In today’s ‘Digital India’, as companies embrace advanced technologies to grow their businesses, they also face significant cybersecurity obstacles. Digital assets like websites and applications have become easy targets for hackers. Verizon’s DBIR report of 2022 states that around 72 percent of security incidents are associated with web applications.
As a result, companies are now heavily relying on application security to protect their software applications from various types of attacks. This is where DevSecOps (Development, Security, and Operations) plays a crucial role. It’s an essential part of application security that involves introducing security in the earlier stage of the software development life cycle (SDLC).
To simplify the adoption of DevSecOps for organisations, Chidhanandham Arunachalam (Chidha) and Shashank Dixit of Sumeru Software Solutions co-created Boman.ai. It’s an ASOC (Application Security Orchestration and Correlation) tool that provides a plug-and-play solution for integrating security automation into the development pipeline. ASOC is a category that Gartner, an IT research and consultancy company, has identified as a transformative technology, predicting a manifold increase in its market penetration in the coming years.
In India, however, DevSecOps is still an afterthought for most organisations. It’s worth noting that while 76 percent of applications exhibit critical security flaws in the very first scan, only 21 percent of Indian organisations incorporate security testing at the early stage of the SDLC. If security is not integrated early on, fixing the defects post-production can cost the company 30X more.
As a solution, DevSecOps bakes security into the different phases of the SDLC, using security automation to enable secure software development. But companies are still hesitant, for several reasons:
– Selecting the right set of security tools (open source or commercial) that perform multiple security roles in the development pipeline is a challenge in itself. While open-source tools are difficult to maintain, commercial tools come at a significant cost.
– Security tools produce many false positives that require rework to achieve actionable insights.
– Organisations have limited budgets.
– Organisations lack the security expertise needed to achieve successful DevSecOps.
Keeping all these challenges in mind, Sumeru Solutions developed Boman.ai to help organisations achieve intelligent DevSecOps in record time. Sumeru Solutions has been a CERT-In empanelled vendor for over a decade, providing cybersecurity products and offensive and defensive security services to 200+ customers. With 20+ years of industry experience, Sumeru has some of the best security experts building innovative cybersecurity products and providing powerful, multi-faceted cybersecurity services that comprehensively protect businesses.
“Boman.ai is helping to unlock the full potential of digital transformation and empowering development with security at its core,” says Chidha.
This security orchestration and correlation tool integrates easily into any software development pipeline and brings multiple security scans into one place to achieve security automation. An AI/ML engine helps to minimise the effort of the development and security teams by prioritising vulnerabilities and providing remediation support.
The carefully trained ML models remove false positives and correlate the scanner results to provide focused solutions and essential insights. One of the tool’s key features is that it can be used in non-DevOps environments and developers can run the scans from their systems.
Some other features include:
– Integration of multiple security scanners: SAST, DAST, SCA, and secret scanning.
– Results powered by AI/ML with minimum false positives.
– Vulnerability management.
– Unified dashboard with essential analytics.
– Jira integration to facilitate remediation workflow.
– Developer support for remediation.
– Security and compliance reports.
How does it work?
Boman.ai comes with an open-source CLI (command line interface) which can be integrated with any CI/CD environment. The CLI pulls the appropriate security scanners into one place and performs multiple security jobs such as SAST, DAST, SCA, and secret scans. The overall implementation takes only a few minutes, and it supports all the major CI/CD systems such as Jenkins, Azure DevOps, GitHub Actions, GitLab, and more.
For non-DevOps environments, developers can directly use this CLI to run the scans. The scanned results are then uploaded to the Boman.ai SaaS platform where a machine-learning engine processes the results.
The machine learning models are trained on a large pool of scanner outputs, and they also help to correlate the data from the various scanners. The system keeps switching to the most accurate model and adapts to any new tools integrated into the pipeline.
With customer inputs, these models become more aligned with their environment. Customers can also log into the SaaS platform to manage the vulnerabilities.
Additionally, the unified dashboard of Boman.ai helps to prioritise vulnerabilities, get developer support and insights, and track remediation.
The differentiating factor
Talking about their USP, Shashank explains, “We created a machine learning engine which performs deduplication and prioritisation of security scanner outputs. This helps to arrive at focused results and actionable insights in one platform, which are otherwise in silos in common scenarios.”
Here’s how it has an edge over other products in the market:
– The tool leverages AI/ML to help its customers remove false positives, prioritise vulnerabilities and provide remediation support.
– The correlation engine is developed to draw important inferences from the scan results.
– Sumeru’s team comes with years of strong application security consulting experience which is embedded in Boman.ai’s customer support. They work closely with customers to solve on-ground challenges.
– Boman.ai is designed to support customers who don’t have strong security skills or security budgets. It’s cost-effective and easy to use.
– Boman.ai supports remediation by providing prioritised vulnerabilities. It also has a solution recommendation engine powered by AI/ML which showcases the best applicable solution. Clients can also opt for support where the team of security experts guides the remediation process.
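The deduplication and cross-scanner correlation described under “How does it work?” and in Shashank’s explanation above, as an added example that is not Boman.ai’s code or data: it assumes a hypothetical Finding schema, constructed scanner output, and uses agreement between scanner types as a simple stand-in for the product’s ML false-positive filtering.

```python
# Added illustration of the correlation step the article describes: findings
# from several scanner types are normalised, deduplicated and prioritised.
# Constructed example, not Boman.ai's code or data.
from dataclasses import dataclass, field

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}

@dataclass
class Finding:
    source: str      # scanner type: sast, dast, sca or secret
    rule: str        # normalised weakness id (CWE or scanner rule name)
    location: str    # code location the finding was mapped to
    severity: str
    sources: set = field(default_factory=set)  # scanner types that agree

def correlate(findings):
    """Merge findings with the same rule and location (the fingerprint);
    keep the highest severity any scanner assigned to the issue."""
    merged = {}
    for f in findings:
        key = (f.rule, f.location)
        if key not in merged:
            merged[key] = Finding(f.source, f.rule, f.location, f.severity, {f.source})
            continue
        m = merged[key]
        m.sources.add(f.source)
        if SEVERITY_RANK[f.severity] > SEVERITY_RANK[m.severity]:
            m.severity = f.severity
    return list(merged.values())

def prioritise(findings):
    """Rank findings corroborated by more than one scanner type first (e.g.
    SAST flagged it and DAST reproduced it), then by severity. Corroboration
    is used here as a simple stand-in for the article's ML false-positive
    filtering."""
    return sorted(correlate(findings),
                  key=lambda f: (len(f.sources), SEVERITY_RANK[f.severity]),
                  reverse=True)

# Constructed scanner output. Assumption: the platform has already mapped the
# DAST hit on a URL back to the source location that SAST reported.
RAW = [
    Finding("sast", "CWE-89", "app/db.py:42", "high"),
    Finding("sast", "CWE-89", "app/db.py:42", "high"),  # repeat, second SAST run
    Finding("dast", "CWE-89", "app/db.py:42", "critical"),
    Finding("sca", "vulnerable-dependency", "package.json", "medium"),
    Finding("secret", "hardcoded-api-key", "config/settings.py:7", "high"),
]
```

Running `prioritise(RAW)` collapses the five raw findings to three, with the SQL injection that two scanner types agree on ranked first.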
Who are the best users of the product?
Boman.ai is for all organisations that develop applications, consume third-party applications, and have development teams. Industries such as IT and ITeS companies, BFSI, healthcare, and insurance are the best fit. Boman.ai supports all the leading development languages such as Node.js, Java, .NET, PHP, Ruby, and mobile app technologies.
The road ahead
In the coming years, Boman.ai aims to empower more organisations across multiple geographies to adopt holistic software security.
To make this possible, the platform will expand its integrations with more custom-built, open-source and commercial security and DevOps tools, increase support for developers, and leverage AI/ML to enhance organisations’ application security.
Chidha says, “Boman.ai is revolutionising the way software is built & deployed and thus, ensuring a safe & secure world.”