countries operated in
Tieto needed to efficiently and effectively find and fix exploitable vulnerabilities in new and existing applications.
Despite its software development prowess and experience, the firm struggled, until recently, with ways to efficiently and effectively find and fix exploitable vulnerabilities in new and existing applications.
While Tieto has a software development organization of about 3,000 employees, it maintains a relatively small security team, primarily focused on network, infrastructure, and business security issues.
“One of the key challenges we faced is that we did not have a centralized way of doing application level security testing,” notes Sami Suro, Director for Business Solutions. “We pay a lot of attention to network and business security but, until recently, application security has not received the same level of scrutiny.”
According to Suro, over the past few years the firm has seen a major increase in demand from internal and external customers for new web and mobile applications for both horizontal and vertical industry uses. “Mobility is transforming entire business models, service models, and revenue models,” he remarks. “Our major sector customers expect us to be able to meet all their application needs, and that includes web and mobile applications as well.”
He continues, “We understood the message from our customers that they want us to include application level security assessment and remediation as part of our complete development services,” Suro explains. “Our development teams had been using some open-source tools for the application security testing we were doing. However, after we began using Fortify on Demand, we realized how much more accurate and better the results could be. The increased visibility we can provide to the many stakeholders involved with every application is a tremendous advantage.”
Sami Suro – DIRECTOR OF BUSINESS SOLUTIONS
Tieto is one of the largest software and ICT services companies in the Nordics, providing full IT services and global product development. Based in Espoo, Finland, the firm has 14,000 employees, 900 customers, and operates in 23 countries.
Micro Focus Fortify on Demand delivers precisely the capabilities Tieto needed – and does the job so well that Tieto now offers its clients a security solution based on Fortify on Demand.
The firm began in 1968 as a computer center for a local bank and certain industrial customers. Tieto has evolved with the IT industry, and last year announced a new strategy for the 2016–2020 period whereby the company will enhance its competitiveness and growth through three strategic choices: 1) services to accelerate customer value; 2) Nordic leadership and international expansion; and 3) active participation in open ecosystems and co-innovation.
One of Tieto’s strongest growth areas is in software development services for internal purposes, specific clients, and vertical industry solutions. The firm provides leading solutions used by industries such as oil and gas, financial services, forestry, manufacturing, media, retail, and telecom.
Sami Suro – DIRECTOR OF BUSINESS SOLUTIONS
To ensure that the company can identify and fix vulnerabilities in real time and get their applications into production faster, Tieto’s development teams moved away from a waterfall approach (where progress is seen as flowing through the software development lifecycle from design, development, testing, to production) and toward an agile, DevOps method. This switch allows teams to work on software in increments and perform rapid development ‘sprints’ with daily releases. With the DevOps approach, they embedded security into their process, so risks are minimized by reviewing flaws, bugs, and vulnerabilities in the development and testing lifecycle prior to release.
Automation has played a key role in enabling the process, code verification, and release into production. Tieto is a longtime partner of Micro Focus and is currently a Tier 1 reseller. The firm uses Micro Focus Application Delivery Management (ADM) solutions to ensure quick time to market and quality applications across multiple technology platforms. When a representative suggested he look into Fortify on Demand, Suro did not hesitate.
“We realized that it did not make sense for us to even consider an on premise solution,” says Suro. “We didn’t have the resources or experience to manage that type of system, so it made perfect sense to use Fortify on Demand in the cloud.”
Fortify on Demand is an extension of Tieto’s security team and allows Tieto to perform fast and accurate assessments, identifying more than 750 vulnerability categories. There are no additional resources required, nothing to install or manage, and no esoteric expertise required. The solution also allows Tieto to test any third-party or open source software.
“Let’s just say the results from our initial scans were very revealing,” Suro notes. “In that sense, Fortify on Demand is already paying for itself.”
Soon after Tieto began using Fortify on Demand for its own application security assessments, the firm introduced a new application testing service for its customers. Tieto Application Security Testing with Fortify on Demand is now available for static application security testing (SAST) and/or dynamic application security testing (DAST) in either one-time testing or continuous service for 12 months.
Tieto recommends that clients enroll in continuous service if they are working on a new application development project and intend to find new vulnerabilities during the development cycle, thereby avoiding costly corrections later. “Our customers are essentially in the same position we’re in, in many cases,” Suro says. “This service is a natural extension of the quality assurance work they have been doing. Our customers are seeing the increasing demand for mobile and web applications and this new service gives us a chance to help them take the next step. Yes, it’s a new revenue source for us, but more importantly it is a valuable service that can reduce the risk posed by application vulnerabilities.”
Suro mentions that one of Tieto’s leading oil and gas customers was already using another application security testing solution and wanted to compare it with Fortify on Demand. The customer enrolled in Tieto’s new cloud-based testing service and discovered a significant difference in the quality of results.
“They found that Fortify on Demand was much better than the solution they had been using,” he notes. “Our customer works in a very sensitive industry and cannot afford to take any unnecessary risks when it comes to security. They appreciate the reporting and dashboards that Fortify on Demand provides. The recommendations are much clearer and developers are able to make fixes more easily when compared to the previous solution. Fortify on Demand directs them where to go in the code and confirms what needs to be analyzed. For instance, maybe you’re having a SQL injection vulnerability or cross-site scripting. Fortify on Demand is very clear about what to fix and provides you with best practices moving forward.”
Micro Focus Fortify on Demand provides user-friendly dashboards and reports that make it easy for Tieto to manage its application portfolio and collaborate across distributed teams. Reports provide relevant metrics filtered by severity, vulnerability category, business unit, region, and other company data. Critical vulnerabilities are identified and prioritized, including the highest risk applications and trending history.
“Every person in the development process gets the information they need from this solution,” Suro emphasizes. “Fortify on Demand provides a five-star rating level for each application assessed, which allows our customers to compare applications and even compare service providers in some cases.”
He concludes, “We see a high demand for this service by both our own development groups and our external customers. We have the flexibility to assess any application, including in house, open source, mobile, web, or third-party applications. It’s not just another tool we’re buying. Fortify on Demand is a comprehensive application security solution.”