One of VAddy’s customers here in the Tokyo metropolitan area is Velc Inc., a software development firm that handles a mix of product and client work. Their SaaS product, Board, recently attracted the attention of other technology companies for its unique approach to customer support and security. Velc was even nominated as one of the startups featured in Japan's Best Venture 100 this year (2016).
We caught up with Velc’s CEO, Yusuke Tamukai, a few days ago to talk about security and his company.
Our core business is contract development work on both web and smartphone applications. My own personal strengths and professional experience are in developing line-of-business applications and systems, but these skills are widely applicable to a variety of other systems, as well (except perhaps systems in the video game and entertainment industries).
In 2013, we launched our own service based on the expertise we had gained doing development work for our clients. In 2014, we released a cloud-based business management system called “Board” that has been growing steadily ever since.
We have been able to leverage the experience we have gained running our own services to proactively make suggestions for our development clients.
We put a lot of time and effort into security from the day we launched Board. Business management systems, by their very nature, process sensitive data that must be handled with care. Of course, it’s important to keep all our customer data secure, but the data processed through Board is at the core of a company’s management and thus must not be leaked if at all possible. We are extremely sensitive to the risk of a data breach.
Watching many of our clients undergo security audits for vulnerabilities in the course of our contract development work has naturally made us more security conscious. We requested an audit from a security firm before we launched Board, but we asked our auditors to focus on areas that would not be covered by the Scutum web application firewall with which we planned to protect our service.
We tried using OWASP ZAP to run our own security tests before we started working on Board, but to be perfectly honest it was a bit of a pain to manage.
It doesn’t make sense to use security testing tools if you aren’t going to use them properly. While it’s true that we should have spent more time figuring out how to use OWASP ZAP properly, at the time we didn’t have any idea whether we were on the right track.
I think that OWASP ZAP is a powerful tool if you have the time to learn how to use it, but application developers like ourselves face significant hurdles against casual use. In my opinion, going to the trouble of running security tests but not bothering to do so properly is putting the cart before the horse.
VAddy doesn’t ask much of its users: as long as it can crawl a website with pre-registered URLs and parameters, it can scan the site automatically. You can even check your server logs to confirm that VAddy is crawling it properly. In this way, VAddy frees its users from many of the responsibilities of running and maintaining a vulnerability scanner.
Security is an extremely specialized field. While VAddy’s monthly cost of $100 may seem expensive to some, I think it is justified by the high level of specialization in the security industry.
Because we funded Board’s development with the profits from our client work, we were fortunate enough to be able to trade money for time. Unfortunately, startups that need to push a project forward on a limited budget may not have any funds set aside for security. Of course, if you run an internet business and can buy some measure of security for $100 per month, doesn’t it behoove you to do so?
Incorporating VAddy into our tech stack gave us a good opportunity to set up end-to-end tests for Board. This was necessary for us because VAddy needs to be told how to properly crawl each web application that it scans, but Board has so many pages that it wouldn’t be realistic to crawl them all manually.
We made two different types of end-to-end testing scenarios for Board; these are conceptually equivalent to unit tests and integration tests. We currently use VAddy exclusively for our “unit test” scenarios because the “integration test” scenarios involve a lot of repeated crawl data, which would take too long for VAddy to exhaustively scan.
Security is not something that most people will be aware of unless they intentionally familiarize themselves with it. In my case, I’ve developed a stronger sense of security as I’ve used VAddy. Even perusing VAddy’s scan logs (i.e. our test server’s access logs) can be rather instructional. Also, on the rare occasions that VAddy detected a vulnerability, I became more knowledgeable about security by tracking down the cause of the vulnerability and taking the appropriate steps to eliminate it.
No particular feature requests come immediately to mind, but I suppose it would be nice to have more options for managing crawl data. At the moment we have a small number of testing scenarios that can all be viewed on a single screen, but as we accumulate more testing scenarios over time I imagine that it would eventually become difficult to keep track of them all with VAddy’s current interface.
I’m satisfied with the current classes of vulnerabilities that VAddy scans for; by focusing on the most commonly exploited vulnerabilities, VAddy can keep scan times short and manageable. If VAddy’s coverage were to expand to include more types of vulnerabilities, however, it might not hurt to let developers choose which vulnerabilities to check with each scan—for example, a developer might choose to scan for some vulnerabilities daily and others weekly.
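The log check Tamukai mentions above (confirming from the test server's access log that the scanner actually reached every registered URL and parameter, and then reading the payloads it sent) can be scripted. The following is an added example written for this article, not code from VAddy or Velc: the `VAddy` User-Agent marker, the registered path/parameter list and the log lines are all constructed assumptions, and the log format is the standard Apache/nginx "combined" format.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Apache/nginx "combined" log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Assumption: the scanner identifies itself with this substring in its User-Agent.
SCANNER_UA_MARKER = "VAddy"

# Hypothetical scan registration: path -> query parameters the scanner is expected to exercise.
REGISTERED = {
    "/projects": {"q"},
    "/invoices/show": {"id"},
    "/customers": {"page"},
}

# Fragments typical of injection payloads; matched against the percent-decoded query values.
PAYLOAD_RE = re.compile(r"""['"<>;]|--|<script|alert\(""", re.IGNORECASE)

# Constructed sample access log: five scanner requests and one ordinary browser request.
SAMPLE_LOG = """\
203.0.113.10 - - [10/May/2016:09:12:01 +0900] "GET /projects?q=board HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; VAddy)"
203.0.113.10 - - [10/May/2016:09:12:02 +0900] "GET /projects?q=board%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; VAddy)"
203.0.113.10 - - [10/May/2016:09:12:03 +0900] "GET /invoices/show?id=42 HTTP/1.1" 200 3100 "-" "Mozilla/5.0 (compatible; VAddy)"
203.0.113.10 - - [10/May/2016:09:12:04 +0900] "GET /invoices/show?id=42%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 500 0 "-" "Mozilla/5.0 (compatible; VAddy)"
198.51.100.7 - - [10/May/2016:09:12:05 +0900] "GET /projects?q=board HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux) Firefox/45"
203.0.113.10 - - [10/May/2016:09:12:06 +0900] "GET /login HTTP/1.1" 200 2311 "-" "Mozilla/5.0 (compatible; VAddy)"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return {
        "ip": m.group("ip"),
        "method": m.group("method"),
        "path": parts.path,
        # parse_qsl percent-decodes values, so payloads are compared in their decoded form
        "params": dict(parse_qsl(parts.query, keep_blank_values=True)),
        "status": int(m.group("status")),
        "ua": m.group("ua"),
    }


def scanner_requests(lines):
    """Keep only requests whose User-Agent carries the scanner marker."""
    reqs = []
    for line in lines:
        rec = parse_line(line)
        if rec and SCANNER_UA_MARKER in rec["ua"]:
            reqs.append(rec)
    return reqs


def coverage_report(requests, registered):
    """Compare registered paths/parameters with what the scanner actually requested."""
    seen = defaultdict(set)
    for r in requests:
        seen[r["path"]].update(r["params"])
    covered = {p: seen[p] & params for p, params in registered.items() if p in seen}
    missing = {p: params - seen.get(p, set()) for p, params in registered.items()}
    missing = {p: m for p, m in missing.items() if m}  # drop fully covered paths
    unregistered = set(seen) - set(registered)  # crawled but not in the registration
    return {"covered": covered, "missing": missing, "unregistered": unregistered}


def injection_hints(requests):
    """List scanner requests whose query values look like injection payloads, with the response status."""
    hints = []
    for r in requests:
        for name, value in r["params"].items():
            if PAYLOAD_RE.search(value):
                hints.append({"path": r["path"], "param": name, "value": value, "status": r["status"]})
    return hints


if __name__ == "__main__":
    reqs = scanner_requests(SAMPLE_LOG.splitlines())
    report = coverage_report(reqs, REGISTERED)
    print("scanner requests:", len(reqs))
    print("covered:", report["covered"])
    print("missing:", report["missing"])
    print("unregistered:", report["unregistered"])
    for h in injection_hints(reqs):
        # a 5xx on a payload request is the first thing to trace in the application log
        print(f"payload {h['path']} {h['param']}={h['value']!r} -> HTTP {h['status']}")
```

Two caveats: only query-string parameters appear in an access log, so coverage of form fields submitted by POST has to be checked from application-level logging or from the scanner's own report; and the payload regex is deliberately loose, because its purpose is to point a developer at the requests worth reading, not to classify vulnerabilities.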
Tamukai struck me as a CEO with an extremely good sense of balance and the ability to see the big picture of his entire business. I think that this is what has allowed Board to garner attention not only for the quality of the product and its customer support, but also for its commitment to security, all while being run by a small number of employees.
With this in mind, it should come as no surprise that other technology companies have been contacting Tamukai about the steps he has been taking to keep Board secure.
— Katsuya Nishino
Kokuho 21 Building, Fifth Floor
2-29-1 Ichigayatamachi, Shinjuku, Tokyo