One such company is Codific, led by Dr. Aram Hovsepyan. In his academic career, Aram has played key roles in the development of industry standards, such as the LINDDUN privacy threat modeling framework (now part of NIST and ISO standards) and, most recently, OWASP SAMM, the software assurance maturity model that is making an impact in the open source community and far beyond.
Let’s meet Codific
Codific builds secure cloud solutions for specific use cases where security and privacy are of paramount importance. Their flagship product is Videolab, a tool for filming interactions between medical professionals and patients. For years Dr. Hovsepyan has been a very vocal champion of Debricked; in this interview, we discuss why.
Hi Aram, how are you doing?
Awesome, how are you? What’s the weather like in Sweden 😀
Why do you care so much about application security?
I have been a researcher at the Imec-DistriNet lab (from the University of Leuven in Belgium) for an extensive period of time. DistriNet has always been globally renowned for its expertise in software security. So from my early days, I was fully immersed in an environment where security was a key quality attribute in nearly everyone’s research. Security is also one of those disciplines that is simply cool, just as surfing is in sports. Thus AppSec was a natural path for me to follow.
What is software composition analysis and why does it matter?
When I was a student, the idea of creating software systems using lots of reusable components was the Holy Grail of software engineering. Fast forward two decades, and it is hard to imagine developing a software system from scratch. Nearly all software is built on top of third-party libraries and components, which significantly increases productivity but also raises concerns regarding potential security and licensing risks.
This is where Software Composition Analysis (SCA) becomes crucial. SCA tools enable the identification of all software components and the assessment of their potential risks and vulnerabilities. Recent regulations in the US and EU have even made SCA a mandatory practice. By identifying and addressing potential security risks early in the development process, SCA helps reduce the likelihood of security incidents and assists developers in creating more secure software products.
Why do you pick Debricked?
OWASP has published a great overview of security tools. I went through all of them and tried them out using three simple criteria:
- Number of false positives
- The simplicity of DevOps pipeline integration
Debricked was by far the best tool from this perspective.
What do you like about it?
Aside from the criteria I’ve mentioned, I love the fact that I can define a minimum set of criteria to pass/fail the build using the Debricked rules. This is also necessary for getting to a maturity level 3 in Secure Build security practice in OWASP SAMM.
I was also impressed by the speed and expertise of the support helpdesk (although that isn’t necessarily a must-have for a security tool provider).
How do you deploy it, and what features do you use the most?
We have integrated Debricked into our GitLab CI/CD pipeline for all our products. We’ve set up a threshold to fail the build process when it comes to a vulnerability CVSS score or license risk.
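The build gate Aram describes, failing the pipeline on a CVSS threshold or a license risk, can be shown as a small script. This is an added example and not Codific's or Debricked's code: the JSON report layout, the dependency names, the finding ids and the policy values are all constructed for illustration and do not reflect Debricked's real output format or rules.

```python
"""Build gate over an SCA report: fail on CVSS threshold or license risk.

Added example, not Codific's or Debricked's code. The report layout below is a
constructed, hypothetical JSON shape (not Debricked's real output), used only to
show the gating logic: any finding at or above the CVSS threshold, or any
dependency under a denied license, fails the build.
"""
import json
import sys

# Gate policy (hypothetical values): fail when any vulnerability has a CVSS
# base score at or above CVSS_FAIL_THRESHOLD, or when a dependency carries a
# license from LICENSE_DENYLIST.
CVSS_FAIL_THRESHOLD = 7.0
LICENSE_DENYLIST = {"GPL-3.0-only", "AGPL-3.0-only"}

# Constructed sample report; dependencies, licenses and findings are made up.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"name": "left-pad-ish", "version": "1.0.0", "license": "MIT",
         "vulnerabilities": [{"id": "VULN-PLACEHOLDER-1", "cvss": 5.3}]},
        {"name": "old-parser", "version": "0.9.1", "license": "MIT",
         "vulnerabilities": [{"id": "VULN-PLACEHOLDER-2", "cvss": 9.8}]},
        {"name": "copyleft-lib", "version": "2.4.0", "license": "AGPL-3.0-only",
         "vulnerabilities": []},
    ]
})


def evaluate_report(report_json, cvss_threshold=CVSS_FAIL_THRESHOLD,
                    license_denylist=LICENSE_DENYLIST):
    """Return a list of human-readable gate violations (empty list means pass)."""
    report = json.loads(report_json)
    violations = []
    for dep in report.get("dependencies", []):
        label = f"{dep['name']}@{dep['version']}"
        if dep.get("license") in license_denylist:
            violations.append(f"{label}: license {dep['license']} is denied")
        for vuln in dep.get("vulnerabilities", []):
            # An unscored finding is treated as failing: unknown severity
            # should not silently pass a security gate.
            score = vuln.get("cvss")
            if score is None or score >= cvss_threshold:
                shown = "unscored" if score is None else f"CVSS {score}"
                violations.append(f"{label}: {vuln['id']} ({shown})")
    return violations


def gate_exit_code(report_json, **policy):
    """Exit code for a CI job: 0 when the gate passes, 1 when it fails."""
    return 0 if not evaluate_report(report_json, **policy) else 1


if __name__ == "__main__":
    # Usage: python gate.py [report.json]; without a file the sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            data = fh.read()
    else:
        data = SAMPLE_REPORT
    for line in evaluate_report(data):
        print("GATE FAIL:", line)
    sys.exit(gate_exit_code(data))
```

Run as the last step of the SCA job so its non-zero exit code fails the pipeline; the threshold and denylist are the knobs a team tunes per product, and treating an unscored finding as a failure keeps a gap in the data from becoming a silent pass.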
How does this fit the broader security picture? How important is this part?
I am a core team member and avid supporter of OWASP SAMM. SAMM is a security assurance program that encompasses 30 security streams, providing a holistic view of security. One of these streams is Software Dependencies, and Debricked plays a critical role in achieving the highest maturity level in this area.
What advice do you have for people working on designing their DevSecOps pipeline?
Debricked is a must-have for your pipeline, along with SAST and DAST tooling. However, you cannot solve the application security challenge by leveraging the tooling alone. You will need to set up processes to deal with the tool findings (and by deal, I do not mean clicking “not applicable” in the UI to skip the warnings).
I highly recommend taking a systematic approach to building and deploying your software systems, such as following OWASP SAMM’s Secure Build practice. By implementing a structured methodology for addressing security concerns, you can effectively manage risks and ensure the overall security of your software systems.
Basically, Codific loves Debricked because Codific loves security, but not at any cost. They like efficient operations and adequate smart notifications.
And we love us some epic stories
Because we get a buzz out of helping companies and developers unleash the power of open source effectively and securely while keeping their development pace intact. Hearing their side of the story keeps us going. A huge shoutout to Aram and the Codific team – thank you for being an awesome ally in our quest!
And do not forget that something is always brewing in the Debricked lab, so stay on the radar for new releases.