
SAST vs DAST: What you need to know.
So, you’re looking for SAST and DAST. Or, you’re looking to understand what SAST and DAST tools are: What are the key differences? How do you use them together? Do you need them?
You’re in the right place. Let’s dive in.
But first, the TL;DR:
- SAST checks your code for vulnerabilities before your app runs, while DAST tests your app while it’s running to find issues that pop up in real time.
- SAST is like an expert dev reviewing your code, DAST is like a hacker trying to break in.
- Using both together helps catch security problems from start to deployment, and ensures your app is safe.
- Shameless plug 😇 - if you’re looking for SAST & DAST, check us out. Get your SAST & DAST covered, so you can get back to building.
SAST & DAST: What you need to know
Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) are two essential methods in application security that help identify vulnerabilities in software.
What is SAST?
SAST, or Static Application Security Testing, is a testing method that analyzes an application's source code in a static or non-running state. It is a “white-box” testing technique.
SAST allows developers to identify vulnerabilities early in the development (SDLC) process, like code development or code review phases. SAST tools are easy to integrate into CI/CD pipelines and IDEs, so you can secure your code as it's written and scan your code before committing changes to the repository.
SAST can detect vulnerabilities like SQL injection, cross-site scripting (XSS), hard-coded credentials, and other OWASP Top 10 vulnerabilities. SAST tools, like Aikido SAST, scan and compare your code to databases of known security vulnerabilities like the National Vulnerability Database (NVD).
Think of it like this: SAST is like having an expert review your code with a fine-tooth comb, giving you immediate feedback on the issues they discover.
That being said, SAST is limited and cannot be used to detect runtime or environment-specific vulnerabilities, like configuration errors or runtime dependencies. Scanning code also requires that you choose a SAST tool that supports your programming language.
Why does SAST matter?
This early detection is crucial, as it allows developers to address issues before the application is deployed, when problems are easier and less costly to fix. SAST is proactive security: it can save a lot of time - and headache - down the road.
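To make the “white-box” idea concrete, here is a toy SAST checker written for this article (an added example, not Aikido SAST or any of the open-source tools named below). It parses Python with the standard `ast` module without ever running the code, and flags two of the vulnerability classes listed above: SQL statements built by string formatting and hard-coded credentials. The vulnerable and hardened snippets it scans are constructed for the example.

```python
"""Minimal SAST-style checker (added example, not Aikido's scanner).

It parses Python source with the standard `ast` module, never executing it,
and reports two of the vulnerability classes the article names:
  * SQL built by string formatting and handed to cursor.execute()
  * hard-coded credentials assigned to suspicious variable names
"""
import ast
import re
from dataclasses import dataclass

CREDENTIAL_NAMES = re.compile(r"(password|passwd|secret|api_key|token)", re.I)
SQL_SINKS = {"execute", "executemany"}


@dataclass
class Finding:
    line: int
    rule: str
    message: str


def _is_string_building(node: ast.AST) -> bool:
    """True if the expression builds a string dynamically (f-string, %, +, .format)."""
    if isinstance(node, ast.JoinedStr):            # f"... {user} ..."
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True                                  # "..." + x  or  "..." % x
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format"            # "...".format(x)
    return False


class StaticChecker(ast.NodeVisitor):
    def __init__(self) -> None:
        self.findings: list[Finding] = []

    def visit_Call(self, node: ast.Call) -> None:
        # Sink check: cursor.execute(<dynamically built string>, ...)
        if (isinstance(node.func, ast.Attribute)
                and node.func.attr in SQL_SINKS
                and node.args
                and _is_string_building(node.args[0])):
            self.findings.append(Finding(node.lineno, "sql-injection",
                "SQL statement built from string formatting; use query parameters"))
        self.generic_visit(node)

    def visit_Assign(self, node: ast.Assign) -> None:
        # Hard-coded credential: PASSWORD = "literal"
        if isinstance(node.value, ast.Constant) and isinstance(node.value.value, str):
            for target in node.targets:
                if isinstance(target, ast.Name) and CREDENTIAL_NAMES.search(target.id):
                    self.findings.append(Finding(node.lineno, "hardcoded-credential",
                        f"'{target.id}' is assigned a string literal"))
        self.generic_visit(node)


def scan_source(source: str) -> list[Finding]:
    """Static scan: parse only, never import or execute the code."""
    checker = StaticChecker()
    checker.visit(ast.parse(source))
    return sorted(checker.findings, key=lambda f: f.line)


# Constructed sample: a vulnerable version and a hardened version of the same code.
VULNERABLE = '''
DB_PASSWORD = "hunter2"
def find_user(cursor, name):
    cursor.execute("SELECT * FROM users WHERE name = '" + name + "'")
    cursor.execute(f"SELECT * FROM users WHERE name = '{name}'")
'''

HARDENED = '''
import os
DB_PASSWORD = os.environ["DB_PASSWORD"]
def find_user(cursor, name):
    cursor.execute("SELECT * FROM users WHERE name = %s", (name,))
'''

if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(f"--- {label} ---")
        for f in scan_source(src):
            print(f"line {f.line}: [{f.rule}] {f.message}")
```

The hardened version produces no findings because the secret comes from the environment and the SQL uses a parameter placeholder, which is exactly what a SAST rule is looking for.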

What is DAST?
DAST, or Dynamic Application Security Testing, is a testing method that evaluates an application while it is running.
While SAST sees inside your source code, DAST does not require source code access. Instead, DAST takes an outsider’s approach to testing your application’s security.
DAST simulates attacks on the application much like a hacker would. It is a “black-box” technique.
DAST can also be called “surface monitoring” as it tests the surface or front-end of the web app. DAST tools interact with the application via the user interface, sending various inputs and observing the outputs to identify vulnerabilities such as authentication issues, server misconfigurations, and other runtime vulnerabilities. Because DAST works at runtime, you need a working application before DAST tests make sense, which is usually the pre-production and production phase.
Because DAST works externally - and uses standardized protocols like HTTP to connect to your app - DAST is not tied to a specific programming language, unlike SAST.
Why does DAST matter?
This method is important for detecting issues that you cannot detect before deployment. DAST covers you for different categories of errors. DAST identifies risks that come up when the application is up and running, like server or database misconfigurations, authentication and encryption issues that allow unauthorized access, or risks from web services that your application connects to.
Using SAST and DAST Together
Using SAST and DAST together is recommended. Combining SAST and DAST gives you broad coverage across the software development lifecycle. Cover yourself early with SAST and ensure you have real-world resilience later with DAST. This combination allows teams to address vulnerabilities at multiple stages and ultimately leads to more secure applications.
Cheatsheet: SAST vs DAST
Testing Approach:
- SAST: White-box (inside-out) testing. It does not require a running application, working “like an expert developer.”
- DAST: Black-box (outside-in) testing. It requires a running application, testing “like a hacker.”
Access to Code:
- SAST: Requires access to the source code.
- DAST: No access to the source code is required.
When to Use in Software Development Lifecycle (SDLC):
- SAST: Used early in the SDLC. Integrate into your CI/CD and IDE to secure code as it is written.
- DAST: Used later in the SDLC, starting in the pre-production and production phase.
Type of Vulnerabilities Detected:
- SAST: Detects security issues in source code, such as SQL injection, cross-site scripting (XSS), and hard-coded credentials.
- DAST: Detects runtime and environment-related vulnerabilities, such as misconfigurations.
Key Advantages:
- SAST: Identifies vulnerabilities early, allowing for easier remediation that saves time and money.
- DAST: Tests application behavior as a real attacker would, covering a broader attack surface, catching different categories of errors (like configuration issues), and producing few false positives.
Key Limitations:
- SAST: Language and platform-dependent, may produce false positives, and cannot discover runtime or environment-related issues.
- DAST: Cannot pinpoint the exact source of vulnerabilities, requires a running application, and vulnerabilities are more expensive to fix at this stage.
Popular Open Source Tools:
- SAST: Semgrep, Bandit, Gosec.
- DAST: ZAP, Nuclei.

Best SBOM Tools for Developers: Our 2025 Picks
Keeping track of all the parts in an application is no easy task. Developers often use open-source libraries, frameworks, and dependencies, which makes it harder to ensure software is secure and reliable.
A Software Bill of Materials (SBOM) helps by listing every component in an application. This inventory lets organizations manage risks, stay compliant, and improve cybersecurity.
As SBOMs become more important, tools that make creating and managing them easier are in high demand. This article looks at SBOM tools, their key features, benefits, and the top options available today.
Understanding SBOMs and Developer Needs
An SBOM (Software Bill of Materials) is a list of everything inside a piece of software—libraries, frameworks, dependencies, versions, and metadata. It helps developers, security teams, and companies keep track of what’s in their code.
Manually tracking dependencies is a nightmare, especially in large projects. SBOM tools automate this by scanning code, identifying components, and keeping inventories up to date.
They also flag vulnerabilities and licensing risks by checking against known databases. With regulations like the 2021 Biden executive order requiring SBOMs for federal software, having the right tool ensures compliance and makes security audits easier.
Key Features of Top SBOM Tools
When choosing SBOM tools, focus on those that support standard formats like OWASP CycloneDX and SWID tags. These formats ensure compatibility, simplify data sharing, and help meet regulatory requirements while improving collaboration with partners. Consider these aspects when selecting your SBOM tool:
- Integration in your stack: The tool should work effortlessly with your CI/CD pipelines and build systems. This allows automatic SBOM generation during development, keeping them up-to-date with the latest code changes and reducing manual effort.
- Dependency Visibility: A good SBOM tool provides clear insights into complex dependency chains and transitive relationships. This helps developers understand potential vulnerabilities and manage updates across all dependencies.
- Risk and Compliance Insights: Look for tools that integrate with vulnerability and license databases. This ensures timely risk assessments, prioritizes remediation efforts, and helps maintain legal compliance.
- User-Friendly Interface: A simple, intuitive interface is essential. Features like comparison, editing, and merging make collaboration easier and help developers quickly access the information they need to secure software.
In general, choose a tool that simplifies your workflow, enhances security, and keeps your software compliant.
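To show what the features above look like in practice, here is an added example (not the code of any tool reviewed here) that builds a CycloneDX 1.5 JSON SBOM from a small resolved dependency graph, records the transitive relationships, and then checks the components against a vulnerability list and a license deny-list. The dependency tree, vulnerability identifiers and license policy are all constructed placeholders, not real advisories.

```python
"""Generate a CycloneDX 1.5 JSON SBOM from a dependency graph and check it
against vulnerability and license data (added example, not any of the tools
reviewed in this article). All package, vulnerability and license data below
is constructed for illustration.
"""
import json
from datetime import datetime, timezone

# Constructed resolved dependency graph:
#   (ecosystem, name, version) -> (license, direct dependencies)
DEPENDENCIES = {
    ("pypi", "webapp", "1.0.0"): ("MIT", [("pypi", "requests", "2.25.0"),
                                          ("pypi", "pyyaml", "5.3")]),
    ("pypi", "requests", "2.25.0"): ("Apache-2.0", [("pypi", "urllib3", "1.26.4")]),
    ("pypi", "urllib3", "1.26.4"): ("MIT", []),
    ("pypi", "pyyaml", "5.3"): ("GPL-3.0-only", []),
}

# Constructed "known vulnerable" database keyed by purl (placeholder ids, not real CVEs).
VULN_DB = {
    "pkg:pypi/urllib3@1.26.4": "EXAMPLE-VULN-0001",
    "pkg:pypi/pyyaml@5.3": "EXAMPLE-VULN-0002",
}
# Licenses the (constructed) organisation does not allow in shipped software.
DENIED_LICENSES = {"GPL-3.0-only", "AGPL-3.0-only"}


def purl(ecosystem: str, name: str, version: str) -> str:
    """Package URL, the identifier CycloneDX uses to name a component."""
    return f"pkg:{ecosystem}/{name}@{version}"


def build_sbom(root: tuple, deps: dict) -> dict:
    """Walk the dependency graph from `root` and emit a CycloneDX document."""
    components, dependencies, seen = [], [], set()
    stack = [root]
    while stack:
        key = stack.pop()
        if key in seen:
            continue
        seen.add(key)
        ecosystem, name, version = key
        license_id, children = deps[key]
        if key != root:  # the application itself goes in metadata.component
            components.append({
                "type": "library",
                "name": name,
                "version": version,
                "purl": purl(*key),
                "licenses": [{"license": {"id": license_id}}],
            })
        # The dependencies[] section records the transitive relationships.
        dependencies.append({
            "ref": purl(*key),
            "dependsOn": [purl(*child) for child in children],
        })
        stack.extend(children)
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "component": {"type": "application", "name": root[1],
                          "version": root[2], "purl": purl(*root)},
        },
        "components": sorted(components, key=lambda c: c["purl"]),
        "dependencies": dependencies,
    }


def assess(sbom: dict) -> dict:
    """Match SBOM components against vulnerability and license data."""
    report = {"vulnerable": {}, "license_violations": []}
    for comp in sbom["components"]:
        if comp["purl"] in VULN_DB:
            report["vulnerable"][comp["purl"]] = VULN_DB[comp["purl"]]
        for lic in comp.get("licenses", []):
            if lic["license"]["id"] in DENIED_LICENSES:
                report["license_violations"].append(comp["purl"])
    return report


if __name__ == "__main__":
    bom = build_sbom(("pypi", "webapp", "1.0.0"), DEPENDENCIES)
    print(json.dumps(bom, indent=2))
    print(json.dumps(assess(bom), indent=2))
```

Note that urllib3 is only reached through requests, which is why the dependencies section matters: without it you cannot tell whether a flagged component is a direct dependency you can swap or a transitive one you must upgrade through its parent.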
Best Open Source and Free SBOM Generators
Open-source SBOM tools offer a cost-effective way to manage software components while ensuring transparency and community-driven enhancements. These tools are valuable for organizations prioritizing open-source solutions and leveraging community contributions for continuous improvement.
1. Syft by Anchore
Syft, developed by Anchore, serves as a versatile command-line interface (CLI) tool that extracts SBOMs from container images and filesystems. Its adaptability across OCI, Docker, and Singularity formats makes it an ideal choice for diverse container ecosystems. By producing SBOMs in CycloneDX, SPDX, and its proprietary format, Syft aligns with industry standards, catering to developers and security teams.
Syft integrates effortlessly into existing development workflows, offering a streamlined inventory management solution. It caters specifically to modern containerized environments, enabling comprehensive tracking of software components from development through deployment and ensuring a consistent view of application dependencies.
2. Trivy
Trivy by Aqua Security is a powerful open-source scanner designed for security and compliance. It detects vulnerabilities, misconfigurations, and exposed secrets across container images, filesystems, and code repositories. Supporting multiple languages and package managers, Trivy seamlessly integrates into CI/CD pipelines, enabling automated security checks throughout development.
As a GitHub-hosted project, Trivy benefits from continuous community contributions, evolving to meet modern security challenges. Its support for SBOM generation in SPDX and CycloneDX formats enhances transparency and compliance, making it an essential tool for organizations prioritizing software security and open-source best practices.
Top Commercial and Enterprise SBOM Tools
Exploring enterprise SBOM tools reveals solutions crafted for comprehensive software oversight, offering features beyond component enumeration. These tools integrate seamlessly into enterprise environments, providing enhanced oversight, compliance, and operational agility.
3. Aikido Security
Aikido Security excels by delivering detailed insights into direct and indirect software dependencies, detecting subtle risks within software packages. Its in-depth license analyses within container environments provide organizations with a thorough understanding of compliance challenges.
Aikido’s advanced analytical models translate legal terms into actionable insights, simplifying risk management. This approach empowers security teams to prioritize actions efficiently, ensuring a proactive stance in mitigating potential threats.
4. FOSSA
FOSSA automates SBOM creation through deep integration with version control systems and development pipelines, streamlining operations for development teams. It provides comprehensive visibility into software components, mapping dependencies to licenses and vulnerabilities, supporting robust security practices.
The tool enhances compliance and security by delivering insights into open-source license requirements and vulnerabilities. This capability allows organizations to manage risks proactively, ensuring issues are addressed before escalating into production environments.
5. Anchore Enterprise
Anchore Enterprise offers a holistic framework for managing SBOMs, embedding itself as a foundational element within software supply chain security strategies. It encompasses the entire lifecycle of SBOMs, from creation to post-deployment monitoring, ensuring continuous oversight and security.
Supporting diverse formats, Anchore Enterprise employs advanced scanning tools to detect vulnerabilities, providing a comprehensive solution for managing software risks. This capability enables enterprises to maintain a secure and compliant software environment, safeguarding operational integrity.
6. Mend
Mend weaves SBOM generation into its comprehensive software analysis suite, providing dual capabilities in tracking components and managing vulnerabilities. By offering insights into open-source licenses and vulnerabilities, Mend facilitates thorough risk evaluation, ensuring software quality and compliance.
The tool delivers remediation strategies and updates SBOMs dynamically, aligning security measures with ongoing development activities. This approach supports agile operations, allowing organizations to swiftly adapt to emerging threats and maintain a resilient software supply chain.
Choosing the Right SBOM Tool
Take these aspects into account to select the right SBOM solution for your stack:
- Start with your stack: Choose an SBOM tool that fits your development and deployment processes. Look for tools that integrate seamlessly with your existing build systems and automation frameworks to keep SBOMs updated automatically.
- Know your requirements: Understand the SBOM formats required for your industry or regulations. Pick tools that support standardized formats to ensure compliance and smooth collaboration across your software supply chain.
- Focus on risk management: Select tools that offer clear, detailed reports on vulnerabilities and licensing issues. A user-friendly interface makes it easier for teams to address risks quickly and maintain security.
- Think scalability: If you manage a large software portfolio, choose tools that can handle high volumes of components without slowing down. Scalable tools ensure reliable oversight as your development grows.
- Weigh open-source vs. commercial options: Open-source tools are cost-effective and flexible, while commercial solutions often provide advanced features, better support, and stronger integrations. Match the tool to your organization’s needs for both short-term goals and long-term growth.
Adopting an SBOM tool early helps you avoid compliance issues and keeps track of risky OSS licenses your team might use. Start protecting your software now—try Aikido for free to get a clear view of your licenses and automate SBOM management.

5 Snyk Alternatives and Why They Are Better
Snyk is widely recognized as one of the top security tools for developers, especially when it comes to finding vulnerabilities in open-source code, containers, and infrastructure as code. However, no tool is perfect for every scenario, and access to the Snyk platform comes with a price tag. Depending on your needs, there may be Snyk alternatives that provide better integration, features, or simply better value for money.
Here, we'll look at 5 Snyk alternatives and why they might be a better fit for your organization.
1. Aikido Security
- Why It’s Better: All-in-one AppSec
- Overview: Aikido integrates open-source scanners into a 10-in-1 vulnerability management platform, delivering exceptional value with affordable pricing tiers.
- Advantages:
  - Strong focus on noise reduction
  - 10-in-1 vulnerability scanners
  - Continuous scanning throughout the entire development lifecycle
  - In-depth policy enforcement capabilities
- Why It Might Be Better than Snyk:
  - While Snyk provides a good base of powerful security scanners, Aikido is superior for organizations that need all-around vulnerability protection, license tracking, and compliance features, especially in highly regulated industries - and all that affordably priced.
2. Dependabot
- Why It’s Better: Seamless Integration with GitHub
- Overview: Acquired by GitHub, Dependabot offers automatic dependency updates for your projects. It continuously monitors your dependencies for vulnerabilities and automatically generates pull requests with updates.
- Advantages:
  - Native integration with GitHub repositories
  - Automated pull requests and patches with minimal configuration
  - Simple, lightweight, and easy to use
  - Free for public and private repositories on GitHub
- Why It Might Be Better:
  - If your codebase is hosted on GitHub, Dependabot’s native integration makes it a natural choice. It’s also fully automated, which means less manual work compared to Snyk’s more interactive approach.
3. SonarQube
- Why It’s Better: Code Quality Meets Security
- Overview: SonarQube is a code quality and security tool that scans codebases for both code smells and security vulnerabilities, making it a great option for developers looking for a tool that blends security with code health.
- Advantages:
  - Combines code quality checks with security scanning
  - Broad language support and community-driven plugins
  - Integrates with popular CI/CD tools and DevOps pipelines
  - Detailed reports on both technical debt and vulnerabilities
- Why It Might Be Better:
  - If you are looking for a tool that goes beyond security vulnerabilities and also provides insight into code quality, SonarQube’s ability to highlight maintainability and performance issues is a big plus.
4. Clair
- Why It’s Better: Container Security Focus
- Overview: Clair is an open-source vulnerability scanner primarily focused on Docker and OCI container images. It integrates directly into your container pipelines, analyzing vulnerabilities in images.
- Advantages:
  - Strong focus on container security, especially for Kubernetes environments
  - Seamless integration with container registries like Docker Hub and Quay.io
  - Open-source, allowing for customization and integration with other tools
  - Continuous scanning for known vulnerabilities
- Why It Might Be Better:
  - While Snyk covers container security, Clair’s exclusive focus on containers allows it to offer a more fine-tuned and granular approach. For organizations deeply invested in containerized environments, Clair may provide better visibility and customization options.
5. Aqua Security
- Why It’s Better: End-to-End Cloud Native Security
- Overview: Aqua Security provides a holistic solution for securing containers, serverless functions, and other cloud-native applications. It covers a wide range of security needs, from image scanning to runtime protection.
- Advantages:
  - End-to-end security solution for containers, serverless, and Kubernetes
  - Strong runtime protection capabilities
  - Real-time threat detection and anomaly monitoring
  - Integrates with CI/CD pipelines and multiple cloud platforms
- Why It Might Be Better:
  - Aqua’s depth in cloud-native security, especially its real-time threat detection and runtime protection, makes it a more powerful solution for cloud-native environments compared to Snyk, which is more focused on scanning and remediation during the development phase.
Conclusion
Snyk is a powerful tool, but these alternatives may offer better solutions depending on your specific needs. Aikido provides superior value for money with an all-in-one platform, Dependabot excels at GitHub integration and automation, SonarQube enhances code quality while ensuring security, Clair specializes in container security, and Aqua Security delivers comprehensive cloud-native security. Ultimately, the best tool for your organization will depend on your existing workflows, the complexity of your infrastructure, and the specific challenges you’re trying to solve.

Why we’re stoked to partner with Laravel
We’re stoked to announce our new partnership with Laravel, the PHP framework for web artisans.
TL;DR: Laravel helps PHP developers create their best work; now Aikido helps secure it. 🤝
Laravel is a premier PHP framework, loved by hundreds of thousands of developers worldwide. In fact, over 30% of our Aikido user base already leverages Laravel.
As of today, we are Laravel’s preferred AppSec provider. Developers building with Laravel can directly secure their new or existing Forge apps within a few clicks – powered by Aikido.
This integration is designed to help PHP developers get security done. Laravel users get an instant overview of all code and cloud security issues - aggressively auto-triaged - to see what matters and how to fix it. So they can get back to building.
Secure your PHP apps from Day 0
Laravel equips PHP developers with the most advanced tools to create exceptional applications. Laravel does so via a growing suite of standout products like Forge, their premier service to help PHP developers manage servers for their applications. Forge powers over 600k PHP applications.
When it comes to creating exceptional applications, building them is just one part. Keeping them safe is another.
Until now.
From within the Forge UI, developers new to Aikido can set up a workspace and connect their repositories. Once connected, users receive auto-triaged and prioritized security issues, complete with estimated resolution time and full context, across all their PHP applications. Right where they manage them in Forge.
Thanks to our signature auto-triaging (delivering 85% fewer false positives!), developers see what really matters, with step-by-step guidance to fix critical issues fast.

All-you-can-eat AppSec for PHP devs
We know, security can suck. And it only gets harder as you grow. Increasing regulatory pressure, new compliance schemes, tedious security questionnaires from upmarket customers, … the list goes on.
Sooo we think this is a pretty big deal— if you’re building a new Laravel app today, you’ll have AppSec sorted asap. If you already have Laravel apps in production, your path to solving critical security vulnerabilities goes from hours or days to minutes.
In the long run, 600k+ devs using Forge will have continuous AppSec at their back, from instant feedback on any new security issue introduced via pull request to malware scanning, and more. They can add cloud providers, containers, and domains to fully take advantage of our ‘all you can eat’ security.
Laravel developers can also leverage the new integration to breeze through the increasing regulations and compliance requirements coming their way, by making use of ready-to-go compliance reports and automating technical controls to achieve SOC 2, ISO 27001, HIPAA, and more.
How does the Aikido-Laravel integration work?
- When inside Forge, hop over to “Account Settings” or a Forge site. Here you can find the new Aikido integration in the sidebar;
- From there, click the Connect Aikido Workspace button;
- We'll ask you to create an Aikido account for free. Or log into your existing account through GitHub, GitLab, Bitbucket, and other Git providers;
- Give Aikido authorization to the repositories relevant to this site and production environment. And we will get to work with our famously fast scanning;
- You’ll get your first results in less than 60 seconds. ⚡
You can then head back into Forge to see which issues Aikido has found — complete with prioritization based on the impact on your app and the severity of the vulnerability itself, and more.
From there, you can always click the Go to Aikido button from any site, or your account preferences, to access all your new Aikido workspaces.
For complete details on how it works, check out the docs.
More of a visual learner? Check out this video walkthrough straight from the folks at Laravel.
What’s next?
We’re stoked to join forces with Laravel and the talented folks behind it. Together, developers can spend less time sweating security, and more time building exceptional applications. Definitely check out Forge, if you haven’t already.
You can connect your Laravel and Aikido accounts starting today. Once you’ve solved your first critical vulnerability, let us know on LinkedIn or X how we could make your AppSec experience even simpler and speedier.

110,000 sites affected by the Polyfill supply chain attack
A critical exploit just hit the scene, targeting cdn.polyfill.io, a popular domain for polyfills. Over 110,000 websites have been compromised by this supply chain attack, which embeds malware into JavaScript assets.
TL;DR
If your website uses http://polyfill.io/, remove it IMMEDIATELY.

Who does this supply chain attack affect?
The cdn.polyfill.io domain has been hijacked to serve malicious scripts. This means any site relying on this domain for polyfills—a method of adding new functionality to older browsers, like modern JavaScript functions—is at risk. Security researchers at Sansec were the first to identify the many instances of malware payloads, which included redirecting mobile users to a sports betting site.
This supply chain attack can compromise your users' data and the integrity of your applications, and even includes built-in protection against reverse engineering and other clever tricks to prevent you from observing how it affects your end users.
Aikido's Research Team continuously adds new advisories for dependencies which use polyfill[.]io under the hood, which would leave your applications vulnerable to the supply chain attack. Some notable dependencies include:
- albertcht/invisible-recaptcha (Over 1m installs)
- psgganesh/anchor
- polyfill-io-loader
Since details about the attack were publicly released, Namecheap put the domain name on hold, preventing any requests to the polyfill malware. While that does prevent the spread of malware in the short term, you should still continue with a proper remediation.
How can you fix this vulnerability?
Scan your code now. Aikido’s SAST feature scans your codebase for any instances of cdn.polyfill.io.
Create an Aikido account to get your code scanned
Any findings around this Polyfill supply chain attack will jump to the top, as they have a critical 100 score. Make sure to remove all detected instances of polyfills immediately to protect yourself and your users from this critical supply chain attack.
The good news is that according to the original author, you can likely remove cdn.polyfill.io, or any of the affected dependency packages, without affecting the end-user experience of your application.
No website today requires any of the polyfills in the http://polyfill.io library. Most features added to the web platform are quickly adopted by all major browsers, with some exceptions that generally can't be polyfilled anyway, like Web Serial and Web Bluetooth.
If you do require Polyfill capabilities, you can tap into recently-deployed alternatives from Fastly or Cloudflare.
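If you want to run the check yourself, here is an added example (not Aikido's scanner) that walks a project directory for URLs on polyfill.io (any scheme, protocol-relative `//`, with or without the `cdn.` prefix) in HTML, JavaScript and PHP files, and for package manifests that declare the dependencies listed above. The sample files it creates in a temporary directory, including their version constraints, are constructed for the example.

```python
"""Find references to the compromised polyfill.io CDN in a project tree
(added example, not Aikido's SAST). Two checks from the article:
  * script/asset URLs that load from polyfill.io (directly or via cdn.)
  * package manifests that declare the dependencies named as using it
All sample files are constructed in-line.
"""
import json
import re
import tempfile
from pathlib import Path

# polyfill.io with any scheme, protocol-relative "//", and optional "cdn." host.
POLYFILL_URL = re.compile(r"(?:https?:)?//(?:cdn\.)?polyfill\.io/[^\s'\"<>]*", re.I)

# Dependencies the article lists as using polyfill.io under the hood.
RISKY_DEPENDENCIES = {"albertcht/invisible-recaptcha", "psgganesh/anchor", "polyfill-io-loader"}

# Manifests and source files worth scanning.
MANIFESTS = {"package.json", "composer.json"}
SOURCE_SUFFIXES = {".html", ".htm", ".js", ".php"}


def scan_text(text: str) -> list[str]:
    """Return every polyfill.io URL found in HTML or script source."""
    return POLYFILL_URL.findall(text)


def scan_manifest(text: str) -> list[str]:
    """Return risky dependencies declared in a package.json / composer.json."""
    data = json.loads(text)
    declared = set()
    for section in ("dependencies", "devDependencies", "require", "require-dev"):
        declared.update(data.get(section, {}))
    return sorted(declared & RISKY_DEPENDENCIES)


def scan_tree(root: Path) -> dict:
    """Walk a project directory and collect findings per file (relative path)."""
    findings = {}
    for path in root.rglob("*"):
        if path.name in MANIFESTS:
            hits = scan_manifest(path.read_text())
        elif path.suffix in SOURCE_SUFFIXES:
            hits = scan_text(path.read_text())
        else:
            continue
        if hits:
            findings[str(path.relative_to(root))] = hits
    return findings


# Constructed sample project: one static include, one dynamically injected
# script, one Composer manifest with a risky package, one clean npm manifest.
SAMPLE_FILES = {
    "index.html": '<html><head>\n'
                  '<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=fetch"></script>\n'
                  '<script src="/static/app.js"></script>\n</head></html>',
    "static/app.js": 'const s = document.createElement("script");\n'
                     's.src = "//polyfill.io/v3/polyfill.min.js";\ndocument.head.append(s);\n',
    "composer.json": json.dumps({"require": {"laravel/framework": "^11.0",
                                             "albertcht/invisible-recaptcha": "^1.9"}}),
    "package.json": json.dumps({"dependencies": {"react": "^18.0.0"}}),
}


def demo_findings() -> dict:
    """Write the constructed sample project to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, content in SAMPLE_FILES.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(content)
        return scan_tree(root)


if __name__ == "__main__":
    for file, hits in demo_findings().items():
        print(f"{file}: {', '.join(hits)}")
```

Every path it prints is something to remove; the clean package.json does not appear in the output.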

Cybersecurity Essentials for LegalTech Companies
According to IBM & Ponemon, the average cost of a data breach is a staggering $4.35 million! No wonder companies feel the need to invest heavily in cybersecurity. For legal tech companies, handling a large amount of sensitive client data daily, the stakes are even higher. Beyond the immediate financial impact, a data breach can cause severe reputational damage that is often much harder to repair, making cybersecurity a top priority for legal professionals. As the digital world evolves, strategies for protecting sensitive information must also adapt to increasingly sophisticated threats.

ELTA, the European Legal Tech Association, gathered some of today's leading cybersecurity experts in a digital meeting room. Roeland Delrue, Co-Founder & CRO at Aikido Security, Aidas Kavalis, Co-Founder & Head of Product at Amberlo, Wouter Van Respaille, Co-Founder & CTO at Henchman and Michiel Denis, Head of Growth at Henchman share their expertise and insights on how to install a solid cybersecurity framework for LegalTech companies.
The Growing Importance of Cybersecurity
What are the foundational cybersecurity standards every legaltech application should meet, and how have these standards evolved with emerging threats? Roeland Delrue, Co-founder & CRO at Aikido Security, emphasizes that developing a secure legaltech application starts with the code.
- Programmers are writing the app in code. The first layer of security is ensuring that the code itself is secure.
- Once the code is ready, it is typically shipped in containers - which represent the second layer that must be scanned and monitored.
- The third layer is the cloud environment where the application is deployed.
- The fourth layer is the domains (login.com or app.com) through which users access the application.
Compliance and Continuous Monitoring
Wouter Van Respaille, Co-Founder and CTO at Henchman, stressed the importance of compliance with industry standards such as ISO 27001 and SOC 2. These certifications are not just checkboxes; they are indicators that a vendor is serious about security. He noted that companies without these certifications might lack the necessary resources or commitment to security.
Beyond compliance, continuous monitoring and creative approaches like bug bounty programs are crucial. These programs involve ethical hackers who continually test the system, providing an additional layer of security beyond traditional scanning tools. Van Respaille shares their approach at Henchman: “Aikido continuously scans both our infrastructure and our code. Additionally, we use Intigriti for bug bounty hunting, which involves a collective of social hackers creatively probing and exploring our systems. Compared to traditional scanning tools, this approach is far more innovative. We also use Phished to send phishing simulations to all our employees, raising awareness of phishing and security while adding a touch of gamification. As a company handling a never-ending stream of sensitive data, it's important to have these partnerships rather than doing everything ourselves."
Because cybersecurity is a complex matter, Aidas Kavalis, co-founder and head of product at Amberlo, points out that it's wise to bring in a third party to evaluate vendors. "An expert in the field can help you discover things you'd never have thought of. Even if an ISO27001 or SOC 2 standard is implemented, how can you be sure that the certificate matches reality? A professional helps to ask the right questions and ensure that the right things are checked up front.”
Legal data is highly sensitive and valuable
The panelists agree that legaltech applications face unique cybersecurity challenges compared to other web applications, being a top target for hackers together with financial institutions. Legal data, much like financial data, is highly sensitive and valuable. "The difference is that financial institutions handle money, while law firms manage client information, which can sometimes cause more harm if breached. Recently, there have been several attacks where law firms were hacked, leading to individual targeting of their clients. Therefore, I believe law firms are definitely among the highest-risk sectors," says Kavalis.
Delrue urges to be mindful of the value of the data you handle, as it impacts the level of security required: "For instance, there's a significant difference between a legaltech vendor that only reviews contracts without storing them and one that holds numerous clients' actual contracts. The more sensitive data you hold, the more attractive a target you become to hackers, who aim to extort money through ransomware or by selling the data. Therefore, whether you are a legaltech vendor or consumer, you should assess the sensitivity and value of your data to potential malicious actors. If your data is highly valuable, it is crucial to implement more rigorous cybersecurity measures than the average company."
Evaluating LegalTech Security
When evaluating the security of legaltech products, law firms should also consider the sensitivity and volume of the data they handle and ensure that the applications have the necessary security measures in place.
As a legaltech provider, Kavalis is asked for three things by his customers:
- ISO or SOC 2 certifications, along with GDPR compliance questionnaires.
- External cybersecurity assessment: Larger law firms often ask for tech sessions, where they bring in external experts to dig deep into Amberlo to see if it has adequate technology and policies in place.
- And from time to time, a history of security incidents. “Fortunately, we haven't experienced any major security incidents so far, which I consider a significant achievement. Since we launched Amberlo in 2017, we have seen daily attempts to break into our systems from some well-known hacker locations,” says Kavalis.
An easy thing to check is whether a company is ISO 27001- or SOC 2-compliant. However, Delrue stresses the importance of understanding what these certifications actually cover. He sees ISO 27001 or SOC 2 as a shortcut to filling out a lengthy security questionnaire, where ⅔ of the boxes can be checked off automatically. Some things, however, are not covered by certifications; malware scanning, for example, is not covered by SOC 2. So in some cases a standard ISO certification might not cut it, and you might want to add some deeper questions.
On-premise vs hosted in the cloud?
With the rapid advancements brought by GPT and other AI technologies, evaluating technology in law firms has become increasingly crucial. However, there has always been an on-premises vs. cloud hosting debate. Let’s have a look at what this means first:
- On-premises software: customers own the physical servers and host the application there themselves
- The private cloud: customers run all their applications inside their own network, on infrastructure from Microsoft Azure, Google Cloud Platform or AWS
- The (public) cloud: the vendor runs the application fully in the cloud and customers adopt it as a service
"I don't want to get hit by a car, so I'll just stay home forever. Or I could actually go somewhere, and when I cross the street, I look left and right first to make sure I’m safe.”
Van Respaille uses this analogy to compare on-premises to the cloud. In his view, staying on-premise is outdated. "It means you will be excluded from a lot of innovation. My advice to all law firms is to fully embrace the cloud but approach it thoughtfully. Be aware that there are security checklists available. These don't need to be overly complex or resource-intensive; a basic questionnaire can suffice for evaluating the tools you wish to adopt. This approach creates an initial layer of security, giving you a clear understanding of what you're actually purchasing. In summary, 'Go full cloud, but know which tools you are going to adopt!'"
If certain standards are met, Delrue sees on-premise as a legitimate option: "If you have a top-notch on-prem program with dedicated security people who know how to manage that on-prem, then it's definitely a viable option." However, he believes that high-quality on-prem security is rare. "If you're dealing with very highly professional cloud providers and you don't have the in-house resources to manage your on-prem, it's probably safer to go with the cloud version because there are a lot of security risks on-prem." So basically, it’s a risk assessment: where do you want the risk to be, and who do you want to manage that risk?
"Very often, on-premise becomes a single point of failure," Kavalis adds. "If one perimeter is breached, it often means that all the other systems are also quite easily accessible. I have rarely seen a layered approach to on-prem cybersecurity, where each application is isolated in a separate security zone."
From ideation to deployment
Of course, legaltech vendors should integrate security standards and measures from the start, even before the product has been built.
"It starts with the software developer's laptop. The developer writes code, and that's where you can do the first check. That's what Aikido does," says Delrue. "Whether it's code, containers, cloud, domain, in every part of the development lifecycle, Aikido can do security checks." Being too strict, however, can slow down the development process tremendously. That's why Delrue advises using the risk categorization of vulnerabilities & security issues (low, medium, high, critical) smartly. "If you start blocking them at medium, you're going to slow down development: they're going to be stopped at every step they take because of some security check that needs to be fixed. Sometimes it's a little easier to only block the ‘critical issues’ and then maybe fix the ‘highs’ later in a focused moment.”
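The severity-based gating Delrue describes is easy to encode as a small policy step in the pipeline. The following is an added example written for this article, not Aikido's code, and it does not use Aikido's report format: the findings list is constructed for illustration, and the rule IDs, locations and the `accepted` exception map (a way to consciously defer a finding until a chosen date, so the "highs" can be fixed in a focused moment without being forgotten) are assumptions of the example.

```python
"""Severity-threshold gate for security-scanner findings (added example).

Policy: anything at or above `block_at` fails the job; anything at or above
`warn_at` is reported but does not fail it. A finding whose rule ID has an
unexpired entry in `accepted` is demoted from blocking to warning, so deferred
work stays visible and automatically starts blocking again when the
acceptance expires. Unknown severities fail closed.
"""
from dataclasses import dataclass, field
from datetime import date
import sys

# Severity ranking: higher number = more severe.
SEVERITY_ORDER = {"low": 0, "medium": 1, "high": 2, "critical": 3}


@dataclass(frozen=True)
class Finding:
    rule_id: str
    severity: str
    location: str
    message: str


@dataclass
class GateResult:
    blocked: list = field(default_factory=list)
    warned: list = field(default_factory=list)
    passed: list = field(default_factory=list)

    @property
    def exit_code(self) -> int:
        # Non-zero fails the CI job; only `blocked` findings stop the merge.
        return 1 if self.blocked else 0


def _rank(severity: str) -> int:
    try:
        return SEVERITY_ORDER[severity.lower()]
    except KeyError:
        # Fail closed: a severity the gate cannot classify must not slip through.
        raise ValueError(f"unknown severity {severity!r}")


def gate(findings, block_at="critical", warn_at="high", accepted=None, today=None):
    """Split findings into blocked / warned / passed according to the policy."""
    accepted = accepted or {}          # {rule_id: expiry date}
    today = today or date.today()
    block_rank, warn_rank = _rank(block_at), _rank(warn_at)
    result = GateResult()
    for f in findings:
        rank = _rank(f.severity)
        expiry = accepted.get(f.rule_id)
        deferred = expiry is not None and today <= expiry
        if rank >= block_rank and not deferred:
            result.blocked.append(f)
        elif rank >= warn_rank or rank >= block_rank:
            result.warned.append(f)   # reported, but the build goes on
        else:
            result.passed.append(f)
    return result


# Constructed sample scan output; rule IDs and paths are invented for the example.
SAMPLE_FINDINGS = [
    Finding("py/sql-injection", "critical", "app/db.py:42", "SQL built by string formatting"),
    Finding("py/hardcoded-secret", "high", "app/config.py:7", "API key committed in source"),
    Finding("py/weak-hash", "high", "app/auth.py:19", "MD5 used for password hashing"),
    Finding("py/debug-enabled", "medium", "app/main.py:3", "debug=True in production config"),
    Finding("py/unused-import", "low", "app/util.py:1", "unused import"),
]


def summarize(result: GateResult) -> str:
    lines = []
    for label, bucket in (("BLOCK", result.blocked), ("WARN", result.warned)):
        for f in bucket:
            lines.append(f"{label:5} {f.severity:8} {f.rule_id} at {f.location}: {f.message}")
    lines.append(f"{len(result.passed)} finding(s) below the warning threshold")
    return "\n".join(lines)


if __name__ == "__main__":
    outcome = gate(SAMPLE_FINDINGS, block_at="critical", warn_at="high")
    print(summarize(outcome))
    sys.exit(outcome.exit_code)
```

Run as-is, the sample fails the job on the single critical finding and lists the two highs as warnings; switching `block_at` to `"medium"` shows how quickly a stricter threshold starts blocking routine commits, which is the slowdown Delrue warns about.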
Throughout the whole development lifecycle, you can perform different checks to maintain a proper security posture. Running those checks as early as possible, rather than only before release, is what the security industry calls 'shifting left'. "This means catching someone earlier in the cycle, which makes it easier to fix than when it's already live with a customer. Because at that point the damage is done," Delrue says.
In an age where data breaches can cost millions and reputations hang by a thread, it's clear that cybersecurity is no longer an option for legaltech companies, it's a necessity. So whether you're debating cloud vs. on-premises or evaluating a new tech solution, remember: in the digital age, the only thing more expensive than investing in cybersecurity is not investing in it.