Follow us

The Curious Incident of the Dogfood Pen Test

CURIOUS INCIDENT

You’ve probably heard the expression “dogfooding” or to “eat your own dog food”. It’s certainly a memorable phrase… although if you think about it literally, it doesn’t really make a whole load of sense. Just because your company makes dog food, that doesn’t mean you, a human (presumably), should eat it. After all, dog food is made specifically for canine consumption.

Perhaps the expression should be amended to “your dog eats your own dog food”… but that’s just not as catchy. And there’s another issue with the amended version: it depends on the dog. Your dog eating your dog food is not necessarily an indicator of said dog food’s quality. Your dog might just be one of those dogs that eats… well… anything. Don’t worry if they are though, I’m sure they’re still a very good boy or girl. 

Hmmm. As usual with one of my blogs, I appear to have gotten distracted. And as usual, dogs are to blame. Now, where was I? Ah yes… “dogfooding”. 

Despite what I just wrote, I do agree that the idea behind “dogfooding” is sound. Your product or service should be good enough that you’d be happy to use it yourself. Otherwise, how can you truly believe in it? And if you don’t believe in it, how can you expect your customers to?  Eating your own dog food is a good test of where your product really is, and early on here at Akeero, we decided to get out the can opener and chow down… 

Now I’m sure you know this already, but Akeero is a SaaS platform that allows users to securely design cloud-native applications and infrastructure. We currently support AWS – though support for Azure and GCP are both on our product roadmap so watch this space! – and Akeero itself is built on AWS. So, in order to eat our own dog food, we decided to design Akeero… using Akeero.  

“Wait… what?!? How does that work?” I hear you ask, scepticism clear in your voice. And I understand, because on the surface it sounds like some Inception-level shenanigans. Let me explain…

A lot of the power behind Akeero lies in our threat analysis engine, which looks at AWS architectures and quickly identifies all of the potential threats, then suggests best practice mitigations to be implemented during development. It’s like taking the knowledge of the most reliable, consistent and experienced Security Architect and cascading it throughout your organisation.

Although the product has come a long way since we ate our own dog food, the fundamentals of our threat analysis engine were in place even then. We didn’t have the awesome drawing canvas, or the ability to import existing architectures in a few clicks, or… well, pretty much any of the great features and integrations that we have now, but we had our engine

So we designed Akeero, and we ran our design through the engine. The engine told us what to do in order to secure Akeero as we built it, and we did everything it told us to. 

I’m the CISO at Akeero, but before that I have held lots of different roles within the world of InfoSec. I have a lot of experience in penetration testing – both as a tester and as a client. Full disclosure: I LOVE pen testing. I call it the “sexy” side of security (without any hint of irony). I’ve seen hundreds of pen tests in my time, some good, some bad, some horrifying. The one kind of pen test I have never, ever seen is a clean pen test. 

After we built Akeero, we had an independent information security consultancy come in and perform penetration testing on the platform. They spent their contracted week probing and prodding, looking for gaps and vulnerabilities to exploit. Then they asked for a second week. They wouldn’t charge us anything extra, they said, they just wanted more time.

The second week came and went. We asked them for their report. They were hesitant. Eventually they handed it over, almost apologetic.  Their report showed just three findings. They felt bad, like they had failed us. They felt even worse when we explained that two of their findings had already been fixed in our development environment, and they’d run their pen test on production. The third finding was informational only, meaning it had the lowest risk severity.

It wasn’t entirely pristine, but it was by far the cleanest pen test I’ve ever seen. It was also validation for what we had been working so hard to achieve. We’d tried our own dogfood, and you know what? It tasted great!

Akeero’s goal is to help every team shift security left within their SDLC. Identifying threats during the design phase and building securely is the ONLY way that security can scale alongside the rest of your growing business.

If you’ve any feedback on this blog, or want to learn more about Akeero, please reach out to me – I’d love to hear from you.

Ready to jump onboard?

Akeero helps you design quickly and securely.