Exclusive Interview by Diyanah Ali
11th July 2022 marked a meaningful date for E-SPIN group where UBsecure is on board in our journey of providing bigger value of services to customers. We are proud to present to you our exclusive interview with the CEO of UBsecure, Youko Matsuda.
1. Briefly introduce UBsecure. What is the background history of the formation of the company?
Throughout the provisioning of testing services, we had come to the conclusion that application vulnerability testing should be conducted internally within the company. So, sales and marketing of testing tools as well as testing services is the model, and we established the UBsecure company with the colleagues. Our objectives were to make the testing services, which were quite expensive and could only be conducted by a small number of experts, reasonably priced.
Tools available back then were not from overseas and not readily satisfying the local requirements in Japan. Requirements here in Japan are to record how the testing was conducted as well as comprehensive coverage of the vulnerability testing itself.
Therefore, our aim was to develop and market those tools which would be appreciated by the end users and auditors.
2. What has the journey been like for UBsecure since its formation in 2007?
It took a while till we were recognized in the security market. We approached IT security testing services companies as well as the end users. But the market found those overseas tools being standard and de facto, and it was not easy at all to replace them with our tools.
So, we focused on the financial institutions who needed some extra functions such as legitimacy and auditing functions. This worked well and our tools gradually gained a reputation. Back in those days, it was not that easy to expect the end users to use our tools themselves. The market clearly needed application vulnerabilities to be secured, but the problem was the shortage of the testing resources. Therefore, we promoted the scheme where we can arrange testing resources through the collaboration with staff augmentation companies. Both testing tools and testing engineering resources. This has brought us to the current stage where we provide testing training courses and a certificate program.
3. What drives the innovation and improvement in Vulnerability Explorer, Vex?
We tried to understand the requirements at the end users – enterprises – and work out what is really needed for them to study Vex tools. As a result of this, we found two major functions were important: automatic testing and automatic screen transition functions. These functions were also needed at web application development companies, especially when those companies were developing the application, the level of transition quality was important.
Generating the screen transition and the repetitive accesses to the screen tested were quite important in the areas of security testing but of application testing itself. We received good feedback from the application developers and the end users.
Web application development companies need to submit a screen transition chart as one of the deliverables. It is extra work to generate documents. If the testing solution can produce such documents as well as the testing itself, developers are free from such work. It is quite important that we bring that feedback and those suggestions into the future tool development rather quickly. This is our motivation for continuous improvement of our tool development.
Foreign testing tools do not totally satisfy the local requirements. Vex reflects the market requirements onto the tool development and has grown to enjoy the No. 1 position in the local market.
4. What makes Vex different from other web application security scanning tools? Explain the advantages of Vex.
Foreign tools, at the end of testing, indicate there are some vulnerability problems there. There are no functions which suggest the way problems are reproduced or the reason such a problem was detected. So, in many cases, people who would have received such a report are not able to decide how to rectify the problems. Vex provides the way problems can be solved as well as the testing result.
Following are some examples:
- GUI – double-byte support. So, the reporting is available in Japanese and English languages.
- Automatic generation of screen transition
- Audit function is available, so testing is done correctly.
- Vex can accommodate unique testing patterns which end users may require
- Testing patterns and vulnerability being tested are disclosed.
- Problem solving recommendations are provided as well.
5. Describe how Vex helps organizations. Why is it important to organizations?
Controlling and managing the vulnerability problems, the organization will take consequential actions, i.e., encouraging the URL site owners to make corrections. This will lead to reducing the pressures and burdens from audit or security management teams. Since DX promotes and produces web applications in the end, this is quite important and effective to the organizations. It is quite natural that enterprises introduce the countermeasures to the system security. This is a norm. It should not be limited to the system for the external connection. It should be applied to the internal system information management. Recently, the importance of SCM is becoming more important. This is not for one company. Systems are all connected to the external organizations. It may be within the group that the company is a member of. It could be a base trading system with other partner companies. Security is a key element in running businesses. But the security experts & specialists are not enough. Due to the fact that the testing demand is quite high, testing cost becomes expensive. It is practically not possible to conduct testing from cost and resources from this viewpoint.
DX will be further accelerated. Development cycle and duration will be expedited. Outsourcing the testing will not be an answer. So, prior to the application production and release with no redundant i.e., redoing the development is very much important. Security testing elements to be implemented at the development stages are sought after (shift left). Unexpected development cost due to the security requirements should be avoided. Vex can play a major role in this particular situation.
6. How do you see UBsecure in the future? Tell us your visions in bringing UBsecure forward.
At this stage, Vex is a tool at the testing stage out of the overall web application life-cycle. UBsecure will expand its know-how and technologies to other stages, i.e., designing, development and operation stages. Vex as a scan tool, we will further improve its function and performance but plan to deliver those tools for management of the vulnerabilities (whether the problems can be fixed, confirmation when the fix or patch is applied). Vex will be an overall management tool for the entire web application life cycle. Our vision has not changed. UBsecure keeps disclosing all the know-how as a service provider to the market. Our objective is to contribute to the society where everybody can enjoy the benefits of the testing tools. We will keep sharpening our value in security and extend and expand our service areas to the future technologies. Through this exercise, we will produce higher quality products and services to the market which we are confident will serve the problem solving at the end users. We will lead the security mandate in Japan where the security management is a little behind.