Cybric Makes DevSecOps A Reality

Boston-based company Cybric is a relative newcomer on the cybersecurity scene, but it’s re-envisioning how developers test the security of their applications.

“If you look at the cybersecurity landscape, there are over 1,220 solutions and tools,” said Mike Kail, Chief Innovation Officer at Cybric. “There have been incremental approaches to application security and security in general, but there hasn’t been enough focus. We’re trying to take a completely different, contrarian approach. Instead of selling fear, uncertainty and doubt, we’re trying to sell confidence, assurance and resilience.”

Kail noted that the current problem many businesses face in the application space comes from continuous demand for developers to produce new updates, features and functionality to existing app products.

While DevOps aids in streamlining this process, keeping pace with the demand often leaves security testing and scanning application code for vulnerabilities behind — not entirely, but until after code has already been rolled out, leaving it vulnerable in the interim between release and scan.

Today, only 20 percent of DevOps initiatives include security throughout the development cycle. What Cybric’s Continuous Security-as-a-Service platform does is to merge development, security and operations into one process — DevSecOps, if you will.

“We are taking a platform approach to automating and orchestrating all of the scanning operations that are now done manually, if at all,” said Kail.

Cybric’s technology enables security testing and scanning to happen continuously, keeping up with the demand on developers without compromising security. Cybric announced the general availability of its platform just a few weeks ago, and Kail expects that it will gain rapid adoption for a number of reasons.

First, it’s quick to sign up and start scanning.

“We don’t have to install anything,” he said.” You can use your GitHub credentials to sign up, and we can start security scanning right away without adding any friction to the developers’ life-cycle, unless they have to remediate something.”

But again,” he added, “it allows them to remediate before it’s in production.”

Secondly, the platform plays offense.

“Post-build, before you deploy to your production environment, we create a copy of that application infrastructure and run scans against that looking for the classic vulnerabilities that companies continue to get hit by,” Kail said. “Before you actually expose the vulnerability, we tell you how to remediate it.”

Additionally, and perhaps most important in the ever-evolving world of cybercrime, the platform keeps pace with the latest cybersecurity developments in near-real time.

“Today you might have a security operation center monitoring correlating new vulnerabilities against a manual list that adds latency and is prone to human error,” he said. “On our back end, we monitor in the national vulnerability database in real time.”

Cybric will know about any new vulnerability released, noted Kail, even on Zero Day.

“Because we know what an application is composed of from a libraries and package perspective, we can alert them in near real-time about new vulnerabilities,” he said.

Cybric’s long-term plans could include an additional innovation to the space — automated remediation using the data analytics Cybric acquires as more users add the platform, Kail added.

“As we get more customers and see more trends, we want to build out machine learning models to ultimately lead to automated remediation,” he said. “As Uber and Tesla are building self-driving cars, we want to — in the long term — build self-driving security applications. Other automation players in cybersecurity are automating incident response — we’re trying to prevent you from ever having incidents.”