We recently reached out to Kota Sakoda, the CEO of Fukuoka-based Glue Inc., to ask him to talk a bit about his experiences using VAddy at his company. Glue Inc. is a software development agency that specializes in video distribution technology and even has a few SaaS offerings of its own.
We started off as a small team of freelance engineers primarily doing contract software development work; eight years later, in 2011, we incorporated to focus on building our own video distribution and streaming services (Gemediar and 1meeting). However, we do continue to build software for other companies using the knowledge and expertise we developed building and running our own services. Though our own services are developed in-house with just two engineers, our client work involves collaborations with external partners.
Though in the beginning we were able to vouch for the security of our software because we developed it entirely in-house, as our business expanded we had to start working with external developers who were not necessarily as security conscious as we were.
Meanwhile, helping our enterprise clients conduct their annual vulnerability assessments gave us an appreciation for all the work that goes into a thorough security audit―from the initial preparations to the final reports. Though it would not be technically or economically feasible for a company of our size to conduct similar audits on our own, there are tools available to help our development teams maintain a consistent overall level of security for both in-house and outsourced software projects.
VAddy ticked all the right boxes for us: in particular, it allowed us to automatically scan for vulnerabilities even without having any particular security expertise. Before we started using VAddy, we only took basic security measures―such as examining our source code and keeping our middleware up to date―and we were worried that we could only expose vulnerabilities through code review.
We tried several open source security tools in our search for a solution, but we found them to be generally unpolished and not very appealing. Our clients found it reassuring to hear that we were using a commercial tool provided by security experts to continuously scan for vulnerabilities in our software.
We’ve recently noticed that our clients are becoming more security conscious. Although it’s natural for companies to pay close attention to how meticulous their contractors are, an increasing number of companies now also express interest in how secure the finished product is.
It can be difficult to describe the quality of our work objectively, but being able to clearly state that we are using VAddy to ensure security is a big deal for us. We are happy to point out that this is a legitimate tool created by a company that not only has experience defending against actual cyberattacks, but that also develops and runs its own web application firewall (Scutum). When meeting with new clients, we now tell them that we are internally running security tests with VAddy; so far, they have seen the value in this.
At $100 per month, VAddy is well within our company’s engineering budget. Going forward, we’d like to actively promote our use of VAddy as one of the advantages of the services we offer.
Once we started using VAddy, we noticed that our external development partners started thinking about security differently, too. Upon hearing that we run security tests internally, they were more likely to ask us how to implement secure coding practices (and thus avoid running afoul of VAddy's scans) before starting on a project. Of course, this is not to say that we had lax standards before we made VAddy part of our development process―VAddy was simply the catalyst that got us to think more carefully about the overall quality of our software, including how secure it is.
Furthermore, by reassuring our clients that we are continuously running security tests, we drastically reduced the number of times clients contact us with concerns about web vulnerabilities.
At the moment we are only using VAddy for our contract development work, but we will also start using it with our own services as soon as we get a chance to set it up. First on the list is KnowBuild, the intranet video learning site that we recently launched, because―by its nature―it involves handling a large amount of customer data.
Editor’s Note: We actually conducted this interview remotely between Fukuoka and Shinjuku via 1meeting, Glue Inc.’s video conferencing service, which makes it easy for anyone to set up a video conference in their web browser (no user registration is required). We had a pleasant chat with good audio quality throughout.