Appsec Phoenix Facts

Tech Stack

  • Infrastructure: Amazon AWS (ECS, RDS, Cognito, CodePipeline, CodeBuild, Lambda)
  • Back-End: Kotlin, Spring Boot, Hibernate, PostgreSQL, GraphQL, Docker
  • Front-End: Angular, TypeScript, Nebular, Chart, RxJS, Bootstrap

Methodology, Tools

  • Scrum, Jira
  • Confluence
  • Google Docs
  • GitHub

Overview

Appsec Phoenix was created by Francesco Cipollone. As the founder and CEO, Francesco drew on his many years of experience as an entrepreneur in the cybersecurity industry to build a strong team capable of delivering an innovative product. The Appsec Phoenix platform is an end-to-end vulnerability management platform that focuses on workflows, threat feeds, and real-time data. It implements the Phoenix Cybersecurity framework methodology, facilitating risk-based and metric-based vulnerability management for businesses across all industries. Simply stated, the product combines a set of security scanners and solutions under a single user account, providing a single dashboard with aggregated information and reporting of possible security issues. This intuitive, all-in-one dashboard helps clients detect and remediate the latest vulnerabilities effectively and easily. The platform offers easy-to-read graphic insights that let users visualize vulnerabilities across all types of systems and software, prioritize them, and make it easy for IT teams to close security gaps. We joined the project at the very beginning, in the fall of 2020, and provided our services as a dedicated full-time team.

Business Goals

The global mission of the project is to close the gap between businesses and developers in creating secure software. Appsec Phoenix believes in making Application Security S.M.A.R.T. and in reducing friction between management teams and developers in organizations across the world. The core business value of Appsec Phoenix lies in its ability to save time for business cybersecurity teams by identifying and fixing issues and preventing money loss for businesses vis-a-vis costly brand- and reputation-damaging data breaches.

Technical Challenges

The key challenges of working on this project included the following:

  • The usage of Amazon Cognito as a client choice
  • Quick integration with multiple third-party security products
  • Reconstruction of the domain model for the integration of cloud-infrastructure scanning solutions

Solution

The creation of the AppSec Phoenix platform was a collaborative effort between the client and our teams. For the most part, the architecture and domain model of the project were created on the client's side, but we actively contributed our own ideas. As for the actual implementation, we delivered every aspect of software development, turning the idea into a working product.

Regarding the challenges and technical highlights of the project, none of our experts had any previous experience working with Amazon Cognito. This is an Amazon Web Services product that provides authentication, authorization, and user management for web and mobile apps. We needed to learn quickly how to work with Amazon Cognito in order to implement the platform's authentication and authorization functionality. Once we had achieved this, we ran into further challenges with this AWS product: it was hard to scale and customize for our goals, so we had to put in additional effort to make it suitable for the platform's development.

As for integration with third-party security solutions, we began with Netsparker, a web scanner. The plan for the first MVP version was to integrate a few scanners, each responsible for its own area: scanning websites, repositories, and libraries. During development, it was decided that more scanners were needed to attract more customers. We have currently integrated with 10 leading security products, including the following:

  • Netsparker and Acunetix for web testing
  • Cloud Guard (Dome9), AWS Security Hub, and Prisma Cloud for the testing of the cloud infrastructure
  • SNYK for scanning of libraries
  • Fortify, Checkmarx, Code Inspector, and Veracode for code analysis

“At first, we started with application scanners, like Netsparker and Acunetix. But later, the client decided to integrate with security products that are able to scan the cloud infrastructure. This is on an entirely different level of security products, compared to scanners. The main blocker was the fact that our domain infrastructure was created for application scanners, so we had to rebuild it according to the new demands, adding a lot of significant changes to the code. This was required for mapping Cloud Guard (Dome9), AWS Security Hub, and Prisma Cloud, getting the correct results, and normalizing them.”
—Vitalii Rastvorov, Tech Lead from SPD Group

It is also important to acknowledge the effort of our user interface team. The team consisted of two front-end developers and a UI/UX designer, who created the 1.0 version of the user interface from scratch and then completely redesigned it two months before the release date set by the client.

We also had an issue with TimescaleDB, an open-source time-series database built on PostgreSQL and optimized for fast ingest and complex queries, which we used to read and visualize data for reports. TimescaleDB served as our statistical solution for the first few months, but we later needed something more scalable. So we decided to remove TimescaleDB and use our own custom statistical solution for reading and visualizing report data.

Results

On September 7, 2021, a little over a year after active development began, Appsec Phoenix launched its brand-new platform dedicated to smart software security and risk-based vulnerability management. This marks the release of a fully functional platform for investors and for user testing. We are proud to be part of this project and look forward to achieving new and higher goals with it, including leveraging the power of Artificial Intelligence and building solutions to collect the security statistics of the largest organizations.

While developing this version of the product, our team learned to integrate a third-party scanner or security product into AppSec Phoenix, using that product's credentials, within a single iteration. We developed our own process for the swift onboarding of third-party solutions, and the platform is now ready for new integrations. Furthermore, we successfully rebuilt the platform to work with security products that scan the cloud infrastructure. We now have valuable production experience with the new identity provider, AWS Cognito, and continue to fine-tune it to fit the product better.

Roman Chuprina, Technical journalist at SPD Group, covering AI/ML, IoT, and Blockchain topics with articles and interviews. September 27, 2021
Oleksii Labay, Project Manager & Team Lead at SPD Group, working on a project in the Risk Management industry. September 27, 2021
Vitalii Rastvorov, Tech Lead at SPD Group, working on a project in the Risk Management industry. September 27, 2021