Search Go hack yourself with Detectify

An EASM blog from Detectify

Niklas Olsson, KTH Royal Institute of Technology: “Detectify lowers the threshold to work with security”

April 24, 2018

Founded in 1827, KTH Royal Institute of Technology in Stockholm is one of Sweden’s leading universities. Niklas Olsson, IT Solution Manager at KTH, and his team use Detectify to develop secure web applications and share security knowledge.

Niklas Olsson, KTH Royal Institute of Technology: “Detectify lowers the threshold to work with security”

What is your role at KTH? Has security always been part of it?
I am a team lead for one of the development teams at the IT department at KTH. I have worked at KTH for fourteen and a half years, first as a systems developer and now as team lead, but I actually don’t work that much with pure security. I work with development, as well as prioritising, planning, and generally steering the work we do. The systems we build need to be secure and that’s where the security aspect comes in.

How do you work with security at KTH?
We have Security Operations Center (SOC)  team and a Security Management Center (SMC) team that works with policies and leads the security work at the IT department. In the development team, where I work, we use Detectify to complement the rest of the department’s security efforts. In terms of education, those that work within SOC and SMC have a background in security, while those of us on the development side are trained in everything that’s related to developing secure web applications, like OWASP and various standards and best practices.

What do you think is the biggest challenge in security?
Keeping up. Security moves quickly, new vulnerabilities and new technologies emerge all the time, so it can be hard to stay on top of everything.

How did you hear about Detectify?
A colleague from one of the security teams had heard about Detectify and mentioned it to me. We have so-called competence lunches at work, where we invite speakers to talk about interesting topics, so we invited Johan Båth (Detectify’s Customer Success Manager) to join us and share some insights about security and Detectify.

What was it like to get started?
This was actually one of the things that really impressed us! After his presentation, Johan quickly demoed the service for us and set up two profiles that we started scanning straightaway. Before the meeting was over, we got results we could look at. Getting started was incredibly quick and it’s one of the key features we need so team members can get on board easily.

Why did you choose Detectify?
Setup was quick and easy and we also liked the remediation tips. When Detectify discovers a vulnerability, you get a detailed description of how to fix it, so it’s not just a long list of issues, but a list of ways to solve them. This considerably lowers the threshold to work with security, which is absolutely crucial if you are going to do this type of work continually.

How do you use Detectify in your daily work?
We scan our production systems on a weekly basis. We are also working on setting up the Detectify API and once we start using it, we will be able to scan all applications that go through our continuous delivery pipeline. This way, we will scan everything in the test environment as well as what’s already in production. We don’t want to release something vulnerable.

What are the advantages of the continuous approach to security that Detectify offers?
It’s automated and you only need to act if something new turns up, so you avoid a lot of noise and that’s really important. It also makes security more transparent as every team has access to Detectify so they can go in and take a look at the findings. This way, we can discuss vulnerabilities, look at different solutions and make sure that security issues are resolved in a good way.

What is your favourite Detectify function?
I like the “new” finding tags that allow you to see what’s new and what’s happened since your last scan. They make it easy to pinpoint what you should look at. I also like the API and think all services should have one as being able to get things done using an API is a clear advantage.

Why would you recommend us?
It’s really easy to get started, it’s automated, and it gives you a good overview of the vulnerabilities in your web application, as well as suggestions on how to fix them. This makes it easier to get started with security and continue working with it because it’s not a one-off project, it’s really something you need to work with continuously.