Welcome to our blog.

Why are you here?

Let’s not waste time. You’re here because you’re building a webhook feature in your app. Unfortunately, there are quite a few things that can go wrong from a security perspective. This article aims to ensure that you’re not making any well-known mistakes while building webhooks.

How do webhooks work?

As a quick recap, webhooks are HTTP(S) requests to third parties to inform them about something that happened in your app. For example, if you offer an application that generates invoices, you might offer your customers the opportunity to set up webhook functionality that is triggered when a new invoice is created. This means that when the invoice is created, your application will send a HTTP(S) request to a location that is determined by the user. The user can use this to set up their own custom workflows that are triggered by the webhook, such as scheduling reminder emails, or sending the customer a message on Slack.

Checklist: securing webhook implementations

1. Defeating SSRF-type attacks

In this type of attack, the attacker tries to get information (e.g. instance metadata in a cloud) by exploiting the webhook feature. To counter it, you should take the following measures.

✅ Validate user input

• Basic: Perform simple URL validation.
• Better: Ensure URL starts with "https://", disallow "file://" and other non-HTTPS schemes.

✅ Restrict Local Addresses

• Block typical local IPs: 127.0.x, 192.168.x, 172.x.
• Prohibit "localhost" and "http://"

✅ Limit Log Exposure

• Show only HTTP status codes in user-facing logs.
• Avoid displaying headers or body content.

✅ Advanced: Enhanced URL Validation

• Require a specific response header for POST requests, unique to the customer.
• Maintain this verification continuously, even after initial setup, to counter DNS changes..

2. Allow your users to verify data authenticity

Your webhook consumer must have a way to know the data really comes from your app. You can use any of the following methods.

✅ Test Message Verification

First, enable users to trigger a test message to test security mechanisms.

✅ HMAC Verification Hash

One of the most effective security mechanisms for webhooks functionalities is implementing HMAC for data integrity and authenticity.

The basic process can be summarized as follows:

• Generate a hash of the payload using SHA-256 and a secret key.
• Send the HMAC with the payload.
• Recipients recreate the hash to verify payload authenticity and integrity.

✅ Timestamp Inclusion

This is more of an advanced security mitigation. Add a timestamp to the payload to prevent replay attacks. Ensures messages are not reused or altered.

✅ Client-Side TLS Certificates

Authenticate HTTP calls with client-side TLS certificates. This is particularly appealing for enterprise-level consumers.

3. Rate limit and avoid data overexposure

For webhook security, sending too little data is more secure than attaching too much. Although webhook callbacks should be encrypted using HTTPS, you can never know who might be in control of a domain name after a few years.

✅ Minimize Data Exposure

• Avoid sending Personally Identifiable Information (PII) or sensitive data.
• Instead of sending multiple data points (like contact_id, email, name), just send the contact_id. Let users fetch additional data through your public API if needed.

✅ Retry Policy Communication

• Clearly communicate the retry policy and rate limits to users.
• Inform them that due to retries, messages may arrive out of order.
• Define that any 2xx response is a success; other responses should trigger a retry.

✅ Use a Queue System for Delivery

Implement a queue system to manage webhook delivery and throttle output. This approach helps prevent accidentally overwhelming your users' servers in edge cases, like a large CSV import triggering excessive webhook calls and retries.

4. Bonus: Anomaly alerting

This is more for developer convenience than security, but it's a good thing to implement nonetheless.

• Alert users when 4xx and 5xx responses are encountered
• Send notifications to inform users of any failures

This addition enhances transparency and responsiveness in your webhook system.

Conclusion

And there you have it! We've covered some steps to make your webhooks not just functional, but also secure and user-friendly. Implementing these steps will safeguard your app and also enhance the overall user experience. Happy coding! 🚀🔒👨‍💻

Aikido Security is a developer-centric software security platform. We help keep your product secure, so that you can focus on writing code. You don’t need to talk to a sales team - just connect your GitHub, GitLab, Bitbucket or Azure DevOps account to start scanning your repos for free.

Most security tools waste developers’ time. We’re on a mission to fix this.

Application Developers aren't paid to care about security. Their performance is measured by the speed at which they can add value to the business through new features or enhancements.

This makes traditional security tools a hindrance as they're not built for developers — plus, they're not designed to be helpful. Their job is simply to show a massive list of security alerts, leaving it to the developer to figure out the rest.

At Aikido, our mission is to make securing applications as quick and painless as possible, and one of the most important ways we do this is by reducing the noise and false positives that waste developers' time and cause delays in shipping security fixes.

This post will show you what Aikido does to offer a cure for Developers suffering from Alert Fatigue Syndrome.

Reducing the Noise

In his famous song, "The Gambler," Kenny Rogers captured it pretty well:

“the secret to survivin', Is knowin' what to throw away and knowin’ what to keep.”

The most significant impact you can have on the signal-to-noise ratio is only showing developers the CVEs and security alerts they should take action on and ignoring the rest.

Here’s how Aikido intelligently ignores irrelevant security alerts and CVEs:

Development-Only Dependencies

By default, Aikido will not report vulnerabilities for dependencies marked only for installation in development environments, as they should not be present in staging or production environments.

Invalid CVEs or CVEs Without a Fix

Showing a CVE without a fix is just a distraction. Hence, Aikido temporarily moves these to a list of ignored issues until a fix becomes available before surfacing in the dashboard.

Unreachable Code

Aikido's code intelligence and reachability engine will ignore a CVE if a vulnerable function is not called in the code base.

This decreases the noise, especially for large libraries with many dependencies, such as TensorFlow.

Expired or Revoked Secrets

Aikido will ignore secrets that have been verified as expired or revoked, or appear to be variables. Aikido safely verifies the validity of known secret types by sending a request to an API endpoint requiring authorization that doesn't produce sensitive data.

Manual Ignore Rules

You can configure Aikido to ignore vulnerabilities under certain conditions, e.g. ignore reporting for specific paths in a repository.

Deduplication

Because most companies piece together their security infrastructure from several different sources, it's common for multiple systems to surface the same alert or CVE — plus, it’s common for traditional tools to surface the same CVE multiple times within a single repository. Talk about noise!

Because Aikido is an all-in-one platform offering you a single pane of glass across all security issues, you'll only see a single CVE alert for each repository with sub-issues listing the location of each vulnerability.

Boosting the Signal with Contextual Sensitivity Tuning

A security issue discovered in a repository handling sensitive data should be scored differently from an internal-only repository that doesn’t persist data at all.

Aikido provides various contextual indicators for every repository, helping uncover more security risks and appropriately weighting an issue's final severity score.

For example, by adding a domain name, Aikido can perform targeted scans for issues such as SSL vulnerabilities, cookie misconfigurations, if a CSP has been applied, and cross-site scripting (XSS) attacks.

Additional contextual examples include whether the application has internet access and which environments the application is deployed in.

Boosting the Signal for Exploitation Risk

Aikido uses real-time indicators to track the probability of a CVE being exploited in the wild, such as confirmed cases of exploitation, public code documenting how to perform the exploit, and any customer-specific cloud infrastructure concerns which may make them particularly vulnerable.

And because Aikido monitors both your code and cloud infrastructure, it can boost the severity of "toxic combination" issues arising from specific conditions under which your application is hosted, e.g. AWS instances using IMDS API version 1 are more vulnerable to SSRF exploits which can expose AWS Credentials.

Summary

Traditional security tools don't care about developer productivity. They're more than happy to bury a repository in a pile of false positives, wasting developers time that could've been better spent actually resolving security issues.

What makes Aikido different, is that we see the link between developer productivity and security. By removing irrelevant alerts and CVEs, genuine threats get more attention, and as a result, fixes get applied faster.

This win-win for developers and security is what we're all about and is how we're curing Security Alert Fatigue Syndrome for our customers.

Want to see it in action? Sign up to scan your first repos & get your first results in less than 2 minutes.

This is a question we get a lot from our customers. The NIS2 Directive’s wording is not always very explicit. NIS2 is a framework that countries need to implement. Because it’s a Directive and not a Regulation, each EU country has the autonomy to roll it out under their own interpretation.

NIS2’s language is broad, making it challenging to get your head around, especially until countries publish their specifics. But, we will answer as clearly as possible which companies NIS2 currently affects.

Aikido’s quick NIS2 self-check to see if you’re in scope

We like things to be practical and straightforward. So, to help make it easier, here’s our quick 5-step self-check to see if you’re in NIS2 scope:

1. Is your company working in an ‘essential’ or ‘important’ industry?
2. Check if you’re part of a sub-industry.
3. Do you fall within the size requirements?
4. If ‘no’ to 1, 2, and 3, double-check that you’re not an exception (pro tip: you may need to seek legal counsel to be on the safe side).
5. And, if ‘no’ to all of the above, check if your customers are or are not in scope.

Who does NIS2 apply to?

There are two key parameters to check to see if NIS2 impacts your company:

• Industry: If you’re part of an industry that is ‘essential’ or ‘important’.
• Size: If the size of your company meets certain ‘essential’ or ‘important’ thresholds, i.e. above X # of employees, €X revenue, or €X balance sheet.

Let’s look at both in more depth.

Which sectors does NIS2 apply to?

It all starts here. NIS2 is all about getting essential and important industries to be secure. NIS2 expands the number of industries that were the focus of the first NIS Directive. It differentiates between essential and important, but both categories are included in its scope.

Essential industries: energy, drinking water, wastewater, transportation, banking, financial markets, ICT service management, public administration, healthcare, and space.

Important industries: postal and courier services, waste management, chemicals, food, manufacturing (e.g. medical devices, computers/electronics, machinery/equipment, motor vehicles, trailers/semi-trailers/other transport equipment), digital providers (e.g. online marketplaces), and research organizations.

Some sectors are instantly in scope, no matter what. Some examples include domain name registrars, trust service providers, DNS service providers, TLD name registries, and telecom providers.

Beyond that, national authorities will have the power to designate individual companies that do not fall neatly into the essential or important sector categories. They can do this if they deem the company to provide a sole service, have a significant impact, and/or be essential to society.

NIS2 company size criteria

NIS2 has size cap rules. This means you’ll need to comply with the Directive if you cross certain thresholds.

What are essential and important companies for the size criteria?

• Essential companies: 250+ employees OR €50m+ annual turnover OR €43m+ balance sheet
  Note: An essential company that does not meet the essential size thresholds (above) but still meets the important companies size thresholds (below) is considered an important company. And, therefore still in scope.
• Important companies: 50+ employees OR €10m+ annual turnover OR €10m+ balance sheet

So, on the surface, NIS2 applies to medium enterprises and large corporations. And, leaves out small and micro enterprises. But, there will be exceptions. For example, if a company doesn’t meet the size thresholds, a national authority can exert its designation prerogative as with the sector criteria.

How do I know which country has jurisdiction over my business?

The European Commission says: ‘As a rule, essential and important entities are deemed to be under the jurisdiction of the Member State where they are established. If the entity is established in more than one Member State, it should fall under the jurisdiction of each of these Member States.’

There are exceptions. In some cases, that means considering where the company provides the service  (e.g. DNS service providers). In other cases, the key is where their main establishment is (e.g. cloud computing service providers).

Are there other exceptions to the rules?

Of course, there are some related to the industry and size rules. On top of that, as countries implement the directive, there will be country-to-country differences to pay attention to as the localized rules come into effect (all by October 17, 2024).

For example, if you don’t meet the size requirements BUT are the sole provider of a critical service for societal or economic activity in a member state, you may still need to implement NIS2.

Note: If you’re active in the finance industry, you’re probably already familiar with the Digital Operational Resilience Act (DORA). DORA is a piece of legislation – not a directive like NIS2 – so it takes precedence over NIS2. We recommend focusing your efforts there first but make sure you check in when NIS2 is transposed into local law by your EU member state.

Don’t forget about the Cyber Resilience Act (CRA) as well. CRA sets out cybersecurity requirements for a range of hardware and software products placed on the EU market. These include smart speakers, games, operating systems, etc.

Are you looking for a bit more detail?

Here’s a great overview of who’s in scope, developed by the Centre for Cyber Security Belgium:

If your customers are in-scope, NIS2 will likely impact you

Did you know that NIS2 includes the third-party knock-on effect? That means even if you’re not directly in scope but your customers are, you will likely need to comply with NIS2.

Companies that must implement NIS2 will need to ‘manage and assess the risks’ associated with their ‘third-party providers’. This includes, for example, conducting regular security assessments, ensuring that you have adequate cybersecurity measures in place, and implementing contracts/agreements that require you to comply with NIS2 requirements.

So, if you’re a B2B company and you thought you were out of scope because of sector and size, but your customers are in NIS2’s scope, you should start preparing!

Aikido provides NIS2 report

Aikido Security has created a NIS2 report feature available in our app. We’ve designed this report to help companies who need to comply with the directive.

Are you likely affected by NIS2?
Find out where you stand with your application on NIS2.
Although our report is not exhaustive (and only covers your technical setup) , it’ll get you on started and on the right track.

Register for Aikido and get your NIS2 report for free!

Aikido has just gone through the process of becoming ISO 27001:2022 and SOC 2 Type 2 compliant. And one of the things we wish we’d had was some practical, no-nonsense advice on how to get started. Best practices, things to watch out for - basically tips from someone who’d already been through the ISO 27001 certification process.

Read more about Aikido’s path to becoming ISO 27001:2022 compliant and the ISO 27001 requirements.

That’s why we’ve written this blog post: to help anyone at a SaaS company looking at becoming ISO:27001 compliant.

8 things we learned during the ISO 27001 certification process

1. Know what you’re getting into

If you’ve never done this before, the first thing to do is ask your friends and business acquaintances. You’ll probably find someone who has gone through the process, so hit them up and get advice.

If you really can’t find anyone, you can make contact with a pre-auditor. Just be aware that they will understandably try to sell you services.

Either way, it really helps to get a good sense of how it all works. This will save you time in the end and help you get your ISO 27001 certificate faster.

2. Communicate that you’re working on implementing ISO 27001

People appreciate it when you mention you’re in the process of implementing ISO 27001. They’ll be eager to know that there will be less for them to worry about in the near future. And that will in turn help your sales and conversions. So mention this on your website, in sales conversations, on LinkedIn, and more. Let your users know that you’re making your product more compliant.

3. Decide which ISO 27001 standard to implement (2013, 2017, or 2022)

2022 has way more controls regarding secure coding and software security. (e.g. detection of malware is a new control). This means it involves more work to implement than an older version. If you go for one of the newer standards, it will require more controls, but you’ll already be prepared for the future. So it’s probably better to go for the 2022 version.

Quick tip: ISO 27001 certification needs a full audit every three years. That means that it’s best not to go for ISO 27001:2013, as it’s only valid for another two years.

Each version of the ISO 27001 standard also frames the risk management process differently. The 2022 version includes updated certification requirements that reflect evolving cybersecurity risks. That makes it important for companies to have a robust risk management process in place to identify, assess, and mitigate these risks.

Note that, if you’re a big, mature company, you might prefer to go for the 2017 version, as it’s more established and might lead to less disruption in your existing processes.

4. Don’t outsource everything

It’s risky to outsource the whole process... Even though it’s possible to outsource the whole process to a consultancy, I would advise against this. Sure, a consultant can definitely help, provide templates, and that kind of thing. But if you outsource everything and you encounter a problem, you need to know how to handle it. My advice is to have at least two, and up to four, people from the company involved.

Quick tip: Remember that the final audit must be carried out by an accredited certification body!

5. Get a pentest that makes sense for your company

If you’re a software company, you should choose a pentester to focus on things that are not covered by automated tooling like OWASP ZAP. Go for pentesters with bug bounty hunter experience, rather than “old-school” pentesters.

6. Leverage compliance standards and accelerate

Already being SOC2 compliant makes it faster to become ISO compliant. And it’s good to know that, if you’re ISO compliant, NIS2 (a new regulation applicable in the EU) will be easier.

Quick tip: Double-check that your auditor has been audited (it’s a requirement). Don’t settle for someone without the right credentials or you might get duped.

7. Realise that nobody’s perfect

The eventual audit will always find non-conformities and it’s OK to be imperfect. But you have to know about those imperfections and make sure you have a formal action plan to resolve the issues.  It’s a continual improvement process that will ultimately lead to better security throughout your company. Sure, you might never attain “perfection” but you should do your best to get there!

8. Start early with implementing tools that cover ISO controls

If you’re considering going for ISO compliance, it’s always a good idea to do a trial run of the tooling that will help you cover certain controls (and also produce the evidence you need).

For example, ISO requires you to implement some processes regarding people. for instance, onboarding, offboarding, background checks, assigning and retrieving of company assets. Having these processes implemented in a human resources information system (HRIS) such as Officient, Personio, or Workday, will help you hit the ground running the moment you need to produce your evidence for ISO.

It’s the same thing with Aikido, which already performs checks on 22 controls and generates a comprehensive ISO 27001 report. It’s another great example of getting a head start on preparing for your ISO.

ISO 27001:2022 technical vulnerability management

On your own path to ISO 27001:2022 certification? Our platform, Aikido Security fulfills all technical vulnerability management needs for ISO 27001:2022 applications. We’ve also decided to partner up with Compliance Monitoring Platforms (like Vanta or Drata) to easily sync the data & ensure that your vulnerability information is always up to date. This helps you easily stay on top of your security posture.

Request our report

Feel free to request our own ISO 27001:2022 certificate directly on our security overview page. We’re more than happy to share the fruits of our hard work! 😉

I hope this blog post is helpful to you. I certainly wish I knew all of these tips when we started the process. If you’re exploring ISO certification, connect with me on LinkedIn and I’ll be glad to share my insights!

An IT match made in… Belgium! Aikido Security, a SaaS startup from Ghent, will provide application security to The Cronos Group, an e-business integrator headquartered in Kontich, with over 5,000 clients across their 570+ companies in the Benelux region. This strategic partnership is set to fortify The Cronos Group’s security posture and Aikido Security’s influence in the cybersecurity industry.

Stronger security posture with Aikido

The Cronos Group is now a new Aikido client. In this context, The Cronos Group is in the process of implementing Aikido’s security solutions across many of its software development companies. Why is this useful for The Cronos Group? Not only does it help establish a stronger security posture for each company in its network, but it also creates another great advantage. Aikido pulls it all together for Cronos, which will gain a more insightful and standardized global overview of the security posture of these companies than ever before.

Beyond that, Aikido entrusts The Cronos Group to become a true partner as well. In this context, Cronos will be able to provide Aikido to its customers so they, too, have the opportunity to benefit from Aikido’s services. On top of that, Cronos and Aikido actively work together to further improve the product features.

Aikido’s unique set of security tools and ability to reduce false positives will deliver efficiency to the development teams in The Cronos Group’s network of companies and customers. This means less disruption from unnecessary alerts leading to more focus on writing code. The Cronos Group aims to help companies find creative, high-quality, and profitable ways to make the most of potential new technologies. Therefore, this partnership aligns perfectly with its mission.

Aikido pulls it all together in a dedicated “Security Partner Portal”. Through this partner portal, The Cronos Group is able to gain a more insightful and standardized global overview of the security posture of their companies than ever before.

The Cronos Group and Aikido comment on their partnership

The Cronos Group can’t wait to get started with Aikido.

The Cronos Group has always been supporting innovation and entrepreneurship, including cyber security. We’re always on the lookout for partners to strengthen our alliances. Through Aikido, we want to enable our developers and clients to build in security from the first line of code. By combining automation with intelligence, they can focus on the business value while safeguarding their own scarce time and keeping the exposure to a minimum.
Jonas Buyle, Cronos Security

Meanwhile, what benefits does this new partnership bring to Aikido? "We're thrilled to welcome The Cronos Group to the Aikido Security family,” explains Aikido cofounder and CEO, Willem Delbare. “As both a customer and a reseller, The Cronos Group represents a key partnership in our mission to make managing your security posture simple. Our collaboration promises to provide unparalleled insights into the security posture of the portfolio of companies within The Cronos Group. Together, we aspire to elevate the standards of application security across the board."

About Aikido Security

Aikido Security is a developer-first software security platform. We scan your source code & cloud to show you which vulnerabilities are actually important to solve. Triaging is sped up by massively reducing false positives and making CVEs human-readable. Aikido makes it simple to strengthen your security posture to keep your product secure. And, it gives you back time to do what you do best: writing code.

About The Cronos Group

The Cronos Group is an e-business integrator delivering high-quality ICT solutions to enterprises and government entities in the Benelux region. The Cronos Group was founded by and for ICT technologists with the goal of helping them grow their careers and entrepreneurship. This mission expanded to include creative professionals in order to jointly design and implement creative and technologically leading solutions for its customers. Since its inception in 1991, The Cronos Group expanded from a one-person operation to a group of companies employing over 9000 professionals across 570+ companies.

It’s always great news when we hear about a customer’s delight when using Aikido Security. But, we don’t want to keep all the good stuff to ourselves! Let’s focus on Loctax, the first-ever collaborative tax governance platform for global in-house tax teams.

Loctax delivers its tax services to companies such as Wise, PedidosYa, Iba, Luxottica, and Trainline. For Loctax, it’s vitally important to go above and beyond to ensure the security and compliance of their environment and customer data.

Together, we improved their triaging speed by reducing false positives and irrelevant security alerts. But, we didn’t stop there. We also improved Loctax's security posture while it accelerated product development. Overall, the result has been saving valuable time and money. As Loctax reduces tax risk headaches for its customers, Aikido reduces security risks for Loctax.

The challenge: striking a balance between speed and security

Loctax faced a common dilemma. How could it balance rapid product development with uncompromising security? The pressure was on to deliver top-notch solutions for its customers. Meanwhile, Loctax also needed to safeguard sensitive tax data and stay compliant with the highest security standards. On top of that, they needed to do this with a small team while optimizing for cost.

However, Loctax encountered obstacles with its existing security solution. False positives were more abundant than snow in Alaska, consuming valuable time in triage and analysis work.

This is no surprise to us. In our recent consultations with SaaS CTOs, false positives ranked as the number two security flaw with their current security software choices. These CTOs also ranked eliminating false positives as the second most important activity to achieve strategic business outcomes. So it turns out that Loctax’s needs fit right in with what SaaS CTOs are telling us. And, let’s face it, false positives also desensitize you from looking at the things that really matter.

Meanwhile, overlapping findings from different tools created another roadblock on their path to being secure. The lack of tool integration made it challenging to get a central overview of real security priorities.

To top it all off, the subscription costs of the security solutions they were already using were surging due to rapid team growth. This fee-per-head pricing method was putting a strain on their security budget.

Put all this together, and it became clear to Loctax’s CTO and co-founder, Bart Van Remortele, that he needed to change the company’s approach. He decided to find new tools to combat these challenges and discovered Aikido Security.

Aikido Security delivers results for Loctax

Switching to Aikido Security’s product was a game-changing decision for Loctax and has brought many positive outcomes.

Auto Triage: the power of efficiency

Our auto triage feature emerged as a true black belt! It filtered out the noise and false positives that had been distracting. Not only that, but we also provide a custom vulnerability reachability engine. This checks if a vulnerable function is actually reachable.

With this pesky clutter cleared out and real vulnerabilities clearly identified and prioritized, Loctax's development team was able to become more efficient and productive. They boosted productivity by saving precious time that was previously lost to unnecessary investigations.

A unified dashboard: harmonizing security workflow

Aikido, the martial art, provides skills to defend yourself effectively while using the least amount of effort. Aikido Security applies this principle. For Loctax, we supplied a single dashboard that became the hub of security operations.

Integration into Loctax's existing tech stack was a breeze. Aikido offers a comprehensive view of all security issues without the headache of overlapping notifications. When critical security events arose, timely alerts popped into their relevant Slack channels. Therefore, with effortless integration into project management tools, Aikido smoothed out security task management.

Cost savings: 50%

Consolidating the security toolset proved to be a masterstroke. Consequently, Aikido Security's impact on Loctax's finances was significant. The result? A remarkable 50% reduction in security operations costs. Yes, you read that correctly - 50%! As Loctax's team continued to grow, its security expenses no longer created budget headaches. This left more resources for Loctax’s core mission: providing in-house tax teams with a new standard for tax management and operations.

Aikido Security helps defend your SaaS

Let’s be clear: there is pressure on SaaS companies to pursue first-class security, and Loctax is no different. But, it’s extremely hard for a team focused on developing a product to also manage the complexity of their whole security posture in-house. Our partnership with Loctax exemplifies the transformative power of Aikido Security for companies in this situation. Loctax can fully focus on collaborative tax management for in-house tax teams, and Aikido keeps it secure.

We have replaced our previous solution with Aikido due to its superior performance and effectiveness. - Bart Van Remortele, CTO and co-founder of Loctax

By embracing Aikido's solutions, Loctax optimized its security posture and eliminated false positives. This saved precious time and achieved remarkable cost efficiencies. Their development team's speed remained unshaken, and their security became stronger than ever.

Aikido Security helps defend your SaaS

Make your first tai-sabaki with Aikido by scanning your repos for free. In less than 2 minutes, you'll gain valuable insights into your security posture. Empower your organization, boost development, and embrace the peace of mind that comes with a solid security defense.

Download our Loctax customer case study.

‍