Introduce automation in application security testing to support faster time to market and ensure application quality.
The organization releases many applications each month to its customers. Delivering high-quality custom software solutions requires close cooperation and an assurance that the application will be cyber resilient. The team introduced code quality review practices involving static and dynamic code analysis, and this has evolved to include security-related scanning as well. Vitalis Kavaliauskas, Chief Technology Officer at Baltic Amadeus, explains further: “With 10-20 software development projects on the go every day, we have defined processes and KPIs to ensure security testing is never skipped or forgotten. At the same time, we are aware that automating test execution can help our time to market objectives. We felt the tools we used for this did not support the automation potential as much as we wanted.”
The team conducted a proof-of-concept (POC) with various alternative solutions, including OpenText™ Fortify™ WebInspect. This is an automated dynamic application security testing (DAST) solution that provides comprehensive vulnerability detection and helps security professionals and QA testers identify security vulnerabilities and configuration issues. “Our own technical team was involved in the POC to evaluate the potential solutions,” says Kavaliauskas. “They liked [Fortify] WebInspect’s REST API capabilities. This benefits integration and has the flexibility to be managed through an intuitive UI or run completely via automation which is exactly what we need. An attractive price point was the final deciding factor for us.”
Once Fortify WebInspect was implemented, the team integrated it into the software development toolsets to ensure that security testing is automated where possible. Depending on the projects and the customers, Baltic Amadeus leverages a variety of tools, ranging from the typical IDEs such as Visual Studio, Eclipse, WebStorm, and Android Studio, to application build servers such as Jenkins, GitLab CI, Azure DevOps, and AWS CI. The team uses JIRA for issue tracking. Fortify WebInspect has the potential to integrate with any of these technologies, which will reduce manual effort for security testing.
Fortify WebInspect is now used to perform dynamic application security testing as part of the quality assurance process when new software versions are released. Dedicated security analysts execute the scans and provide the results and feedback to the development teams, who are then responsible for fixing any issues. This systematic, centralized assessment reduces vulnerabilities in new and existing applications. The increased automation meets clients’ growing need for web and mobile application security with detailed scan reports.
Kavaliauskas concludes: “We promise to deliver high quality and secure customer software solutions to our customers. Our internal processes, tools, and roles ensure compliance with industry best practices and standards. We see [Fortify] WebInspect as a very important link in our value chain and look forward to further testing automation and expanding our use of the solution.”
Baltic Amadeus aims to simplify the complex digital world by creating valuable experiences for its clients, users, and employees. With cutting-edge technologies, the latest delivery models, and a 96% recommendation rate among clients, it is a one-stop-shop provider of a full spectrum of IT services and strategic consulting.