What is our primary use case?
I initially did proof of value or concept walkthroughs of Debricked Security for the customer. I demonstrated the value of Debricked and how it enhances their current security architecture. With my cybersecurity background as a cybersecurity analyst, I explained the product from the NIST perspective, showing how NIST classifies products. Currently, it's an on-prem solution. I also showed them a demo, and they were very happy with how quick and effective Debricked Security is and how it aligns with the principles of defense-in-depth or shifting left. They were especially pleased with its capability to compare different code bases they’re using.
How has it helped my organization?
When we engaged with the customer, I emphasized how they promoted the principles of defense-in-depth and shifting left. I’ve implemented Fortify or CyberEase on-prem and integrated Debricked Security with their on-prem Software Security Center (SSC). This integration adds value by allowing them to compare internal scans with open-source components used in their projects, providing 360-degree visibility, as the product promises. I showcased this practical use, demonstrating the visibility of bug densities across all source code. We used the SSC to combine Debricked Security data with on-prem data, giving them a detailed comparison of vulnerabilities and greater threat visibility. Since over 70% of software architecture projects use open-source components, not having visibility could put their projects at risk. They were very happy with this feature, as well as with the SBOM conversion. Their third-party contractor provided an SBBAX format, and I demonstrated, through a video proof of value, how simple it is to convert using a command line and upload it to Debricked Security to display on dashboards. They were pleased with the flexibility Debricked Security offers.
What is most valuable?
One of the most valuable features of Debricked Security is its ability to integrate with other tools like the Software Security Center and Fortify on Demand. This integration allows users to make comparisons and generate detailed reports based on the data that Debricked Security populates or aggregates. While this feature may not be unique, it is highly effective for detecting vulnerabilities and providing comprehensive insights.
What needs improvement?
Debricked Security has already implemented several improvements, which are great. One area that could be improved is simplifying the process of converting other SBOM data formats into files that Debricked can understand. While the conversion isn't difficult, it is pretty technical and could be challenging for non-technical users. Apart from that, all software features work seamlessly. The integration with endpoints took less than fifteen minutes, and everything from security conventions to automation rules works perfectly. As for AI, Debricked Security uses it effectively, reducing manual work and unnecessary analysis. It enhances data analysis, making it much easier for customers, which I appreciate about the tool.
For how long have I used the solution?
I have worked with Debricked Security for six months.
What do I think about the scalability of the solution?
Debricked Security is highly scalable, and I’d rate it a 10 out of 10.
How are customer service and support?
As for customer support, we've only contacted them twice, but the support was quick and effective both times.
How would you rate customer service and support?
Positive
How was the initial setup?
Setting up Debricked Security is very simple, even for non-technical users. The setup process took only about fifteen minutes, including integration with tools like Azure DevOps. Configuring automation rules, setting up users, and integrating other tools is straightforward, and the user interface is not overly technical. Regarding ease of setup, I’d rate it an eight out of ten.
What was our ROI?
Regarding ROI, Debricked Security has significantly reduced costs for my customers.
Previously, they had to rely on manual code reviews and lengthy security analyses, which took a lot of time. For example, in telecoms, where developing and launching apps is crucial for profitability, Debricked drastically cuts production time by scrutinizing and fixing code much faster. What used to take six months can now be done in three, ensuring the app is secure by design. This saves time and reduces costs, as they don't need to pay programmers for extended periods, cutting the time to market by fifty per cent.
What's my experience with pricing, setup cost, and licensing?
Regarding the cost, in my country, I would say it is expensive. However, I’m not directly involved in the sales process, so I don't have the exact license costs.
What other advice do I have?
I would rate the product ten out of ten.
From my experience as a security analyst and pen tester, I recommend using Debricked Security. It aligns perfectly with the defense-in-depth strategy and shifting left. These two principles are crucial, and Debricked is an essential tool for implementing them. Before even designing or approving an application, Debricked allows you to use its extensive database to compare different types of code, ensuring you're using secure, high-quality components. Shifting left means scrutinizing code components before any development begins, significantly enhancing cybersecurity resilience by ensuring everything is secure by design.
For example, Debricked can detect outdated or risky code versions, allowing you to make informed decisions and use the best possible code. This ensures your applications are secure by design before programming even begins. It's a vital part of the defense-in-depth strategy, and I highly recommend it to anyone looking to improve their security practices.