Tieto

Solution

To ensure that the company can identify and fix vulnerabilities in real time and get their applications into production faster, Tieto’s development teams moved away from a waterfall approach (where progress is seen as flowing through the software development lifecycle from design, development, testing, to production) and toward an agile, DevOps method. This switch allows teams to work on software in increments and perform rapid development ‘sprints’ with daily releases. With the DevOps approach, they embedded security into their process, so risks are minimized by reviewing flaws, bugs, and vulnerabilities in the development and testing lifecycle prior to release.

Automation has played a key role in enabling the process, code verification, and release into production. Tieto is a longtime partner of OpenText (formerly Micro Focus) and is currently a Tier 1 reseller. The firm uses OpenText™ Application Delivery Management (ADM) solutions to ensure quick time to market and quality applications across multiple technology platforms. When a representative suggested he look into Fortify on Demand by OpenText (formerly Micro Focus), Suro did not hesitate.

"We realized that it did not make sense for us to even consider an on premise solution,” says Suro. “We didn’t have the resources or experience to manage that type of system, so it made perfect sense to use Fortify on Demand in the cloud."

It’s not just another tool we’re buying. Fortify on Demand is a comprehensive application security solution.

Results

Fortify on Demand is an extension of Tieto’s security team and allows Tieto to perform fast and accurate assessments, identifying more than 750 vulnerability categories. There are no additional resources required, nothing to install or manage, and no esoteric expertise required. The solution also allows Tieto to test any thirdparty or open source software.

“Let’s just say the results from our initial scans were very revealing,” Suro notes. “In that sense, Fortify on Demand is already paying for itself.”

New revenue

Soon after Tieto began using Fortify on Demand for its own application security assessments, the firm introduced a new application testing service for its customers. Tieto Application Security Testing with Fortify on Demand is now available for static application security testing (SAST) and/or dynamic application security testing (DAST) in either one-time testing or continuous service for 12 months.

Tieto recommends that clients enroll in continuous service if they are working on a new application development project and intend to find new vulnerabilities during the development cycle, thereby avoiding costly corrections later. “Our customers are essentially in the same position we’re in, in many cases,” Suro says. “This service is a natural extension of the quality assurance work they have been doing. Our customers are seeing the increasing demand for mobile and web applications and this new service gives us a chance to help them take the next step. Yes, it’s a new revenue source for us, but more importantly it is a valuable service that can reduce the risk posed by application vulnerabilities.”

Service quality

Suro mentions that one of Tieto’s leading oil and gas customers was already using another application security testing solution and wanted to compare it with Fortify on Demand. The customer enrolled in Tieto’s new cloudbased testing service and discovered a significant difference in the quality of results.

“They found that Fortify on Demand was much better than the solution they had been using,” he notes. “Our customer works in a very sensitive industry and cannot afford to take any unnecessary risks when it comes to security. They appreciate the reporting and dashboards that Fortify on Demand provides. The recommendations are much clearer and developers are able to make fixes more easily when compared to the previous solution. Fortify on Demand directs them where to go in the code and confirms what needs to be analyzed. For instance, maybe you’re having a SQL injection vulnerability or cross-site scripting. Fortify on Demand is very clear about what to fix and provides you with best practices moving forward.”

Less vulnerable future

OpenText™ Fortify on Demand provides userfriendly dashboards and reports that make it easy for Tieto to manage its application portfolio and collaborate across distributed teams. Reports provide relevant metrics filtered by severity, vulnerability category, business unit, region, and other company data. Critical vulnerabilities are identified and prioritized, including the highest risk applications and trending history.

“Every person in the development process gets the information they need from this solution,” Suro emphasizes. “Fortify on Demand provides a five-star rating level for each application assessed, which allows our customers to compare applications and even compare service providers in some cases.”

He concludes, “We see a high demand for this service by both our own development groups and our external customers. We have the flexibility to assess any application, including in house, open source, mobile, web, or third-party applications. It’s not just another tool we’re buying. Fortify on Demand is a comprehensive application security solution.”

After we began using Fortify on Demand, we realized how much more accurate and better the results could be. The increased visibility we can provide to the many stakeholders involved with every application is a tremendous advantage.