Jair García Osorio, Chief Technology Security Officer for Coca-Cola FEMSA, provides some context to the role of the security department: “We are a centralized security division for the whole company, across all locations. Although security has always been important to us, a move towards cloud-hosting our own and our partners’ applications made us much more aware of potential security risks. Once the organization as a whole understood the serious consequences of a security breach with a cloud-hosted application, it became a priority to find a solution that could help us identify any potential application vulnerabilities.”
The team looked for a solution that could support the implementation of a comprehensive set of security guidelines that all applications, both Coca-Cola FEMSA’s own and their partners’, would have to adhere to.
Market research showed Micro Focus® Fortify on Demand to be a great option. This application security as a service integrates static, dynamic, and mobile application security testing with continuous application monitoring. Scalable for application growth, Fortify on Demand can be delivered in a flexible cloud or hybrid environment, to align with application demand.
Jair García Osorio comments: “We looked at alternatives but found it a real challenge to find a solution that identifies a wide range of vulnerabilities and makes them visible in an easy-to-action way. Once we saw what Fortify on Demand was capable of, we knew it was the solution for us.”
Fortify on Demand was soon implemented and the security team started scanning all applications using the service. The majority of applications come from vendors, but they all need to adhere to the centrally agreed security criteria before they are allowed within the Coca-Cola FEMSA IT infrastructure. Fortify on Demand provides an easy way to assess new applications within the portfolio to ensure they meet certain security standards before they are implemented in production. Scans are carried out simultaneously, and a straightforward portal interface provides full visibility to the process.
Jair García Osorio explains the day-to-day use of the solution: “The clear reporting within Fortify on Demand enables us to translate technical issues into business ones. Once a vulnerability is identified, there are different ways of fixing it. We can give the vendor a report which explains exactly what code changes need to be made to improve the solution. We have also created fixes for common problems that can be implemented automatically through the use of digital signatures.”
He adds: “Fortify on Demand helps us determine which security methodology to apply when assessing certain applications, depending on how critical they are to the business. The reporting we receive is clear and unbiased. In a single page we have the full status of an application, giving us a detailed and clear analysis of what needs to be done to fix any vulnerabilities. We share the reports with vendors or our own software developers to ensure all applications are meeting our high security standards when they enter our infrastructure.”
Fortify on Demand provides the Coca-Cola FEMSA team with the visibility and insight needed when purchasing applications. It has helped design a comprehensive security strategy aligned with the company’s business goals. The security team was able to gain the respect of the whole company, beyond the IT department, by showing the risks and impact that the organization was exposed to and helping people understand the importance of IT and application security.
Jair García Osorio says: “We consider Fortify on Demand a key service for our business. It helps us, and the rest of the organization, understand how applications work in the cloud. Thanks to that, we can minimize potential security issues in applications before they are allowed in our environment.”
He concludes: “Fortify on Demand fully supports our SOX-compliance and it enabled us to create clear security guidelines aligning all business areas involved in the introduction of a new application.”