
Legit Security CEO: Modern Software Threats and How to Redefine Application Security

We sat down with Roni Fuchs, CEO and co-founder of Legit Security, to discuss the evolving challenges for security teams in today’s fast-paced software development landscape. Recently named Best Application Security Solution by The Tech Ascension Awards, Legit Security’s ASPM platform is redefining how enterprises manage risk across their software supply chains. Fuchs also highlights how attackers are targeting the development lifecycle and the limitations of traditional application security approaches:

Roni Fuchs, the CEO and co-founder of Legit Security

Software development has changed dramatically in recent years. How is this affecting security teams?


Software development has evolved rapidly, with developers embracing Agile, CI/CD, cloud-native, microservices, and generative AI. This fast pace leaves security teams struggling to keep up and gain visibility across the entire software lifecycle.


Key challenges include:

1. Speed and visibility: Security teams are often unable to match the rapid pace of development, making full visibility a challenge.

2. Siloed operations: Security teams frequently work separately from development and DevOps, hindering collaboration. Even within security, lack of coordination between cloud, application, and vulnerability management teams adds complexity.

3. Increased risk: A high volume of exposed secrets and other vulnerabilities, including duplicates and false positives, is overwhelming security teams. They struggle to prioritize fixes without clear business context.


How are attacker tactics changing?


Sophisticated attackers are adapting to modern software development environments by expanding their focus beyond just front-end applications. They are increasingly targeting components of the software supply chain, including pipelines, build servers, libraries, tools, and processes. This shift allows attackers to exploit the vast number of unattended vulnerabilities and misconfigurations that exist due to the rapid pace of development and the siloed nature of security teams.


Supply chain attacks have led to significant global breaches, such as those at 3CX, SolarWinds, Codecov, and CyberLink. While strong application security controls are still necessary, the most devastating attacks are now often coming through software supply chains, taking advantage of the vulnerabilities that go unaddressed in these complex, interconnected environments.


Why is the current application security approach falling short?


Most security teams today approach application security by scanning code through one or more of these methods:

- Static analysis (SAST)
- Dynamic analysis (DAST)
- Software composition analysis (SCA)
- Pen testing

These scans are performed at different stages of code development, often by separate teams, leading to a fragmented approach. The main issue is that correlating results from multiple AppSec tools is time-consuming and challenging, with numerous dashboards generating noise, including conflicting or duplicate information.


This fragmented approach often results in misallocated resources, with teams spending time and money fixing "critical" issues that don't pose a real risk, while more significant vulnerabilities are overlooked due to low risk scores from systems like CVSS or EPSS.


Furthermore, most AppSec tools focus on application risks while overlooking vulnerabilities in the broader software factory, like those in CI/CD pipelines. They also lack business context from these pipelines. For instance, an Internet-facing application deployed to production daily and handling financial data is far more critical than a non-production test project. Without this context, security teams struggle to prioritize effectively, leading to misaligned efforts and exploitable blind spots, which have contributed to some of the most severe breaches. 
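As an added illustration (not Legit Security's code or product logic), the following Python sketch correlates findings from several scanners, collapses the duplicate that two tools both reported, and re-ranks the remainder using the kind of business context described above; the sample findings, asset attributes and weights are all constructed assumptions.

```python
# Added example, not Legit Security's code: correlate scanner output and rank it
# by business context instead of the raw CVSS base score alone.

# Constructed sample findings: one asset reported by two SAST tools (a duplicate),
# an SCA hit on the same asset, and two findings on a throwaway sandbox project.
FINDINGS = [
    {"tool": "sast-a", "asset": "payments-api", "rule": "sql-injection", "loc": "db.py:42", "cvss": 8.8},
    {"tool": "sast-b", "asset": "payments-api", "rule": "sql-injection", "loc": "db.py:42", "cvss": 8.8},
    {"tool": "sca", "asset": "payments-api", "rule": "vulnerable-dep", "loc": "requests==2.19", "cvss": 5.3},
    {"tool": "secrets", "asset": "sandbox-demo", "rule": "hardcoded-token", "loc": "cfg.py:7", "cvss": 9.1},
    {"tool": "sca", "asset": "sandbox-demo", "rule": "vulnerable-dep", "loc": "lodash==4.17.4", "cvss": 7.5},
]

# Constructed business context per asset: the pipeline metadata the interview
# says most scanners lack.
ASSETS = {
    "payments-api": {"internet_facing": True, "production": True, "handles_financial_data": True},
    "sandbox-demo": {"internet_facing": False, "production": False, "handles_financial_data": False},
}

def dedupe(findings):
    """Collapse findings that describe the same issue at the same location on one asset."""
    merged = {}
    for f in findings:
        key = (f["asset"], f["rule"], f["loc"])
        if key in merged:
            merged[key]["tools"].add(f["tool"])          # remember every tool that saw it
            merged[key]["cvss"] = max(merged[key]["cvss"], f["cvss"])
        else:
            merged[key] = {**f, "tools": {f["tool"]}}
    return list(merged.values())

def context_score(finding, assets):
    """Scale CVSS by exposure; the weights are assumptions chosen for illustration."""
    ctx = assets.get(finding["asset"], {})
    multiplier = 1.0
    for attribute in ("internet_facing", "production", "handles_financial_data"):
        if ctx.get(attribute):
            multiplier += 0.5
    if not ctx.get("production"):
        multiplier *= 0.25                                 # test projects are demoted sharply
    return finding["cvss"] * multiplier

def prioritize(findings, assets):
    """Return (score, finding) pairs, highest business-context score first."""
    ranked = [(context_score(f, assets), f) for f in dedupe(findings)]
    ranked.sort(key=lambda pair: pair[0], reverse=True)
    return ranked
```

The hardcoded token carries the highest CVSS of the sample but drops to third once the sandbox project's context is applied, while the two SAST reports of the same injection flaw collapse into one item.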


What is ASPM?


An Application Security Posture Management (or ASPM) platform gives security teams a clear view of the full software factory, its assets, its owners, its security controls, its vulnerabilities, and how all are related. With this view, security teams can ensure the integrity, governance, and compliance of every software release. 


What makes Legit’s ASPM offering stand out?


Legit’s ASPM offering stands out by providing organizations with a comprehensive view of risk across their entire software factory, from code to cloud. It unifies findings from multiple AppSec tools, empowering teams to rapidly fix the highest-risk issues.


Legit is the only solution that delivers unmatched SDLC visibility and discovery, enterprise readiness, and effortless usability. Designed from the ground up for large, complex development environments, the Legit platform supports a vast array of development and security tools. Its powerful management capabilities are second to none, successfully scaling across numerous Fortune 500 companies. Customers are onboarded swiftly and see immediate results with an intuitive, customizable self-service platform.


Ultimately, Legit helps enterprises build a scalable security program that not only reduces risk and protects software products but also makes compliance straightforward across even the most complex environments.
