Search Go hack yourself with Detectify

An EASM blog from Detectify

Johannes Karlsmyr, Episerver: “The Detectify portal and the findings are easy to understand, even for non-technical employees”

November 16, 2017

Episerver is a global software company that connects commerce and digital marketing to help organizations create unique digital experiences for their customers, with measurable business results. They offer Detectify to customers who want to improve their security. We met with Johannes Karlsmyr, responsible for security at Episerver, to ask him about the Detectify user experience, the changing view on security and his favorite features.

How has your view on security changed over time?
Security is definitely beginning to become more mainstream and more transparent. In some of my previous workplaces, you wouldn’t openly discuss vulnerabilities. Companies are now becoming more transparent and many start so-called bug bounty programs.

What do you like about Detectify?
One of the things I usually point out to customers is that they do not need my help to get started because it’s so easy. Project managers in development projects are sometimes initially a bit overwhelmed by the results when they log in for the first time, but once they look at the reports properly, they actually understand what is being said. My experience is that project managers, even without previous security or development knowledge, understand the information in the tool. Because the findings are explained so clearly in the reports and the executive summaries are easy to read, they can quickly figure out who is responsible for a specific vulnerability.

The service is very user-friendly compared to many of your competitors. You have really invested in the user experience, in addition to having very good algorithms and filters to find security issues, of course. The portal and the findings are easy to understand, even for non-technical employees. This is important because it’s easy for complex tools to become “tech products” that only tech teams are using.

What’s your favorite feature in Detectify?
I like the Zapier integration, because it allows you to integrate with whatever you want later. Very nice!

In addition to Detectify, how do you work with security in your organization?
Developers work with secure development methods, both static code analysis and free peer reviews of all commits, which means that all code changes are reviewed by three people before they go live. We do this to make sure we don’t go live with any security flaws.

Our QA team is based in Hanoi and they weed out any potential flaws that may have made it through the development phase.

We also have a resource team that looks at vulnerabilities, weaknesses and trends to make sure we are secure and on top of threats. I have an advisory role so if I find issues like misconfigurations or vulnerabilities, I leave a ticket with the issue to the right department.

What are the most common security mistakes people usually make?
People need to think more about CSRFs! It is also still quite common for developers to create forms that are vulnerable. Unfortunately, you can often upload files, which is not optimal.

If you would like to help your customers stay security with Detectify like Episerver, sign up for a free trial!