Finding security issues as early as possible in the development process is a key principle of DevSecOps.
Among the many vendors in the DevSecOps space is San Francisco-based Bright Security, which until March 2 was known as NeuraLegion. On the same day that the company announced its new name, it also revealed that it had raised $20 million in a Series A round of funding.
Bright Security's core product is a dynamic application security testing (DAST) platform. DAST is a black-box approach that tests a running application from the outside, and it has traditionally been deployed late in the application development and deployment process. With its DAST platform, Bright Security is providing a developer-friendly approach that can fit into the earliest stages of development and integrate with developer tooling, including continuous integration and continuous deployment (CI/CD) platforms.
"Dynamic analysis looks at the integrated application anywhere from unit testing to production," Gadi Bashvitz, CEO of Bright Security, told ITPro Today. "So it's the entire software development lifecycle, from the moment that the application or the APIs are compiled."
Bright Security Taking a Developer-First Approach to DevSecOps and DAST
Bright Security has created technology that can be governed by the application security team, according to Bashvitz. That team can determine what needs to be scanned, how often it needs to be scanned, and how scans can be triggered.
But the real users are the developers, who can run scans early in the development lifecycle to identify potential vulnerabilities much earlier and remediate and fix them before they hit production, he said. Bright Security's technology integrates with tools that developers are already using, including Visual Studio and GitHub, to build and compile code.
Common types of vulnerabilities that Bright Security's DAST platform can help developers identify include technical issues such as Cross-Site Scripting (XSS), SQL injection (SQLi), and Local File Inclusion (LFI).
Identifying Business Logic Flaws for DevSecOps
According to Bashvitz, the differentiator for Bright Security is that it can also identify business logic vulnerabilities. These are not technical bugs but rather flaws in the flow of an application that can enable an attacker to exploit a system. Identifying business logic flaws requires an understanding of every data field and every entry point in an application, Bashvitz said.
"Business logic vulnerabilities are something that historically required organizations to have manual testers test as well as manual penetration testing to find things," he said.
When NeuraLegion, now Bright Security, was founded, Bashvitz said its focus was the development of an artificial intelligence-driven fuzzing tool. Fuzzing is a testing technique in which unexpected or malformed inputs are fed into application fields to observe how the application responds. The AI fuzzer is now at the foundation of Bright Security's technology, providing the engine that helps identify business logic flaws.
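To make concrete what a fuzzing-based DAST check observes, here is a small added example that is not Bright Security's code and says nothing about how its product works internally. It runs a constructed corpus of inputs (benign strings, a quote, markup, an over-long value) through two hypothetical request handlers backed by an in-memory SQLite database: one that concatenates SQL and echoes input unescaped, and a hardened one that uses parameterized queries and HTML-escapes output. The harness flags two signals a black-box scanner typically looks for: a server-side error triggered by an input, and input markup reflected unescaped in the response.

```python
import html
import sqlite3

# Constructed fuzz corpus (sample values made up for this example):
# ordinary input, empty input, an over-long string, a quote character,
# HTML markup, double quotes and an encoded NUL.
FUZZ_INPUTS = [
    "alice",
    "",
    "x" * 300,
    "O'Brien",
    "<b>bold</b>",
    '"quoted"',
    "%00",
]


def build_db():
    """Fresh in-memory database with one table and one row per fuzz case."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice')")
    return conn


def vulnerable_handler(conn, name):
    """Hypothetical 'before' handler: string-built SQL and unescaped HTML output."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    rows = conn.execute(sql).fetchall()
    return "<p>Results for " + name + ": " + str(len(rows)) + "</p>"


def hardened_handler(conn, name):
    """Hypothetical 'after' handler: bound parameter and escaped output."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()
    return "<p>Results for " + html.escape(name) + ": " + str(len(rows)) + "</p>"


def fuzz(handler):
    """Feed every corpus entry to the handler and collect black-box observations.

    Returns a list of (payload, observation) pairs. Two signals are recorded:
    a database error surfacing from the handler (an injection indicator) and
    markup from the input appearing verbatim in the response (a reflection
    indicator that an XSS check would escalate).
    """
    findings = []
    for payload in FUZZ_INPUTS:
        conn = build_db()
        try:
            body = handler(conn, payload)
        except sqlite3.Error as exc:
            findings.append((payload, "server error: " + exc.__class__.__name__))
            continue
        if "<" in payload and payload in body:
            findings.append((payload, "input reflected unescaped"))
    return findings


if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_handler), ("hardened", hardened_handler)):
        print(name, fuzz(handler))
```

Run as a script, the vulnerable handler yields two findings (the quote character causes an OperationalError from the string-built query, and the markup input is echoed back unescaped) while the hardened handler yields none; a scanner integrated into CI would turn the first list into failed checks long before the code reaches production.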
Beyond identifying potential security issues, one of the DevSecOps challenges that Bright Security is looking to help solve is alignment between the security and development teams.
"There's unfortunately a lot of antagonism between those two teams about whose responsibility it is to make sure the right tools to remediate vulnerabilities are in place as well as who can take action," Bashvitz said. "So that's area No. 1 that we really want to help with, and we are able to help with making sure that they really have a tool that they can easily collaborate with."