“We're trying to create a new approach to application security where you'll have a holistic checklist of all the mandatory security and compliance steps”

The world today is getting more dependent on the technology all around us. Every application that businesses today rely on might have a security loophole that attackers can effectively utilize to harness confidential information, disrupt business operations, or use as a steppingstone for broader attacks. Application security plays a critical role in ensuring that the underlying business information remains protected and the applications themselves are secured from a wide range of potential attacks. However, application developers today are leveraging agile development techniques with more frequent software releases, a wide range of diverse development tools, and pervasive use of open-source software and third-party components that create a sprawling and rapidly changing attack surface that makes application security much more difficult today.

This is where Legit Security is creating a difference. “Our mission is to secure and govern every organization's software factory, or the end-to-end software development environments that create applications, by protecting their software pipelines, infrastructure, code and people for fast and secure software releases,” said Roni Fuchs, Co-Founder & CEO, Legit Security.

Legit Security offers a SaaS-based platform that secures applications from code-to-cloud with a centralized application security control plane that provides visibility, security, and governance over rapidly changing environments. The platform combines unique automated discovery and analysis capabilities with hundreds of security policies to detect security issues, score security risks, detect drift from compliance frameworks, and assist in remediating them.

Unlike traditional AppSec tools and scanners focusing narrowly on code, Legit addresses the entire pre-production attack surface including software pipelines, software development lifecycle (SDLC) systems and infrastructure, and the teams that operate within it. By providing real-time application security posture management, security teams accelerate their productivity, effectiveness, and developer collaboration. The result is that this integrated platform keeps software factories secure and provides continuous assurance that applications are released without vulnerabilities.

Legit discovers and inventories code repositories, build servers, artifact repositories, packages, product units, collaborators, security controls and other SDLC assets. Each inventoried item is automatically labeled with useful contextual information. As Legit creates this inventory, adjacent pipeline systems and infrastructure are identified to create a graph of your software supply chain environment. Legit Security also provides pre-built integration with systems like Jira and Slack, orchestration tools, integration APIs, and remediation guides so that the users can prioritize and remediate issues fast. The platform also provides incident trends, compares the security posture of teams and pipelines, and provides automated tools for compliance reporting and collaborative governance.

According to the Legit Security team, as development became more complex there is an increasing problem of providing security at scale. When there are more engineers and technologies involved, the security and compliance teams have to cope with more work, and they have a lot more attack surface to deal with.

“We're trying to create a new approach to application security where you'll have a holistic checklist of all the mandatory security and compliance requirements. We'll observe them and help implement them to form a secure software development pipeline. Eventually organizations will deploy only software that has gone through all these processes and is approved for deployment and is “Legit”. Moreover, by leveraging the automated discovery and analysis capabilities of the Legit Security platform, organizations will save time, do more with their existing resources, and focus first on what’s most important to modify or remediate,” explains Lior Borak, Co-Founder & VP of R&D, Legit Security.

Helping to reveal the hidden vulnerabilities in the shadows of pre-production development environments, Legit Security enables businesses to auto-discover all SDLC assets, dependencies, and pipeline flows in just minutes, including a visualization graph of the complete inventory, visualizing how an application is built from code to cloud. Legit also auto-detects other third-party security products and their respective security coverage. If a new tool is added later, or an existing tool is disabled, it's automatically detected by Legit.

The Legit Security platform is flexible to score the overall security posture of a product line, or dive deeper to score individual areas within it. Legit Scores are based on adherence to security policies, which can be customized into compliance frameworks. These scores provide a breakdown report to see exactly what impacts the score to assist in creating an action plan to improve security and compliance.

“We can understand the entire pipeline, we call it code to cloud, which is from the moment you write code until it's deployed. Creating this comprehensive view is like connecting the dots across an unmapped landscape of development tools and pipeline flows. We’ve created some very unique technologies to accomplish this and correlate all the findings to then understand how code flows in your organization until it becomes an application that’s deployed,” explains Liav Caspi, Co-Founder & CTO, Legit Security.

Since the founding of the company, Legit Security has created a big impact in the way enterprises look at modern application security. Most of its customers are Fortune 500 and Global 2000, which was by design. The Legit Security platform was built from the ground up to support large, complex development organizations and provide support for a wide variety of the development and security tools found within them.

“When we built the Legit Security platform, we incorporated several advanced security posture management concepts from day one, which we knew would appeal to enterprises customers and also allows us to onboard a new customer within a few minutes. By adhering to an API-first model, our customer’s don’t have to install software agents, so seeing the value of the platform is immediate,” concludes Fuchs.