EXGEN Networks Co., Ltd. is an identity management vendor that has been providing a consolidated identity management tool, LDAP Manager, for over 15 years. EXGEN started using VAddy in the lead-up to their recent launch of a new SaaS product. We asked two software engineers at the company, Satoshi Hashimoto and Kentaro Nomura, to talk about one of the top priorities for their ID management products: the precautions they have taken to secure it.
Since it was founded in the year 2000, our company has specialized in offering a consolidated identity management tool, LDAP Manager, to our customers. This is an on-premises solution that manages Active Directory, LDAP, and other cloud-based products on our customers’ intranets. In recent years there has been a shift away from conventional ID management software toward cloud-based Identity as a Service (IDaaS) solutions, so in 2016 we released a cloud-based version of our LDAP Manager software called “Extic.” We are currently focusing on the academic sector, with colleges and universities as the primary customers for Extic.
Because our products are responsible for identity management, security precautions are one of the most important issues for us to consider. We often sell our packaged LDAP Manager software to public institutions and enterprise companies; some of these customers list third-party security audits as procurement requirements and/or ask us whether we have followed the guidelines for building safe websites published by Japan’s Information-Technology Promotion Agency (IPA). For these reasons, we request an external audit whenever we add new features to LDAP Manager.
The security of our SaaS offering (Extic), on the other hand, is not subject to quite such strict questioning, but we can’t afford to rest on our laurels. Then again, when new features can be added to a SaaS product monthly, it isn’t realistic to request an external audit for every new feature release (as we customarily do for LDAP Manager). We stumbled upon VAddy, a vulnerability scanner provided under the SaaS model, while thinking about how to strike a balance between security and Extic’s relatively short release cycles.
VAddy’s Standard plan costs $100/month (as of February 2017) and covers three domain names. If you use a separate domain for each of your projects, that works out to under $35/month per project, which is inexpensive compared to typical SaaS services that charge per user account.
I think that VAddy’s admin console is simple and easy to understand, but we had difficulty getting past the very first test. Though we thought we had followed all of the instructions properly—VAddy’s scan results page reported that it did not find any vulnerabilities—upon inspecting our server logs we discovered that VAddy had only scanned the login screen because we were not maintaining a session with our web application. We thought that there was a problem with our web application preventing VAddy from maintaining a session, but it turned out to be an issue with VAddy that the company’s support team was able to sort out in less than a week.
I personally wonder whether this low-level understanding of a web application’s behavior should be a prerequisite to using a vulnerability scanner; that would be more typical of a functional testing tool. At the moment, only someone capable of checking access logs to troubleshoot errors can take full advantage of an automated vulnerability scanner like VAddy.
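One way to perform the access-log check described above, added here as an example rather than EXGEN’s or VAddy’s own code: it parses combined-format web server access log lines and reports whether requests carrying the scanner’s User-Agent ever received a 200 from a page other than the login screen. The scanner User-Agent string, the login path and the log lines themselves are constructed assumptions.

```python
import re
from collections import Counter

# Assumptions (not from the page): the scanner's User-Agent and the app's login path.
SCANNER_UA = "ExampleScanner/1.0"
LOGIN_PATHS = {"/login"}

# Apache/nginx "combined" log format; the query string is dropped when parsed.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # /users?page=1 -> /users
    rec["status"] = int(rec["status"])
    return rec

def scan_coverage(lines, scanner_ua=SCANNER_UA, login_paths=LOGIN_PATHS):
    """A page outside the login flow answered with 200 shows the scanner held a session;
    302/401/403 everywhere else means it was bounced back to login and tested nothing."""
    hits = Counter()
    authenticated = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None or scanner_ua not in rec["ua"]:
            continue  # unparseable line, or ordinary user traffic
        hits[rec["path"]] += 1
        if rec["path"] not in login_paths and rec["status"] == 200:
            authenticated.add(rec["path"])
    return {"requests": sum(hits.values()), "paths": dict(hits),
            "authenticated_pages": sorted(authenticated), "session_ok": bool(authenticated)}

# Constructed sample: the scanner posts the login form, then a protected page redirects it.
SAMPLE_NO_SESSION = [
    '203.0.113.5 - - [10/Feb/2017:10:00:01 +0900] "GET /login HTTP/1.1" 200 1523 "-" "ExampleScanner/1.0"',
    '203.0.113.5 - - [10/Feb/2017:10:00:02 +0900] "POST /login HTTP/1.1" 302 0 "-" "ExampleScanner/1.0"',
    '203.0.113.5 - - [10/Feb/2017:10:00:03 +0900] "GET /users?page=1 HTTP/1.1" 302 0 "-" "ExampleScanner/1.0"',
    '198.51.100.7 - - [10/Feb/2017:10:00:05 +0900] "GET /users HTTP/1.1" 200 8800 "-" "Mozilla/5.0"',
]
# Constructed sample: the same crawl once the session is maintained.
SAMPLE_WITH_SESSION = SAMPLE_NO_SESSION[:2] + [
    '203.0.113.5 - - [10/Feb/2017:10:01:03 +0900] "GET /users?page=1 HTTP/1.1" 200 8800 "-" "ExampleScanner/1.0"',
    '203.0.113.5 - - [10/Feb/2017:10:01:04 +0900] "GET /groups HTTP/1.1" 200 4100 "-" "ExampleScanner/1.0"',
]
```

Run `scan_coverage` over the lines of the real access log (filtered to the scan window) after each scan; a `session_ok` of `False` means the “no vulnerabilities found” result only covers the login screen.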
Earlier I said that it wouldn’t be realistic to conduct external security audits on SaaS products with short release cycles, but we actually do continue to ask external firms to audit our code before major releases that add significant new features and pages. I still think you need to bring in a security professional to ensure that an application is secure when it is released.
However, if code must be rewritten because a vulnerability is found this late in the development process, it will have an enormous impact on your application’s release schedule. It’s important to use VAddy to nip vulnerabilities caused by regressions and programming errors in the bud.
In summary: we use VAddy to fix vulnerabilities that can be identified by ordinary software developers, but we enlist the help of security professionals to find vulnerabilities with complex attack vectors.
Though at one time we were planning to generate crawl data with Selenium, we had trouble maintaining our test cases; now we simply create crawl data and scan our site manually every time we add a new feature. As a small company focused on a relatively small set of features, we find it easier to handle these tests manually for the time being. I’d like to automate our use of VAddy somehow, but I don’t think this will involve invoking VAddy’s API as part of our CI builds: one scan per day is sufficient for our needs.
We are currently using VAddy on only one of our products: Extic. However, at some point I’d also like to start scanning LDAP Manager with VAddy. LDAP Manager has a web interface, and I think that VAddy would be an effective way to identify regressions in our code.
I think that VAddy has lowered the barrier to getting started with security tests. Until now, if we wanted to run our own security tests we needed to do our best with tools like OWASP ZAP. While I think that OWASP ZAP is a full-featured tool, it also takes a lot of work to set up and get running. VAddy eschews this complicated setup process and lets you start scanning right away. Because it’s so easy to get started, VAddy makes security tests seem much more accessible.
The lightweight nature of the tests led to another important realization: security tests (i.e. vulnerability assessments) can even be run during short software development cycles. I had always thought of this as one of the final phases of a large software development process, but VAddy has made security testing just another task in the day-to-day work of developing software.
Apart from that, I’d like to see more advanced scans that are easier to run. Specifically, I’d be interested in support for private networks, an idea that was proposed at one of last year’s VAddy meetups. If released, this feature would allow VAddy to scan web applications that cannot be accessed via a public IP address, thus obviating the hassle of setting up an Amazon EC2 instance and applying for permission to conduct penetration tests on it.
Founded in 2000
CEO: Junichi Edogawa
Chiyoda Ogawa-machi Kurosuta, 11th floor
1-11 Kanda Ogawa-machi, Chiyoda-ku
Tokyo, Japan 101-0052
MF Shin-Osaka Building, 5th floor
2-14-4 Miyahara, Yodogawa-ku
Osaka, Japan 532-0003