Oct 10, 2021

Introducing Oxeye - Cloud-Native Application Security Testing, Here We Come

Dean Agron
CEO & Co-Founder

Cloud native has evolved from a marketing term into a highly desirable and useful architecture choice, yielding significant benefits for designing, building, and deploying applications. 

Advantages of cloud native applications include increased flexibility and scalability, ease of management, faster time to market, and lower cost. Because releases now ship continuously, it's easy to see why shifting security efforts to the left is becoming the default for many companies. But with that shift comes a burden: much of the responsibility for security lands on developers.

Here's why we built Oxeye.

What is an oxeye?

In the sailing world, clouds getting darker on the horizon are called an oxeye. It means a storm is approaching and strenuous sailing lies ahead.

Cloud native applications – the perfect storm

Application development is undergoing a major transition. Some might even call it a perfect storm – two critical changes occurring simultaneously resulting in major effects.

The first change is a technical one – applications are shifting to cloud native architectures. No longer are they a single monolithic software construct. Rather, hundreds of loosely coupled microservices communicate with one another via APIs. At the same time, the infrastructure on which applications run is no longer a physical or virtual machine. Instead, it's an orchestrated group of containers and ancillary services that perpetually scale up and down.

The second change is cultural – digital transformation and market requirements are sharply increasing the amount and pace at which code is deployed to production. Together with modern methodologies, these trends force developers and DevOps teams to be more proactive with respect to application security so as to assist understaffed AppSec teams.

We assessed these changes in founding Oxeye. Our focus is to help organizations prevent insecure apps from reaching production while reducing related process overhead. Oxeye is the first application security testing platform specifically designed for cloud native applications. 

In the cloud native era, flagging potential local code vulnerabilities is no longer sufficient. Such findings are meaningless without 1) fully understanding how a given application is built and operates, and 2) undertaking an intelligent, context-based analysis. It’s all about context.

Dev-Centric approach

For over 20 years, application security testing (AST) has included four subsegments:

  • SAST – Static application security testing points to the lines of code where a vulnerability exists
  • DAST – Dynamic application security testing exercises the running application and yields a reproduction scenario
  • IAST – Interactive application security testing uses code instrumentation to point out vulnerabilities at runtime
  • SCA – Software composition analysis identifies third-party libraries and the versions in use, and flags those with known vulnerabilities

Such products can be useful for testing monolithic legacy software, but they can’t meet the challenges of securing cloud native applications in high-paced development environments. Here, fixing a vulnerability requires much more context than what AST can provide – the reproduction scenario and line of code aren’t enough. 

Flow is king in cloud native security

You must understand which components are vulnerable, the flow of interactions between microservices, and how the underlying infrastructure is configured – all of which could affect overall risk. It’s essential to understand the context of each vulnerability and calculate its true risk with respect to a given cloud native application. 

Enriching each finding with data from the other cloud native components around it helps provide remediation guidance to your security teams. All of this data must be thoroughly processed, packaged, and delivered to both developers and AppSec teams by way of integrations with their existing systems.

Risk should be analyzed with respect to vulnerable flows. Entry points might be exposed to the internet, could process sensitive data, or perhaps have been deployed on a misconfigured container. Properly assessed, such information sets the priority of each vulnerability. 
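To make the prioritization described above concrete, here is an added example of a context-based risk scorer. It is illustrative code written for this page, not Oxeye's product or its data model. The service graph, the findings, the score weights and the helper names (`Service`, `Finding`, `exposed_path`, `contextual_score`, `prioritize`, `ranked`) are all constructed assumptions. The point it demonstrates is that two identical SQL injection findings end up with very different priorities once you account for whether an internet-facing entry point can reach the vulnerable service, whether that service handles sensitive data, and whether its container is misconfigured.

```python
from collections import deque
from dataclasses import dataclass, field

# Constructed data model for this example only, not Oxeye's.


@dataclass
class Service:
    """One microservice plus the infrastructure context that affects risk."""
    name: str
    internet_exposed: bool = False        # reachable directly from the internet
    handles_sensitive_data: bool = False  # processes PII, payment data, secrets, ...
    container_privileged: bool = False    # e.g. runs as root or with --privileged
    calls: list = field(default_factory=list)  # downstream services invoked via API


@dataclass
class Finding:
    """A code-level finding as a SAST/SCA tool would report it, before context."""
    id: str
    service: str
    vuln_type: str
    base_score: float  # technical severity on a 0-10 scale (CVSS-like), context-free


def exposed_path(services, target):
    """Breadth-first search from every internet-exposed service along the
    call graph; return the first call chain that reaches `target`, else None."""
    for entry in (s for s in services.values() if s.internet_exposed):
        queue = deque([(entry.name, [entry.name])])
        seen = {entry.name}
        while queue:
            current, path = queue.popleft()
            if current == target:
                return path
            for downstream in services[current].calls:
                if downstream not in seen:
                    seen.add(downstream)
                    queue.append((downstream, path + [downstream]))
    return None


def contextual_score(finding, services):
    """Adjust the context-free base score using the flow and deployment context.
    The weights below are assumptions chosen for illustration."""
    svc = services[finding.service]
    path = exposed_path(services, svc.name)
    score = finding.base_score
    if path is None:
        # No flow from an internet entry point: an attacker first needs an
        # internal foothold, so the finding is far less urgent.
        score *= 0.4
    if svc.handles_sensitive_data:
        score += 1.5  # successful exploitation reaches sensitive data
    if svc.container_privileged:
        score += 1.5  # a misconfigured container widens the blast radius
    return round(min(score, 10.0), 1), path


def prioritize(findings, services):
    """Return (finding, contextual score, exposing path) sorted highest risk first."""
    scored = [(f, *contextual_score(f, services)) for f in findings]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed sample application: an internet-facing gateway calls orders,
# which calls payments; reporting is an internal-only service nobody exposed calls.
SERVICES = {
    "gateway": Service("gateway", internet_exposed=True, calls=["orders"]),
    "orders": Service("orders", calls=["payments"]),
    "payments": Service("payments", handles_sensitive_data=True,
                        container_privileged=True),
    "reporting": Service("reporting", calls=["payments"]),
}

# Constructed findings: F-1 and F-2 are the same SQL injection, same base score,
# in two different services; F-3 is an SSRF in the orders service.
FINDINGS = [
    Finding("F-1", "payments", "sql-injection", 8.0),
    Finding("F-2", "reporting", "sql-injection", 8.0),
    Finding("F-3", "orders", "ssrf", 6.5),
]


def ranked(findings=None, services=None):
    """Convenience wrapper returning [(finding id, contextual score, path), ...]."""
    findings = FINDINGS if findings is None else findings
    services = SERVICES if services is None else services
    return [(f.id, score, path) for f, score, path in prioritize(findings, services)]


if __name__ == "__main__":
    for fid, score, path in ranked():
        route = " -> ".join(path) if path else "not reachable from the internet"
        print(f"{fid}: {score:>4}  via {route}")
```

Run as-is, the scorer pushes F-1 (reachable through gateway -> orders -> payments, sensitive data, privileged container) to the top at 10.0, keeps F-3 at its base 6.5, and drops F-2 to 3.2 even though its code-level finding is identical to F-1. That gap is exactly the context a line number and a reproduction scenario cannot convey on their own.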

Oxeye.io in a nutshell

Oxeye provides a cloud native application security testing solution designed specifically for modern architectures and cloud native apps.

At runtime, Oxeye seamlessly integrates with all application components and layers. It automatically performs an intelligent, contextual analysis of each application vulnerability it finds – potential access vectors, exploit complexity, and the resulting risk of exploitation.

Whether you’re developing cloud native applications to run on public cloud, private cloud, or on-premise, Oxeye’s CNAST (cloud native application security testing) platform empowers your developers to deliver secure cloud native applications with confidence.

Try it yourself – provide your contact information and we’ll schedule a free demo.