaS platforms. Our DevOps teams are the leads when it comes to the platform’s infrastructure, configuration, security and deployments. We basically handle everything but creating the software. This past year I was fortunate enough to be given a development team to lead as well. I manage and lead the development efforts for our AlertSite product.

How does Smartbear work with security and development?
At SmartBear, some of our products service thousands of customers and span the globe. Detectify helps us monitor the security of our SaaS products, and currently we scan over 30 unique URLs or products. Some of the products are externally exposed and some are private. We have integrated Detectify into our CI/CD pipeline, which means that prior to releasing code to production, we have run and verified a Detectify scan in our staging environment. Any new findings are triaged by a DevOps and Development lead. If needed, production releases are postponed until the security finding is resolved or mitigated.
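The release gate described above, sketched as an added example (this is not Detectify's API or SmartBear's pipeline code): a scan of the staging environment is compared against a baseline of findings the DevOps and development leads have already triaged, and the pipeline fails when anything new, or anything whose risk acceptance has expired, is at or above a severity threshold. The findings layout, the baseline entries, the severity names and the URLs are all constructed assumptions.

```python
"""Release gate: block a production deploy when the staging scan shows
new findings at or above a severity threshold.

Added example of the gating step the interview describes; it is not
Detectify's API or SmartBear's pipeline code. The findings layout, the
baseline file and the severity names are assumptions (constructed here).
"""
import sys
from datetime import date

# Assumed severity scale; adjust to whatever the scanner actually reports.
SEVERITY_RANK = {"information": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample of what a staging scan might export (not real findings).
CURRENT_SCAN = [
    {"title": "Missing HSTS header", "severity": "low",
     "url": "https://staging.example.test/"},
    {"title": "Directory listing enabled", "severity": "medium",
     "url": "https://staging.example.test/static/"},
    {"title": "Admin panel reachable without authentication", "severity": "high",
     "url": "https://staging.example.test/admin"},
]

# Constructed baseline of findings the DevOps and development leads have
# already triaged. Each acceptance names an owner, a ticket and an expiry,
# so accepted risk is explicit and time-boxed rather than silently permanent.
BASELINE = {
    "Missing HSTS header@https://staging.example.test/": {
        "owner": "devops-lead", "ticket": "TICKET-PLACEHOLDER", "expires": "2099-01-01"},
}


def fingerprint(finding):
    """Key a finding by what it is and where it is, so it survives re-scans
    even if the scanner assigns a fresh id per run."""
    return f'{finding["title"]}@{finding["url"]}'


def triage(findings, baseline, threshold="high", today=None):
    """Split findings into new / accepted / expired and decide the release.

    Anything new, or with an expired acceptance, at or above `threshold`
    blocks the release; lower-severity new findings are reported for
    triage but do not block.
    """
    today = today or date.today()
    new, accepted, expired = [], [], []
    for f in findings:
        entry = baseline.get(fingerprint(f))
        if entry is None:
            new.append(f)
        elif date.fromisoformat(entry["expires"]) < today:
            expired.append(f)
        else:
            accepted.append(f)
    limit = SEVERITY_RANK[threshold]
    blocking = [f for f in new + expired if SEVERITY_RANK[f["severity"]] >= limit]
    return {
        "new": new,
        "accepted": accepted,
        "expired": expired,
        "blocking": blocking,
        "release_allowed": not blocking,
    }


def main():
    result = triage(CURRENT_SCAN, BASELINE)
    for f in result["new"]:
        print(f'NEW      [{f["severity"]}] {f["title"]} at {f["url"]}')
    for f in result["expired"]:
        print(f'EXPIRED  [{f["severity"]}] {f["title"]} at {f["url"]}')
    if result["release_allowed"]:
        print("Gate passed: no new findings at or above threshold.")
        return 0
    print(f'Gate FAILED: {len(result["blocking"])} finding(s) need a fix or an accepted-risk entry.')
    return 1


if __name__ == "__main__":
    sys.exit(main())
```

Run as the last step before the deploy job; a non-zero exit postpones the release exactly as the answer describes. Keying the baseline by title and URL rather than by scanner-assigned id is deliberate: ids tend to change between runs, which would make every re-scan look like a new finding. The expiry date on each acceptance forces the accepted-risk list to be revisited instead of growing forever.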

“We have created security champions on each of our scrum and development teams.” – Martin on getting devs to care about security

One for the CISOs and managers out there… 
What are some of the goals set for your security team and how do you measure success?
Although not an official goal for the year, I would say that my personal goal for 2020 is zero breaches/exploits of my systems. I would say this can be simple enough to measure… have none! 

No but seriously, one of our goals is to have zero critical vulnerabilities reported in our applications due to human error. This means that any findings we have should not be a result of a misconfiguration.

image (security misconfiguration findings in the UI): You can categorize results based on OWASP Top 10 classes in the Detectify UI.

What are some of the challenges your security team faces?
We have an extensive portfolio of SaaS products and infrastructure, and of course their security is extremely critical. Our challenges in monitoring and keeping 100% compliance on patches can become daunting. This is why we have Detectify and several other tools and systems to help us.

Finding a balance between security and business development is also a challenge we would like to solve. Security can become a blocker to product innovation, meaning a feature may need to wait or even be put off in order to have development concentrate on a security finding, and I am sure many other companies face this as well.

How does Detectify fit into this? 
Detectify is critical in helping us ensure the next release does not expose us to a major security issue. Our daily and weekly scans help us with monitoring the applications and products.

Our teams manage operations and security for many of our products and as a result, we work with many different stakeholders. Each product has a DevOps lead who manages Detectify and all its findings, who then works with a product’s development lead and escalates any findings and issues which need to be resolved.

Besides using Detectify, how else do you work with ethical hackers?
SmartBear Software currently has a private Vulnerability Disclosure Program with a leading security vendor.

Which is your favourite function in Detectify?
Our team likes the JIRA integration within Detectify. Since we are working with multiple product teams at once, we can simply and quickly escalate findings to the appropriate developer or teams.

image (JIRA set-up in Detectify): Detectify offers various integrations into popular developer tools. Here’s a complete list.

What are some of the common security mistakes you see?
Misconfiguration is the most common security mistake we see.

“…one of our goals is to have zero critical vulnerabilities reported in our applications due to human error.” – Martin on security goals for 2020

What are some common attacks you see in your day-to-day when defending Smartbear?
We monitor our systems 24/7 for attacks. We mostly see the usual scans looking for default username and passwords for many of our public systems. The usual port scans, and possibly unpatched vulnerabilities.
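The credential-guessing scans mentioned above are cheap to pick out of authentication logs once you look at two signals together: the volume of failures from one source and how many default account names it cycles through. The following is an added example, not SmartBear's monitoring tooling; it parses OpenSSH's "Failed password" lines, and the sample log, the source addresses (RFC 5737 test ranges), the default-account list and the thresholds are all constructed assumptions.

```python
"""Spot credential-guessing scans against public hosts in auth logs.

Added example of the kind of monitoring the answer above refers to; it is
not SmartBear's tooling. The log format is OpenSSH's "Failed password"
line; the sample lines, IPs (RFC 5737 test ranges) and thresholds are
constructed assumptions.
"""
import re
from collections import defaultdict

# Accounts that commodity scanners typically try first (assumed list).
DEFAULT_ACCOUNTS = {"admin", "root", "test", "guest", "ubuntu", "pi", "user"}

# Matches sshd failures for both existing and non-existent users.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed sample log: one source cycling through default accounts,
# one legitimate user mistyping a password twice before a key login.
SAMPLE_LOG = """\
Jan 10 03:14:02 web1 sshd[2311]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jan 10 03:14:03 web1 sshd[2311]: Failed password for root from 203.0.113.7 port 51235 ssh2
Jan 10 03:14:04 web1 sshd[2312]: Failed password for invalid user test from 203.0.113.7 port 51236 ssh2
Jan 10 03:14:05 web1 sshd[2313]: Failed password for invalid user guest from 203.0.113.7 port 51237 ssh2
Jan 10 03:14:06 web1 sshd[2314]: Failed password for invalid user pi from 203.0.113.7 port 51238 ssh2
Jan 10 03:14:07 web1 sshd[2314]: Failed password for invalid user admin from 203.0.113.7 port 51239 ssh2
Jan 10 08:02:11 web1 sshd[2401]: Failed password for martin from 198.51.100.22 port 40001 ssh2
Jan 10 08:02:19 web1 sshd[2401]: Failed password for martin from 198.51.100.22 port 40001 ssh2
Jan 10 08:02:31 web1 sshd[2401]: Accepted publickey for martin from 198.51.100.22 port 40001 ssh2
"""


def summarize_failures(lines):
    """Per source IP: total failed logins and the set of usernames tried."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set()})
    for line in lines:
        m = FAILED_RE.search(line)
        if not m:
            continue
        entry = stats[m.group("ip")]
        entry["attempts"] += 1
        entry["users"].add(m.group("user"))
    return dict(stats)


def credential_scanners(lines, min_attempts=5, min_default_accounts=3):
    """Flag sources that both hammer logins and spray default account names.

    Requiring both conditions separates a scanner from a legitimate user
    with a forgotten password, who fails a few times on a single account.
    """
    flagged = []
    for ip, entry in summarize_failures(lines).items():
        defaults_tried = entry["users"] & DEFAULT_ACCOUNTS
        if entry["attempts"] >= min_attempts and len(defaults_tried) >= min_default_accounts:
            flagged.append({
                "ip": ip,
                "attempts": entry["attempts"],
                "default_accounts": sorted(defaults_tried),
            })
    return sorted(flagged, key=lambda hit: -hit["attempts"])


if __name__ == "__main__":
    for hit in credential_scanners(SAMPLE_LOG.splitlines()):
        print(f'{hit["ip"]}: {hit["attempts"]} failures, '
              f'default accounts tried: {", ".join(hit["default_accounts"])}')
```

On the sample, only 203.0.113.7 is flagged; the two failures for `martin` stay below both thresholds. In practice the output would feed a ticket or a block-list, and the thresholds should be tuned against a week of real logs so that a password-rotation day does not page anyone.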

How do you get developers to care about security?
We have created security champions on each of our scrum and development teams. It is the champions’ responsibility to push security amongst their team. Ultimately we need and want to build bug bounty-grade applications, which means our ideal goal is to make these programs public and open to everyone.

How do you stay up-to-date with security news/trends?
You name it, we do it. From being on Slack groups, attending conferences, email lists, GitHub Alerts and news outlets. Our security vendors like Detectify are also great in distributing security news and trends.

Get started with integrating security into your DevOps practices today using Detectify. We collaborate with the best ethical hackers to offer checks for widely exploited web vulnerabilities. Sign up for your free 2-week trial.
