DevSec: Empowering DevOps with Security

We’ve had an interesting journey over the past few years at Tinfoil. Each year technology evolves, but security is often left behind. As more of you scan with us, we see more issues with current security processes. The biggest problem? Agile development.

We love pushing code often. We'll make changes to our website or scanner on a daily (and sometimes hourly) basis. As a small team we're able to run our security tests pre-deploy without a problem, but we've noticed a large gap amongst our customers. Over the past year we've worked with some of the best and largest enterprise companies to establish a new security practice: empowering DevOps with security and bringing it closer to the source.

Security teams are small, much smaller than development teams. Some companies have a single person thinking about security issues and others have hundreds. A few years back either was OK. New code was deployed once every few months and went through a full QA and penetration testing process. With continuous integration systems and DevOps teams forming, security can’t keep up. New code is deployed daily, if not hourly, and security has yet to become a part of the testing process.

Tinfoil is now working with security teams to relieve some of the pressure so they can work on the big picture. Starting with our web application scanner, you can now pull Tinfoil into your DevOps process without adding any extra burden. Many customers use our API to hook into their CI systems, and we're working on specific integrations with tools like Jenkins and CircleCI to make the process even easier. These integrations are set up so that as soon as a new version of a website is pushed out, a Tinfoil scan runs against it. As we find vulnerabilities, we offer many ways to export the data, including directly into JIRA or your issue tracker, so your developers can fix the problems right away. Our goal is to simplify security without compromising it.
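To make the CI hook concrete, here is an added example of the gate step a pipeline job can run once the post-deploy scan has finished. It is illustrative code written for this post, not Tinfoil's API, the Jenkins/CircleCI integration, or JIRA's schema: the report layout, the severity names, the suppression list and the issue fields are assumptions, and the sample report is constructed. The job fails (non-zero exit) when any finding at or above a chosen severity survives the suppressions, and everything else is shaped as a tracker issue.

```python
"""Added example (not Tinfoil's API or a real Jenkins/CircleCI plugin): the gate
a CI job applies after a scan. It reads a scanner report, drops findings a
reviewer has dismissed, fails the build when anything at or above a chosen
severity remains, and shapes the rest as tracker issues. The report layout,
severity names, suppression file and issue fields are all assumptions for the
demo; the sample report is constructed.
"""
import json
import sys

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample report in an assumed, generic export shape.
SAMPLE_REPORT = json.dumps({
    "site": "https://staging.example.com",
    "findings": [
        {"id": "f-1", "type": "reflected_xss", "severity": "high", "url": "/search?q="},
        {"id": "f-2", "type": "missing_hsts", "severity": "low", "url": "/"},
        {"id": "f-3", "type": "sql_injection", "severity": "critical", "url": "/items?id="},
        {"id": "f-4", "type": "clickjacking_header", "severity": "low", "url": "/login"},
    ],
})

# Dismissed best-practice items, keyed by finding type, with the reason recorded
# so every suppression is auditable (assumed format).
SUPPRESSIONS = {"missing_hsts": "HSTS ships with the TLS migration; tracked separately"}


def evaluate(findings, fail_at="high", suppressions=None):
    """Split findings into (blocking, to_file) after applying suppressions."""
    suppressions = suppressions or {}
    threshold = SEVERITY_RANK[fail_at]
    blocking, to_file = [], []
    for finding in findings:
        if finding["type"] in suppressions:
            continue  # dismissed by a reviewer: neither filed again nor blocking
        to_file.append(finding)
        if SEVERITY_RANK.get(finding["severity"], 0) >= threshold:
            blocking.append(finding)
    return blocking, to_file


def issue_payload(finding, project="SEC"):
    """Shape one finding as a tracker issue (field names are an assumption, not JIRA's schema)."""
    return {
        "project": project,
        "summary": f"[{finding['severity'].upper()}] {finding['type']} at {finding['url']}",
        "description": f"Scanner finding {finding['id']}: {finding['type']} on {finding['url']}",
        "labels": ["scanner", finding["severity"]],
    }


def gate(report_json, fail_at="high", suppressions=None):
    """Return {'ok', 'blocking', 'issues'}; 'ok' False means the build must fail."""
    report = json.loads(report_json)
    blocking, to_file = evaluate(report["findings"], fail_at, suppressions)
    return {
        "ok": not blocking,
        "blocking": [f["id"] for f in blocking],
        "issues": [issue_payload(f) for f in to_file],
    }


if __name__ == "__main__":
    result = gate(SAMPLE_REPORT, suppressions=SUPPRESSIONS)
    for issue in result["issues"]:
        print("would file:", issue["summary"])
    print("gate:", "pass" if result["ok"] else "FAIL on " + ", ".join(result["blocking"]))
    sys.exit(0 if result["ok"] else 1)  # a non-zero exit stops the pipeline
```

Two design points worth keeping in a real integration: suppressions are keyed and carry a written reason, so a dismissed best-practice item can be reviewed later rather than silently vanishing, and the threshold is a parameter, so a team can start by failing only on critical findings and tighten over time without touching the pipeline logic.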

DevSec is the joining of DevOps and security. Your engineers should feel empowered with security, not burdened by it. We’ll be posting a series of posts on best practices for getting your development teams up and running with a DevSec process. As always, you’re welcome to use Tinfoil to supplement this process. We welcome questions and feedback as we explore this new focus shift. Email or chat with us anytime.

Looking forward to more years of interesting adventures and challenges.


Ainsley Braun

Ainsley Braun is the co-founder and CEO of Tinfoil Security. She's consistently looking for interesting, innovative ways to improve the way security is currently implemented. She spends a lot of her time thinking about the usability and pain points of security, and loves talking with Tinfoil's users. She also loves rowing, flying kites, and paragliding.

Tags: DevSec DevOps new features business advice security


Redesign and New Features

It's been a while since we last blogged, but rest assured we've been hard at work improving Tinfoil for you by leaps and bounds. Today, we're incredibly excited to launch a brand new, easier-to-use, much more powerful UI for our leading web application security scanner. In addition to the UI refresh, there is a slew of new features in this release.

We'll be writing about each of these new features in turn over the coming days, but feel free to log in and play around if you're the kind of person who doesn't want to wait. We've changed the way we do things a little bit, but we think it's going to be much more intuitive. We're excited, in particular, about the activity feed that gives you all the information about what's been happening with your sites' security at a single glance.

Setting up authentication for the sites you scan with us is a lot easier now, and we've added a few new authentication methods. We have some new addons we're excited about as well, including our API and Jira Integration.

Many of our customers also kept asking for the ability to add collaborators without moving to a higher plan: they had a slightly larger team but didn't need all the features of the bigger tier. You can now add collaborators à la carte.

The website should be more performant, be more visually pleasing, be easier to navigate and, most importantly, make it simpler to find and fix vulnerabilities in your own websites. We think we've achieved that with this release, and we hope you'll think so too. :)

As always, please let us know what you think, and send any and all feedback our way. Look out here for new blog posts coming to describe each of our new features in greater depth, and we still have some things cranking in our labs that we're super excited about. 

Incidentally, you may have noticed we've moved our blogging platform as well, to be a little cleaner and make the posts easier to understand and parse. Let us know what you think! We'll be in our support chat, or you can email us, or you can find other ways to contact us on our contact page.


Ainsley Braun

Tags: Redesign new features


June Updates

Summer's coming up and things are also heating up at Tinfoil! We wanted to quickly give an update of some of the bigger things we've been hard at work on.

Request Rate: We now let you specify the target request rate we'll hit your website at during a scan. Previously we defaulted to a maximum of 40 requests per second, but some of you wanted us to be a bit more gentle when starting off a scan. Just like before, we still slow down if your website looks to be under strain, but now you choose where we max out. You can even change it mid-scan if your engineers are yelling at you :) And if you think you can handle it, Thor is ready to take things up a notch and make your scans even faster!
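The behaviour described above (an operator-chosen ceiling, a gentle start, automatic backoff when the site looks strained, and a ceiling you can change mid-scan) is what a scanner's rate controller has to implement. The following is an added example of such a controller, written for this post and not Tinfoil's scanner code; the strain signals (share of HTTP 429/5xx responses, and latency relative to a healthy baseline), the window size and the additive-increase/multiplicative-decrease constants are assumptions, and the response batches it is run on are constructed.

```python
"""Added example: an adaptive request-rate controller for a web scanner.

Illustrative code, not Tinfoil's scanner. The operator sets the ceiling
(max_rps) and a gentle starting rate; the controller ramps up while the target
looks healthy and halves the rate when a window of recent responses shows
strain. The strain signals (HTTP 429/5xx share and latency versus a healthy
baseline), the window size and the AIMD constants are assumptions.
"""
import time
from collections import deque


class AdaptiveRateLimiter:
    def __init__(self, max_rps=40.0, start_rps=5.0, min_rps=1.0, step_rps=5.0,
                 window=10, error_share=0.1, latency_factor=2.0,
                 clock=time.monotonic, sleep=time.sleep):
        self.max_rps = float(max_rps)          # operator's ceiling, changeable mid-scan
        self.min_rps = float(min_rps)
        self.step_rps = float(step_rps)        # additive increase per healthy window
        self.error_share = error_share         # 429/5xx fraction that counts as strain
        self.latency_factor = latency_factor   # latency growth over baseline that counts as strain
        self.rate = min(float(start_rps), self.max_rps)
        self.window = deque(maxlen=window)     # recent (latency_seconds, status_code)
        self.baseline = None                   # best average latency seen on a healthy window
        self._clock, self._sleep = clock, sleep
        self._next_allowed = clock()

    def set_max_rps(self, max_rps):
        """Change the ceiling mid-scan; the current rate is clamped to it."""
        self.max_rps = float(max_rps)
        self.rate = min(self.rate, self.max_rps)

    def acquire(self):
        """Block until the next request may be sent at the current rate; returns the send time."""
        now = self._clock()
        if now < self._next_allowed:
            self._sleep(self._next_allowed - now)
            now = self._next_allowed
        self._next_allowed = now + 1.0 / self.rate
        return now

    def observe(self, latency, status):
        """Record one response. Every `window` responses, decide: back off or ramp up."""
        self.window.append((latency, status))
        if len(self.window) < self.window.maxlen:
            return self.rate                   # not enough evidence yet
        n = len(self.window)
        errors = sum(1 for _, s in self.window if s == 429 or s >= 500) / n
        avg_latency = sum(l for l, _ in self.window) / n
        self.window.clear()
        latency_strain = self.baseline is not None and avg_latency > self.latency_factor * self.baseline
        if errors > self.error_share or latency_strain:
            self.rate = max(self.min_rps, self.rate / 2.0)            # multiplicative decrease
        else:
            self.baseline = avg_latency if self.baseline is None else min(self.baseline, avg_latency)
            self.rate = min(self.max_rps, self.rate + self.step_rps)  # additive increase
        return self.rate


class FakeClock:
    """Deterministic clock so the example runs instantly and offline."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def sleep(self, seconds):
        self.now += seconds


def simulate():
    """Run constructed response batches through the controller; returns (label, rate) per batch."""
    clock = FakeClock()
    lim = AdaptiveRateLimiter(max_rps=40, start_rps=5, clock=clock, sleep=clock.sleep)
    batches = [
        ("healthy", [(0.10, 200)] * 10),
        ("healthy", [(0.10, 200)] * 10),
        ("errors", [(0.10, 503)] * 3 + [(0.10, 200)] * 7),   # 30% server errors
        ("slow", [(0.40, 200)] * 10),                        # 4x the healthy baseline latency
        ("healthy", [(0.10, 200)] * 10),
    ]
    history = []
    for label, responses in batches:
        for latency, status in responses:
            lim.acquire()
            rate = lim.observe(latency, status)
        history.append((label, rate))
    return history


if __name__ == "__main__":
    for label, rate in simulate():
        print(f"{label:8s} -> {rate:.2f} req/s")
```

The run ramps 5 to 10 to 15 req/s on healthy windows, halves to 7.5 on the error burst and again to 3.75 on the latency spike, then starts climbing again. Halving on strain and adding a fixed step on recovery is the same shape TCP uses for congestion control; it converges quickly on what the target can take without the scan hammering a site that is already struggling.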

Efficient Scans: To make scans even shorter we've been hard at work making the scanning infrastructure smoother and more efficient. Our scanner is an intelligent beast, learning about your website as it goes to find its various vulnerabilities. It now also learns the templates your pages are built from and, once it is confident a template has been covered, skips further copies of it. We've seen this speed up scans by up to 80% on highly repetitive websites!
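One way to recognise "copies of the same template" is to fingerprint a page's tag skeleton, ignoring its text and link targets, and stop scanning a fingerprint once a few instances of it have been covered. The block below is an added example of that idea, written for this post; it is not Tinfoil's scanner and says nothing about how Tinfoil's template learning actually works. The set of attributes kept in the skeleton, the two-samples-per-template policy and the sample pages are all assumptions.

```python
"""Added example: recognising page templates so a crawler can skip repeats.

Illustrative code, not Tinfoil's scanner. The fingerprint is a hash of the
tag skeleton (tag names plus the id/class/name/type attributes that shape the
page; text, href and src are dropped). Keeping the first `samples_per_template`
pages per fingerprint and skipping the rest is an assumed policy.
"""
import hashlib
from html.parser import HTMLParser


class SkeletonParser(HTMLParser):
    """Collect the structural skeleton: tags plus the attributes that define layout and inputs."""
    KEEP = ("id", "class", "name", "type")

    def __init__(self):
        super().__init__()
        self.tokens = []

    def handle_starttag(self, tag, attrs):
        kept = sorted((k, v) for k, v in attrs if k in self.KEEP and v is not None)
        self.tokens.append(tag + "".join(f"[{k}={v}]" for k, v in kept))

    def handle_endtag(self, tag):
        self.tokens.append("/" + tag)
    # text, comments and attributes such as href/src are ignored on purpose,
    # so /items/1 and /items/2 rendered from one template hash the same.


def template_fingerprint(html):
    parser = SkeletonParser()
    parser.feed(html)
    parser.close()
    return hashlib.sha256("\n".join(parser.tokens).encode()).hexdigest()[:16]


class TemplateDeduper:
    def __init__(self, samples_per_template=2):
        self.samples = samples_per_template
        self.seen = {}  # fingerprint -> number of pages already accepted for scanning

    def should_scan(self, html):
        """Return (scan?, fingerprint); accepts a template until its sample budget is spent."""
        fp = template_fingerprint(html)
        n = self.seen.get(fp, 0)
        if n >= self.samples:
            return False, fp
        self.seen[fp] = n + 1
        return True, fp


# Constructed sample pages: four product pages from one template, plus a login page.
def product_page(name, price):
    return f"""<html><head><title>{name}</title></head><body>
<div id="nav"><a href="/">Home</a><a href="/cart">Cart</a></div>
<div class="product"><h1>{name}</h1><p class="price">{price}</p>
<form action="/cart/add" method="post"><input type="hidden" name="sku"><button type="submit">Add</button></form>
</div></body></html>"""


LOGIN_PAGE = """<html><head><title>Sign in</title></head><body>
<div id="nav"><a href="/">Home</a></div>
<form action="/login" method="post"><input type="text" name="user"><input type="password" name="pass"><button type="submit">Go</button></form>
</body></html>"""

SAMPLE_PAGES = [
    ("/items/1", product_page("Widget", "$5")),
    ("/items/2", product_page("Gadget", "$9")),
    ("/items/3", product_page("Gizmo", "$12")),
    ("/items/4", product_page("Doohickey", "$3")),
    ("/login", LOGIN_PAGE),
]


def crawl(pages, samples_per_template=2):
    """Decide, per URL, whether the scanner should spend time on it; returns [(url, scan?)]."""
    deduper = TemplateDeduper(samples_per_template)
    return [(url, deduper.should_scan(html)[0]) for url, html in pages]


if __name__ == "__main__":
    for url, scan in crawl(SAMPLE_PAGES):
        print(f"{url:10s} {'scan' if scan else 'skip (template already covered)'}")
```

The caveat a practitioner should keep in mind: skipping by structure assumes every instance of a template exposes the same inputs. A page that adds an extra form for some records (an admin-only panel, say) produces a different skeleton and is still scanned, but a template that only differs in what a parameter's value does server-side looks identical to the crawler. Keeping more than one sample per template, and never deduplicating pages whose forms differ, is the cheap insurance against that.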

Dismissing Issues: Once your scan is done you can view and interact with your report to learn about what we found and exactly how to fix it. Some of the issues we bring up are merely best practices rather than explicit security vulnerabilities. We now allow you to dismiss them if you'd rather not be bothered again!

New Office: We're moving! The new Temple of Tinfoil is located at 828 Bryant St, Palo Alto CA 94301. Feel free to stop by sometime to say hello or BBQ with us! We've had a great time at Dogpatch Labs Palo Alto (run by the awesome folks at Polaris Ventures) but now it's time to move and grow into our own space. By the way, we're still hiring.


Ben Sedat

Ben Sedat is the Engineering Wizard of Tinfoil Security. He's a bit of a blend between a traditional software engineer (builder) and security engineer (breaker). He spends a lot of time thinking about security: both detection as well as creating solutions for the security issues that exist in software and the internet. He also plays lots of video games. Lots.

Tags: features new features update