Ostorlab Q&A with Safety Detectives


Wanna learn a bit more about Ostorlab? We answered Aviva Zack’s questions for Safety Detective about the Company, our mission of building Autonomous Security, and a bit about us :).

You can read it here and on Safety Detective!

Please share your company background, how you got started, and your mission?

Ostorlab was founded in March 2020 with the ambition of building an autonomous security platform. Our mission is to drive continuous monitoring, with advanced detection and enable automated mitigation and remediation of vulnerabilities.

The genesis of Ostorlab dates back to 2016. As penetration testers, we were struggling with conducting mobile apps security audits. The preliminary configuration is brittle and tedious, legacy scanners integration is painful and often resulted in too many false positives, and insufficient coverage. As we weren’t satisfied with the process and outcome, we created our own scanner and we made it available to anyone online. Our guidelines were simple: simple to use with extensive coverage.

Quickly after the launch, adoption was so fast that our servers went down several times because of the heavy load!

At the same time, while finding vulnerabilities is hard, fixing them is harder. It taps not only into technical challenges, but also operational, organizational, and resource constraint management. While the team was baking their collective experience from companies like Google Datadog and Thales, and embedding requests from the community, the platform evolved from simple detection to managing a fully automated vulnerability management cycle.

One year and a half later after the creation of Ostorlab, it is now trusted by 4500 users in around 40 countries.

What is the main service your company offers?

Ostorlab is offering an autonomous security scanning solution that currently covers Mobile, Web, and API applications.

Our SaaS platform provides a generous free community plan that honors the roots of Ostorlab, a community-driven solution.

It manages and monitors your applications, scans them for security and privacy issues, lists their components and APIs. It leverages advanced analysis capabilities to find vulnerabilities in dependencies, list hardcoded secrets, detect insecure programming patterns, find privacy leaks and intercept backend communication to identify server-side vulnerabilities.

Ostorlab also provides tooling to enable teams to collaborate and expedite fixes and seamlessly integrates with several platforms like Jira. Our users benefit from a true glass-box view into the security of their organization.

Ostorlab focuses on building a solution that enables security professionals, developers, and decision-makers to work together and collaborate on a single platform.

What is something unique that helps you stay ahead of your competition?

The most challenging aspect to build robust vulnerability detection tools is the sheer volume of vulnerability classes and the different ways they can materialize. Automated tools tackle it by throwing security analysts that manually create detection rules. With this approach, only 5% of known vulnerabilities are covered and 50% of results are falses positives and false negatives.

Ostorlab’s unique approach consists of using existing known vulnerabilities to create accurate machine-generated patterns of how a particular vulnerability class can materialize.

This allows us to scale our detection and address the decade-old false positives and false negatives challenge with a structured approach.

Ostorlab covers 10x more vulnerabilities than any existing solution today and our platform continues to automatically improve and evolve.

What do you think are the worst cyberthreats today?

The most challenging threat that security teams need to battle with today is complexity.

Organisations used to have all of their infrastructure in a data center behind a firewall, managing a set of web applications, and pushing code once a month or once a quarter with predefined release cycles.

Now releases happen dozens to thousands of times a day, companies have dozens if not hundreds of internal and external Web, Mobile, and API services, even small ones. They have on-prem and multi-cloud presence, use multiple SaaS platforms that manage production, handle payroll, provide mailing or storage services.

Driven by a competitive and fertile software landscape, this complexity and agility are challenging security teams' practices. They need to operate at the same speed and not interfere with the velocity of their respective organizations. Tooling must be aligned with it.