Search Go hack yourself with Detectify

An EASM blog from Detectify

Fredrik Alexandersson, Office IT-partner: “Detectify is my hacker toolbox”

October 12, 2017

Office IT-Partner is a Swedish IT consultancy providing a range of tailored solutions to clients across the country. Fredrik Alexandersson, Systems architect and Senior security advisor, who has been working at Office IT-partner for 13 years, uses Detectify to continuously update clients on their security status and advise them on how to improve it.  

Fredrik Alexandersson, Systems architect & Senior security advisor at Office IT-Partner

Has security always been a part of your work?
Yes and no. Security by design has always been something we’ve worked with, for example, by building secure networks, but I don’t build web applications.

What kind of security questions do you get from clients?
It’s a mixed bag. Clients ask me everything from “I saw a video where someone hacks a printer, how did they do it?” to “Do we really need to have a password longer than 6 characters?” There’s a lot of variation, but one thing that’s certain is that security is trending. You can’t dodge it any longer.

Do you think the trend will continue?
Definitely. As we inspire more people to understand the importance of fixing vulnerable code, we’ll also get more questions about security. It’s important to communicate this in a way that helps people understand.

What does the security work at Office IT Partner look like?
Security is one of our core focus areas. We have redone our entire architecture and try to work only with security by design. This includes everything from how we onboard new clients to how we work with our data.

How do you guide clients through security work?
We explain what can happen if they’re vulnerable because this is the only way we can really raise the security level. Decision-makers don’t always understand the potential consequences and they might say “I know this is a problem, but we don’t have time to fix it.”

The thing is, our clients are users, I’m a user, you’re a user. We’re always going to try and find the easiest solution. This is why it’s all about baby steps, teaching people about security in a way that’s easy to understand, maybe teach them some cool security tricks that they can show to someone else and this way, you get a learning organisation.

It’s important to always have a positive approach. Everyone hates the security department because they are the ones that say “You can’t do this, stop doing this,” so we need them to come to us and feel like they’ve done something right. So basically, if you reach out to us, we’ll help you out and make your life easier, but we’ll also act if you use too much shadow IT. Then again, it always comes down to the work we do. If people need to use a lot of shadow IT, it means we’ve missed something.

How do you use Detectify?
I scan, then take the report, usually the OWASP Top 10 report, show it to the client and explain what looks good and what doesn’t. I do this as part of a general overview of their status. When something new is about to be released, it’s a good idea to run a Detectify scan before the release. Then you know that you’ve done a good job and that there’s no lowest hanging fruit in your code. Of course, zero days do exist, but you can fix the most common issues.

Why did you choose Detectify?
Because of the simple and innovative UI. There are so many security tools out there and they give you information, but this is something I can give to people who don’t have a lot of tech knowledge and they can still understand it.

What are the benefits of working continuously with security and automation?
It’s amazing! Detectify keeps me on my toes, you find new vulnerabilities and are always updating the tool. Detectify is my hacker toolbox for websites.

It’s a bit like going abroad and getting vaccinated. If you’ve had your vaccination and go on holiday again, you need to get another shot, you can’t just say “I’m good, I don’t need to do this again.” Security is something you need to think about every day.

What’s you favourite Detectify function?
I like being able to go back in time and compare timestamps. I can then look at the logs and follow up on findings.

If someone asked you why they should use Detectify, what would you say to them?
“You’re not using Detectify yet? Why not?” It’s all about being prepared. Imagine you were a marine and never did any training. No way!

It’s incredibly important to visualise your threat picture and Detectify is a simple tool that developers can understand. You can also use it to check how your IT department is working with security or if a subcontractor is really keeping you up to date. Keeping track of what you’re using is a no-brainer. Go get it!

What do you think is the biggest challenge in security?
Identifying vulnerabilities and knowing how to fix them. It’s not new sites that are the problem, they are often well-written. Legacy is the challenge.

If you would like to keep an eye on your security with Detectify like Office IT-Partner, sign up for a free trial!