Straight out of Stockholm, foreseeti is one of those companies that make us really proud of the Swedish startup scene. They started using the Debricked tool quite early on in our journey, and we are extremely happy to be working with them. With them being a company that helps others stay secure, it’s always interesting to know how they work with the security within their own product. Luckily, Mikael Modin was willing to give us some insight.
Hi Mikael, how’s life?
It’s all good!
Tell us a little about Foreseeti!
We do threat modeling and attack simulation, completely model based and automated. This means that it’s completely virtual and will never mess with your actual environment. It also creates the possibility to test the environment before it’s built. Our tool, SecuriCAD, allows you to create a model of your infrastructure, simulate attacks and figure out what risks your organization may be facing.
What’s your role in all of this?
I am a senior developer. I lead the backend development, but I also handle our cloud infrastructure and security work.
As a security company, what is your take on security when it comes to developing your own product?
Within foreseeti we have three main goals when it comes to security, and one of them is that it needs to be a part of the development process. This means that it needs to be integrated into our daily practices and that everyone is involved in some way. Although, I would say that among the developers I am the one who deals with security the most.
What about open source?
Of course it’s a huge challenge keeping track of them manually, which is why we started using Debricked. I like automated tools that enable people to think about developing our product instead of dealing with manual security work. We try to create an environment where it’s easy to do things the right way, and difficult to do things the wrong way.
So, how do you use our tool?
We do automated testing in Jenkins, and the Debricked tool is part of the job. If the tool detects a new vulnerability the job stops and we get a notification in our Slack channel. This allows us to quickly have a look and decide if it’s something we deal with now or later.
The same thing goes for intake of new open source. We do have a controlled process to only include license-compatible software with an acceptable security pedigree and community support. A full manual security analysis of a dependency, including transitive dependencies, is quite complex and time consuming, and Debricked really helps us do it quickly and efficiently.
Lastly, any fun things coming up that you want to mention?
Well, a little while ago we made a freemium version of our SecuriCAD Vanguard. So, if anyone is curious it’s perfectly free to try it out. Another thing to mention is that the SecuriCAD Enterprise suite now has AWS support, which is something we are very happy about. Other than that, we always do a lot of webinars, so check our Linkedin page to stay updated on what’s going on!
Thank you Mikael for being so kind to speak with us!
A full manual security analysis of a dependency, including transitive dependencies, is quite complex and time consuming, and Debricked really helps us doing it quickly and efficiently.