Fakturabörsen, one of Detectify’s very first customers, is a marketplace for invoices where companies can turn their invoices into capital. Andreas Larsson, CTO/Lead Developer, chose Detectify over expensive enterprise tools. In this interview, he explains why.
How did you hear about Detectify?
I first came across Detectify when I started working in banking and finance at Fakturabörsen. I set up the development department here and when we built a new generation of our platform I had to test it on different levels, including penetration and security testing.
I had previously used HP and IBM’s tools for this type of security testing and they simply cost way too much. We started thinking about building something ourselves, but the good thing with Detectify is that you get the whole package – an up-to-date security service that doesn’t cost an arm and a leg. We immediately thought it sounded interesting and that’s how we got in touch.
What was it like to get started with the tool?
It was surprisingly easy to get started. We thought we would have to install agents or clients on the computer, but because everything is remote, you just need to verify your domain and get going, which was a pleasant surprise.
What are the challenges of working with security as an organisation?
It’s the classic story: once a month, you need to show management that your expenses are justified and explain why money is being spent on certain services. In the case of Detectify, we explain what could happen if someone were to find a vulnerability on our site and then compare that to how much it costs to pay for security tools. If you put it like this, it’s rather easy to justify the expenses.
How did the developers who use Detectify react?
Their reactions were positive, but there has also been a fair bit of swearing when we got bad results! We’ve had to rebuild or discard websites a couple of times, but it’s better to discover vulnerabilities like this than to have someone else come across them.
How do you use Detectify?
We run recurring scans every week and complement that with more tests if needed, for example, if we release a new site or a new application. Our overall sense of security has improved thanks to being able to analyse and follow our progress with Detectify.
We use the Slack integration so Detectify sends information to Slack and via email every time we run a test.
I really like the tool and that it can be effortlessly integrated into the workflow. Detectify also works well with other tools we use.
What is your favourite Detectify function?
That it offers suggestions on where we can find vulnerabilities. Other tools I have used identify security issues but don’t give you any tips on how to resolve them.
I like the entire tool. In terms of integrations, we only use Slack, but we’re looking forward to the JIRA integration (released 15/09) that will automatically create a JIRA ticket when a vulnerability is discovered.
Are there any other aspects of using Detectify that you particularly like?
We think the amazing thing about Detectify is that you have a network of researchers who continuously discover new zero-day vulnerabilities and exploits. You keep an eye on what the entire security community is up to, do your own research and build it into modules. This means that we don’t need to do this type of research ourselves and don’t have to worry as much.
Looking for vulnerabilities is a full-time effort, but our main job is building trading systems. It’s thanks to working with Detectify that we remain up to date – it’s a win-win situation!