Interview With Ayush Trivedi - Co-founder and Director at AUDACIX and Cyber Chief

Shauli Zacks
Shauli Zacks Content Editor
Published on: November 28, 2024

Ayush Trivedi, Co-founder and Director of AUDACIX, joined SafetyDetectives to discuss how his innovative product, Cyber Chief, is transforming application security for modern software teams. In this insightful interview, Ayush highlights the challenges of balancing growth with security, the critical role of automation and manual practices, and the importance of API and cloud security in today’s ever-evolving threat landscape. With a strong focus on fostering a culture of continuous improvement, Ayush shares actionable strategies to help organizations fortify their cybersecurity posture and protect their digital assets effectively.

Could you share the journey that led to the founding of Cyber Chief and your role as Co-founder & Director?

I’m the Co-founder and Director of AUDACIX.

At AUDACIX, we focus on two primary areas: test automation and application security. Our QSOME product is dedicated to functional testing, while our Cyber Chief product automates application security.

The idea for Cyber Chief came about during our manual penetration testing projects for customers. We realized that the reports we delivered became obsolete just days or weeks after submission. The pace at which our customers’ environments were evolving meant that issues we identified and fixed could easily reappear—or entirely new vulnerabilities could surface—shortly after the reports were finalized.

To address this, we recognized that a single, manual penetration test every six or twelve months was insufficient. What was needed was a more continuous approach to security testing, integrated into the Software Development Life Cycle (SDLC).

We experimented with various existing products and handed them over to our developers. Unfortunately, they disliked them all, as these tools didn’t seamlessly fit into a typical software development workflow. That’s when we decided to build Cyber Chief—a solution tailored to meet those exact needs.

What core vision drives Cyber Chief’s mission in the cybersecurity industry?

The core vision is that security should not just be a cost center; it should be a differentiator and a core selling point for any SaaS or software product. The days of relying on a single annual penetration test report are long gone. These days, if you’re in a sales process—and we know this from experience—if a customer has to ask you for proof of your product’s security, it’s probably already too late.

When customers ask about security, they likely have additional concerns they aren’t voicing. They may simply be going through the motions of the process. That’s where Cyber Chief comes in. Our product offers a solution to help developers automate security testing directly within their SDLC, reducing reliance on internal security teams or external consultants.

The ultimate goal is to ensure a strong and continuous security posture. This allows your sales team to confidently approach prospects and say, “We take security and your data seriously. Here’s proof of it. We’re prepared. Now, let’s focus on how our solution can help you.”

Too often, security is viewed solely as a cost center, leading to its neglect. That mindset can be a costly mistake, and it’s one we’re working to change.

Cyber Chief offers both automated and manual security testing. How do these two approaches complement each other?

Automation, in its current state—even with advancements in AI—is not yet capable of fully replacing human logic, creativity, and intuition when it comes to security. This is why we’ve developed a framework called the Modern Apps Paradigm (MAP). MAP outlines five essential ingredients for making security a selling point for your organization and software team, and one of those key elements is automation, or autonomous testing.

With automation, security testing can be seamlessly integrated into your functional testing pipeline. This allows for regular, automated checks as part of your software development lifecycle. However, to truly ensure comprehensive coverage, periodic manual assessments—like penetration tests—are also necessary.

The idea is that by conducting automated security tests regularly and promptly addressing the vulnerabilities they identify, you free up your manual testers to focus on higher-level concerns. Instead of spending time on trivial issues, they can concentrate on identifying complex vulnerabilities related to business logic and your specific application implementations.

As with anything in IT or software, success requires a combination of the right tools, robust processes, and skilled people. Automation and manual testing work together to create a balanced, effective security strategy.

In your experience, what are the most common vulnerabilities you see in web applications?

The most common vulnerabilities we encounter are often the simplest to fix, which makes them even more baffling. For instance, we offer a free tool on our website called the Express Header Scan. It scans the login page of a web application, evaluates its security configurations, and identifies whether key headers—seven or eight crucial ones—are missing.

Recently, we conducted an exercise with three Series A startups, analyzing roughly 2,500 web applications. Shockingly, over 60%—likely closer to 70%—were missing these fundamental security building blocks. This is despite many of these organizations having undergone manual penetration testing or using security tools during development.

The issue often comes down to a lack of understanding or prioritization. For example, implementing basics like X-Frame-Options or a Content Security Policy (CSP) only takes a developer two or three minutes. Once configured, these measures provide a robust foundation for securing web applications, APIs, and cloud infrastructure. Yet, far too often, these fundamental steps are overlooked.

Another area of concern is cloud security, especially in medium to large enterprises transitioning workloads from on-premises to the cloud. While many system integrators excel at setting up cloud environments, they often lack expertise in properly securing them. This gap is a persistent issue and poses a significant risk.

To address these challenges, we’ve integrated a Cloud Security Posture Management (CSPM) module into our Cyber Chief application. This makes it easier for organizations to identify and remediate these vulnerabilities. Over the coming months and years, I hope to see the industry improve in addressing these basic, yet critical, security areas.
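A minimal version of the kind of header check the Express Header Scan performs, added here as an illustration and not AUDACIX's tool: the baseline header set is my own assumption (the page does not list the seven or eight headers the scan looks for), and the two responses are constructed so the audit runs offline over a headers dict.

```python
# Assumed baseline (not Cyber Chief's list): header -> allowed values, None = any value.
BASELINE = {
    "content-security-policy": None,
    "x-frame-options": {"deny", "sameorigin"},
    "strict-transport-security": None,
    "x-content-type-options": {"nosniff"},
    "referrer-policy": None,
    "permissions-policy": None,
}

def audit_headers(headers: dict) -> list:
    """Return findings (missing or weak headers) for one HTTP response."""
    norm = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    for name, allowed in BASELINE.items():
        if name not in norm:
            findings.append(f"missing: {name}")
        elif allowed is not None and norm[name].lower() not in allowed:
            findings.append(f"weak: {name}={norm[name]}")
    # A CSP that permits inline or wildcard script sources defeats its purpose.
    csp = norm.get("content-security-policy", "").lower()
    if csp and ("'unsafe-inline'" in csp or "script-src *" in csp):
        findings.append("weak: content-security-policy allows inline/wildcard scripts")
    # A session cookie issued by the login page should be Secure and HttpOnly.
    cookie = norm.get("set-cookie", "").lower()
    if cookie and not ("secure" in cookie and "httponly" in cookie):
        findings.append("weak: set-cookie lacks Secure/HttpOnly")
    return findings

# Constructed sample: an unhardened login page response.
UNHARDENED = {
    "Set-Cookie": "session=abc123; Path=/",
    "X-Frame-Options": "ALLOW-FROM https://example.com",
}

# Constructed sample: the same response after adding the basic headers.
HARDENED = {
    "Set-Cookie": "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=()",
}

if __name__ == "__main__":
    print(audit_headers(UNHARDENED), audit_headers(HARDENED))
```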

What role does API security play in today’s cybersecurity landscape, and how does Cyber Chief ensure APIs are secure?

If you look back 5 or 10 years, the saying was, “Software runs everything.” Today, it’s more accurate to say, “APIs run everything.”

APIs are pivotal because they enable rapid development, which makes them cost-effective. They allow vastly different systems to communicate, making them indispensable for automated workflows and integrating digital systems with legacy infrastructure. However, their ease of development and deployment also introduces significant security challenges.

The biggest issue with APIs, particularly in medium to large organizations, is the sheer scale. It’s not uncommon for organizations to have thousands of API endpoints, and many still rely on developers to manually document these endpoints, often using manifests or Postman collections. This process is time-consuming and prone to inaccuracies.

For instance, a long-term customer of ours had been using the same list of API endpoints for manual penetration testing for 18 months. We quickly realized that their list was outdated and incomplete. When we pointed this out, they implemented Cyber Chief’s bot module, which automatically discovers API endpoints. It was a wake-up call for them, highlighting how crucial proper documentation is—not just for security but for operational efficiency as well.

Once documentation is in place, API security becomes an extension of your broader security practices. It’s about identifying vulnerabilities, patching them promptly, and running regular automated tests to ensure continued safety. Cyber Chief streamlines this process, making it easier for organizations to secure their APIs effectively.
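To make the inventory problem above concrete, here is an added example (my own code, not Cyber Chief's bot module) that diffs a documented endpoint list against what a gateway access log actually serves: routes with traffic but no inventory entry, and inventory entries with no traffic. The inventory, the log format and its lines are constructed for the example.

```python
import re

# Constructed sample: the inventory (method, path template) handed to pentesters.
DOCUMENTED: set[tuple[str, str]] = {
    ("GET", "/api/v1/users/{id}"),
    ("POST", "/api/v1/orders"),
    ("GET", "/api/v1/orders/{id}"),
    ("GET", "/api/v1/reports"),  # in the inventory but no longer served
}

# Constructed sample: gateway access log, one "METHOD PATH STATUS" per line.
ACCESS_LOG = """\
GET /api/v1/users/42 200
POST /api/v1/orders 201
GET /api/v1/orders/17?expand=items 200
GET /api/v1/orders/17/export 200
DELETE /api/v1/users/42 204
GET /internal/debug/config 200
"""

LOG_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")

def parse_log(log: str) -> list[tuple[str, str]]:
    """(method, path) per well-formed line; query strings dropped, malformed lines skipped."""
    return [(m["method"], m["path"].split("?", 1)[0])
            for m in map(LOG_LINE.match, log.splitlines()) if m]

def matches(template: str, path: str) -> bool:
    """True if a concrete path fits a template; '{name}' matches exactly one segment."""
    t, p = template.strip("/").split("/"), path.strip("/").split("/")
    return len(t) == len(p) and all(
        ts == ps or (ts.startswith("{") and ts.endswith("}")) for ts, ps in zip(t, p))

def generalize(path: str) -> str:
    """Collapse numeric segments to '{id}' so observed paths group into templates."""
    return "/".join("{id}" if seg.isdigit() else seg for seg in path.split("/"))

def undocumented_endpoints(log: str, documented: set) -> dict[tuple[str, str], int]:
    """Observed endpoints matching nothing in the inventory, with request counts."""
    found: dict[tuple[str, str], int] = {}
    for method, path in parse_log(log):
        if not any(dm == method and matches(dt, path) for dm, dt in documented):
            key = (method, generalize(path))
            found[key] = found.get(key, 0) + 1
    return found

def stale_endpoints(log: str, documented: set) -> set[tuple[str, str]]:
    """Inventory entries never hit in the log: stale documentation or dead routes."""
    return {(dm, dt) for dm, dt in documented
            if not any(dm == m and matches(dt, p) for m, p in parse_log(log))}
```

Feeding the undocumented set back into the inventory before each test run is the check that would have caught the 18-month-old list described above.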

What advice would you give to organizations looking to strengthen their cybersecurity posture?

That’s a broad question, so let me approach it from the perspective of the cohort we primarily work with: software teams. These are teams building great products, serving impressive customers, and growing fast, but they often face the challenge of balancing growth with investments in security.

For teams like these, the key lies in combining automation with the right processes to ensure that the automation is acted upon. As we discussed earlier, periodic manual intervention also plays a critical role in a strong security posture.

One of the biggest misconceptions is that to improve your security posture, you need an in-house security team. In 2024, that’s simply not true. Some of our top customers, who generate hundreds of millions or even billions of dollars in revenue, either have no dedicated in-house security team or operate with a minimal one. They’ve achieved this by laying the right foundations early: implementing automation from the start and fostering a strong security culture.

This means having security champions within your organization—team members who not only act on security information themselves but also guide others. It also means supporting development teams with resources and tools to patch vulnerabilities effectively, rather than leaving them to Google fixes or rely on trial and error.

I encourage organizations to explore the Modern AppSec Paradigm framework, which I’ve shared on my LinkedIn page. It outlines five key pillars to consider when building an application security system.

Finally, there’s the matter of cloud security. It’s crucial to understand that securing your cloud setup is your responsibility—not AWS’s, Azure’s, or Google Cloud’s. These providers give you the tools, but you need to put in the work to secure your environment. As workloads continue to shift to the cloud, this becomes even more critical.

Ultimately, security requires a mindset shift. There is no finish line; it’s about continuous improvement and doing more of the right things, more often. This way, when a breach inevitably happens—and it will—you can minimize the damage. A strong security posture ensures the impact on your company’s reputation, and on the individuals within your team, is as small as possible.

About the Author

Shauli Zacks is a content editor at SafetyDetectives.

He has worked in the tech industry for over a decade as a writer and journalist. Shauli has interviewed executives from more than 350 companies to hear their stories, advice, and insights on industry trends. As a writer, he has conducted in-depth reviews and comparisons of VPNs, antivirus software, and parental control apps, offering advice both online and offline on which apps are best based on users' needs.

Shauli began his career as a journalist for his college newspaper, breaking stories about sports and campus news. After a brief stint in the online gaming industry, he joined a high-tech company and discovered his passion for online security. Leveraging his journalistic training, he researched not only his company’s software but also its competitors, gaining a unique perspective on what truly sets products apart.

He joined SafetyDetectives during the COVID years, finding that it allows him to combine his professional passions without being confined to focusing on a single product. This role provides him with the flexibility and freedom he craves, while helping others stay safe online.
