While Tieto has a software development organization of about 3,000 employees, it maintains a relatively small security team, primarily focused on network, infrastructure, and business security issues.
“One of the key challenges we faced is that we did not have a centralized way of doing application level security testing,” notes Sami Suro, Director for Business Solutions. “We pay a lot of attention to network and business security but, until recently, application security has not received the same level of scrutiny.”
According to Suro, over the past few years, the firm has seen a major increase in demand from internal and external customers for new web and mobile applications for both horizontal and vertical industry uses. “Mobility is transforming entire business models, service models, and revenue models,” he remarks. “Our major sector customers expect us to be able to meet all their application needs, and that includes web and mobile applications as well.”
He continues, “We understood the message from our customers that they want us to include application level security assessment and remediation as part of our complete development services. Our development teams had been using some open-source tools for the application security testing we were doing. However, after we began using Fortify on Demand, we realized how much more accurate and better the results could be. The increased visibility we can provide to the many stakeholders involved with every application is a tremendous advantage.”
To ensure that the company can identify and fix vulnerabilities in real time and get their applications into production faster, Tieto’s development teams moved away from a waterfall approach (where progress is seen as flowing through the software development lifecycle from design, development, testing, to production) and toward an agile, DevOps method. This switch allows teams to work on software in increments and perform rapid development ‘sprints’ with daily releases.
With the DevOps approach, they embedded security into their process, so risks are minimized by reviewing flaws, bugs, and vulnerabilities in the development and testing lifecycle prior to release.
Automation has played a key role in enabling the process, code verification, and release into production. Tieto is a longtime partner of Micro Focus and is currently a Tier 1 reseller. The firm uses Micro Focus Application Delivery Management (ADM) solutions to ensure quick time-to-market and quality applications across multiple technology platforms. When Micro Focus’s representative suggested he look into Fortify on Demand, Suro did not hesitate.
“We realized that it did not make sense for us to even consider an on-premises solution,” says Suro. “We didn’t have the resources or experience to manage that type of system so it made perfect sense to use Fortify on Demand in the cloud and in cooperation with our partner – [Micro Focus].”
One of the first uses of Fortify on Demand was to scan existing industry-specific applications, for which Tieto is widely known. Many of Tieto’s vertical industry users operate on a global scale and are heavily regulated, making compliance risk a genuine concern; therefore, it was crucial to heavily test the new applications.
The Tieto applications used by the oil and gas industry and financial services were among the first to be assessed using Fortify on Demand. Software security has become a must-have for these and other industries. Fortify on Demand acts as an extension of their security team and allows Tieto to perform fast and accurate assessments, identifying more than 750 vulnerability categories. It requires no additional resources, nothing to install or manage, and no esoteric expertise. The solution also allows Tieto to test third-party and open-source software.
“Let’s just say the results from our initial scans were very revealing,” Suro notes. “In that sense, Fortify on Demand is already paying for itself.”
Soon after Tieto began using Fortify on Demand for its own application security assessments, the firm introduced a new application testing service for their customers. Tieto Application Security Testing with Fortify on Demand is now available for static application security testing (SAST) and/or dynamic application security testing (DAST) in either one-time testing or continuous service for 12 months.
Tieto recommends that clients enroll in the continuous service if they are working on a new application development project and want to catch vulnerabilities as they are introduced during the development cycle, thereby avoiding costly corrections later. “Our customers are essentially in the same position we’re in, in many cases,” Suro says. “This service is a natural extension of the quality assurance work they have been doing. Our customers are seeing the increasing demand for mobile and web applications and this new service gives us a chance to help them take the next step. Yes, it’s a new revenue source for us, but more importantly, it is a valuable service that can reduce the risk posed by application vulnerabilities.”
Suro mentions that one of Tieto’s leading oil and gas customers was already using another application security testing solution and wanted to compare it with Fortify on Demand. The customer enrolled in Tieto’s new cloud-based testing service and discovered a significant difference in the quality of results.
“They found that Fortify on Demand was much better than the solution they had been using,” he notes. “Our customer works in a very sensitive industry and cannot afford to take any unnecessary risks when it comes to security. They appreciate the reporting and dashboards that Fortify on Demand provides. The recommendations are much clearer and developers are able to make fixes more easily when compared to the previous solution. Fortify on Demand directs them where to go in the code and confirms what needs to be analyzed. For instance, maybe you’re having a SQL injection vulnerability or cross-site scripting. Fortify on Demand is very clear about what to fix and provides you with best practices moving forward.”
Less Vulnerable Future
Fortify on Demand provides user-friendly dashboards and reports that make it easy for Tieto to manage their application portfolio and collaborate across distributed teams. Reports provide relevant metrics filtered by severity, vulnerability category, business unit, region, and other company data. Critical vulnerabilities are identified and prioritized, including the highest risk applications and trending history.
“Every person in the development process gets the information they need from this solution,” Suro emphasizes. “Fortify on Demand provides a five-star rating level for each application assessed, which allows our customers to compare applications and even compare service providers in some cases.”
He concludes, “We see a high demand for this service by both our own development groups and our external customers. We have the flexibility to assess any application, including in-house, open source, mobile, web, or third-party applications. It’s not just another tool we’re buying. Fortify on Demand is a comprehensive application security solution.”