About Leading Global Provider of Mobility Services
The organization has a very active in-house application development team working on over 100 applications, ranging from insurance portals and websites to reservation management and more. As mobile applications grow in importance and become more tightly integrated, all applications are developed across interdependent platforms in a hybrid waterfall-and-agile process that is well on the way to a fully automated DevOps model.
70+ Developers Rely Daily on Fortify on Demand
Market research led the team to Micro Focus Fortify on Demand. This application-security-as-a-service solution helps developers stay ahead of the threat landscape. With it, they can find and fix issues earlier with static assessments, open-source analysis, audited scan results, remediation advice, and more. The service model works particularly well, as the Technical Product Manager comments: “We have distributed teams, with application development taking place in several global locations, as well as third-party vendor support. With Fortify on Demand all our developers and security teams can easily access security testing services and manage results from anywhere. Furthermore, everything is done consistently in all locations without the need to continually add and manage infrastructure.”
Fortify on Demand has quickly become an integral part of the development and security processes, and over 70 developers rely on it daily to scan each application iteration for security issues before it is merged back into a production release. Most applications are released monthly or biweekly, and with over 100 applications Fortify on Demand is in constant use. Jenkins and Bamboo, which handle release orchestration, are integrated with Fortify on Demand so that every build triggers a scan. With Fortify Security Assistant, developers also receive real-time security feedback in their Eclipse IDE, highlighting vulnerabilities as the code is written.
The findings from each Fortify on Demand scan provide a baseline for remediation and a benchmark against which new code is checked. Unless a new scan comes back at least as clean as the current baseline, or cleaner, the new code is not merged toward production. This gate matters because it prevents vulnerabilities from being introduced inadvertently: unravelling such defects once an application is in production potentially exposes the organization to a breach and is significantly more time-consuming than fixing them during development.
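The merge gate described above can be expressed as a simple "no regression" check on scan results. The following is an added illustration, not Fortify on Demand's own code or report format: it assumes each scan has been exported as a list of findings with a stable per-issue fingerprint, a severity and a category (all field names are assumptions), and it encodes two rules: the count at every severity level may only stay flat or fall, and no newly introduced finding at or above a chosen severity is allowed even when the counts happen to stay flat (so a fixed high cannot be quietly traded for a new one).

```python
from collections import Counter
from dataclasses import dataclass

# Severity ordering used by the gate (the level names are an assumption).
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Finding:
    """One static-analysis finding. `fingerprint` is assumed to be a stable
    identifier the scanner assigns to the same issue across scans."""
    fingerprint: str
    severity: str
    category: str


def severity_counts(findings):
    """Number of findings per severity level."""
    return Counter(f.severity for f in findings)


def new_findings(baseline, current):
    """Findings present in the current scan but absent from the baseline."""
    known = {f.fingerprint for f in baseline}
    return [f for f in current if f.fingerprint not in known]


def gate(baseline, current, no_new_at_or_above="high"):
    """Return (passed, reasons) for the current scan against the baseline.

    Rule 1 (ratchet): the count at each severity may stay flat or drop, never
    rise. This is the "at least the same level, or improved" requirement.
    Rule 2: a newly introduced finding at or above `no_new_at_or_above`
    blocks even when the per-severity counts are unchanged.
    """
    reasons = []
    base_counts, cur_counts = severity_counts(baseline), severity_counts(current)
    for sev in SEVERITY_RANK:
        if cur_counts[sev] > base_counts[sev]:
            reasons.append(f"{sev} findings rose from {base_counts[sev]} to {cur_counts[sev]}")
    threshold = SEVERITY_RANK[no_new_at_or_above]
    for f in new_findings(baseline, current):
        if SEVERITY_RANK.get(f.severity, 0) >= threshold:
            reasons.append(f"new {f.severity} finding {f.fingerprint} ({f.category})")
    return (not reasons, reasons)


# Constructed sample scans; these are not real scan exports.
BASELINE = [
    Finding("a1f3", "high", "SQL Injection"),
    Finding("b7c2", "medium", "Cross-Site Scripting"),
    Finding("c9d4", "low", "Hardcoded Password"),
]
# The high was fixed and nothing new appeared: the gate passes.
CURRENT_IMPROVED = [BASELINE[1], BASELINE[2]]
# The high was fixed but a different high was introduced: counts are flat, gate fails on rule 2.
CURRENT_TRADED = [Finding("d2e8", "high", "Path Manipulation"), BASELINE[1], BASELINE[2]]
# One extra low finding: low count rises from 1 to 2, gate fails on rule 1.
CURRENT_REGRESSED = BASELINE + [Finding("e5f1", "low", "Weak Encryption")]


if __name__ == "__main__":
    import sys
    passed, reasons = gate(BASELINE, CURRENT_TRADED)
    print("PASS" if passed else "FAIL: " + "; ".join(reasons))
    sys.exit(0 if passed else 1)  # a non-zero exit fails the CI stage and blocks the merge
```

In a Jenkins or Bamboo stage the script's exit code is what blocks the merge; the stored baseline should be the result of the last scan that passed the gate on the target branch, so that the ratchet only ever tightens.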
Accelerated Time to Market and Improved Application Quality
The Technical Product Manager likes the reporting capabilities: “Before we introduce new releases we present to the heads of infrastructure and application support. Having the Fortify on Demand reports to prove that we are not introducing any errors is incredibly valuable to this process. Individual development teams also use Fortify on Demand reports to analyze scan results, and I run weekly reports to determine how we’re tracking against expectations from our stakeholders.”
He confirms that Fortify on Demand is easy to use: uploading the code and executing the security scan is straightforward. As a result, he has seen clear efficiency gains: “Compared to a peer-review process that we would otherwise have to do, Fortify on Demand enables us to complete the security process in a matter of a couple of days, rather than weeks. We have accelerated our time to market with new releases, while increasing our application quality.”
This is an innovative organization with many technology plans to make life easier for customers and partners, and its ongoing commitment to innovation is aimed at a competitively superior experience for its customers.
The Technical Product Manager concludes: “The more complexity we introduce into our applications, the more our code needs to be security-checked before we release. Our partnership with Micro Focus is based on open communication, and regular reviews to maximize our efficiency with the solution. This has ensured that Fortify on Demand is an instrumental part of our structured release management life cycle.”