The start-up wants to democratize the integration of security into development processes, by playing on economic accessibility, but also on attractiveness for developers.
GuardRails just blew out its first candle a few months ago. It was in January 2018 that Stefan Streichsbier founded this young company in Singapore, with many years of experience in penetration testing and vulnerability audits, particularly in Southeast Asia, over the past 10 years.
During this time, development methods have evolved significantly, with the transition to Agile methods and then to DevOps, the application development lifecycle has considerably accelerated. In this context, "there is no longer any time to perform a penetration test over two weeks, while at the same time there have been 50 updates".
According to him, the tools that are supposed to help integrate security into development processes "are designed for security actors [...] you have to be an expert to understand what these tools deliver". So, the observation is simple: "developers hate these security tools".
And it doesn't stop there. Stefan Streichsbier notes that these tools are generally expensive and, in the end, rarely accessible to those multitudes of developers who contribute to open source projects hosted on a GitHub and other platforms that will one day be integrated into larger projects: "those who need them most have access to fewer tools"...
It is from these observations that Stefan Streichsbier decided to create GuardRails, in order to make "security accessible to as many people as possible", both economically and practically, "taking into account the developers' user experience".
GuardRails is therefore designed as a platform to make open source security tools easily accessible, by initially integrating them with GitHub pull requests; Support for GitLab and BitBucket will be added later. The platform performs static analysis of the source code to detect potential vulnerabilities, including unsecured use of SQL queries, regular expressions, dangerous functions, poorly managed authentication, file management or dangerous configuration, etc. Dependencies are also analysed for known vulnerabilities. The platform also tracks hard-coded secrets.
The emphasis is on simplicity: "when you open a pull request, the analysis is launched automatically, and new problems introduced by code changes are presented - and only these". Details of potential vulnerabilities are immediately accessible in the same interface, without having to go to a specific console.
With GuardRails, the objective is not to try to remove all potential vulnerabilities, but to remove the most obvious ones; those that would be easiest to exploit and cause the highest damage: "there are so many vulnerabilities and attack vectors... Especially, if we limit ourselves to the Top 10 in the OWASP ranking, there has not been much evolution over the last 10 years".