Preventing subdomain takeovers and receiving less false positives with Detectify
Visma is a privately held software company that simplifies core business processes in the private and public sectors.
Company Size: Enterprise (12,000 employees)
Location: Headquartered in Oslo, with over 200 local offices
Visma's set up & security challenges
A remote work setting and many employees at Visma keep their security team busy. Catalin Curelaru, Security Triage Lead at Visma, specializes in infrastructure and product security areas with strong knowledge of security operations.
“We have over 5000 developers, 40 acquisitions per year, over 150 companies at Visma, and employees spread across 37 countries” says Catalin.
Visma has an application security program to increase security vulnerability knowledge and mitigate security risks quickly.
Visma’s security challenges:
- Subdomain takeovers
- Exposed tokens
- Legacy systems
- OWASP top 10 vulnerabilities coverage
- False positives
How Visma benefits from built-in ethical hacker research
Catalin explained that using SAST, DAST tools, penetration testing, and manual assessments is excellent. Still, a bug bounty element was needed as a cherry on top for more excellent coverage and speed in finding the most recent vulnerabilities.
That’s exactly where Detectify Crowdsource comes into play.
"We used other tools before, but we chose Detectify because it helps us reduce false positives and gets much information from the availability perspective,” explains Catalin.
Ethical hacker knowledge from Crowdsource adds extra value to Visma’s security journey.
“The Bug bounty element is the ultimate layer before all the other layers from the automated tools: from manual assessments, threat modeling, and all the services that you can deliver to the software delivery teams.”
"We chose Detectify because it helps us reduce false positives and gets much information from the availability perspective"
Complementary to a bug bounty, Visma has a dedicated internal penetration testing team available to all companies inside Visma for an extra security layer.
“We are a big team with a vast amount of public products that need to be assessed. However, with the limited amount of penetration testers in the teams, we cannot cover all the applications from all the security angles. That's why you need Detectify Crowdsource,” explains Catalin.
Detectify products used by Visma
Surface Monitoring - the benefits of continuous updating
To reduce the number of subdomain takeovers, Visma’s teams use Surface Monitoring.
"We have multiple public applications, and we want to be 100% sure that we are free from subdomain takeovers. Detectify helps us achieve that."
Application Scanning - the benefits of low false positives
Visma has been using Detectify for several years now, resulting in a strong working partnership and trends over time. When using Application Scanning, they have seen that Detectify consistently delivers vulnerabilities with a very low false-positive rate. They know they can trust the data coming from the reports and act quickly upon it.
How Visma uses Detectify
Visma runs scans weekly and receives all of the security vulnerability findings in one go. The scanning frequency also depends on each team and their scheduled time preferences.
Integrations - Jira and Slack
Visma’s security teams receive all medium and high severity vulnerability findings from Application Scanning and Surface Monitoring in Jira. Each scan profile is set up as a unique JIRA issue to find metrics for all the raised issues, allowing for an exact remediation timeframe and knowing precisely what teams are remediating what issues.
With the Slack integration, Visma gets high severity vulnerability findings alerts instantly and is aware of issues as soon as they are discovered.
Consuming the findings
Visma's teams are independent and have different approaches to consuming vulnerability findings. Development teams have direct access and triage with the help of the security team overseeing the remediation process. Alternatively, the security team conducts triage together with bug bounty reports as it helps to know precisely how to assess the issue quickly.
“It’s our responsibility as a company to be 100% sure that we address critical security issues on time”
Dealing with critical vulnerabilities
Visma is organized into multiple companies. Their security team doesn't have direct access to all servers and environments as each team is responsible for their environments and remediation. The security team's guidance and advice support them. “It’s our responsibility as a company to be 100% sure that we address critical security issues on time,” says Catalin.
Visma compares the scan profile during the vulnerability remediation process to see if a particular issue is no longer flagged. If a certain issue is addressed, the team deploys the patch and the update into the environment. The issue is then considered to be closed. Catalin explained that at Visma, they also rely on comments to enhance trust between security and other teams.
Assessing security issues better and building tools
The reduced time required to determine security issues' validity allows the teams to be more creative and develop new tools and products.
Securing M&A process
Detectify takes an essential part of the DAST process during the M&As at Visma, ensuring the desired security posture. Detectify helps newly acquired companies discover previously unknown security issues. “This is the main ROI when certain development teams get valuable information and can strengthen their security," says Catalin.
Less noise, more relevant findings
Catalin explained that the central realization they had while using Detectify was a decrease in vulnerability findings. He explained that sometimes their teams were concerned about not receiving many results. This meant they received more relevant findings and less noise which ensured teams were doing a great job.
Catalin’s security tips:
- To use OWASP SAMM bottom up approach
- Rely on OWASP best practices
- Use multiple tools - SAST, DAST, third party scanning, Red Team/Purple Teaming