Location World

Securing a growing application landscape

Location World has established strategic alliances in the region with big players in the market with innovative and disruptive B2B and B2B2C business models connecting thousands of vehicles and Internet of Things (IoT) devices, with several use cases for different industry segments that help them in its day-to-day operations to maximize their efficiency and return on investment (ROI) in less time. In the words of CIO Jaime Baracaldo, the company generates and implements powerful “Telematics Mega Ecosystems” with highest add value throughout digital transformation and Internet of Things (IoT) with PaaS and SaaS solutions around the world generating high impact.

To develop and deploy its array of web and mobile applications and microservices, the company counts on an in-house development team that follows an agile, DevOps approach. As Wilson González, DevOps manager at Location World, explains: “In total we have 789 microservices and 460 pipelines, so you can imagine the transaction volumes that we generate day by day.”

Delivering applications and microservices with the highest levels of quality, stability, and security has always been a top priority for Location World. However, with development workload continuously growing, the company was keen to adopt a more scalable and rigorous approach to managing application security.

González continues: “We’ve always been trying to innovate in terms of security. Our first beginnings were manual. Then, we introduced a cloud-based code quality and security tool. As our operations grew, we found ourselves reaching the limits of this tool. We needed something more, and that’s why we decided to look for a solution that supported both static (SAST) and dynamic (DAST) analysis integrated with our DevOps pipelines.”

We received excellent sales and technical support from OpenText, which set the tone for a smooth and successful implementation. We decided to work with Telefónica on this project. Their specialists had great knowledge about the Fortify tools and how to best integrate them with our development process.

Finding the right solution

Supported by longtime partner Telefónica, Location World launched the search for a solution, and soon homed in on Fortify: a unified vulnerability management platform that integrates static, dynamic, and mobile application security testing with continuous application monitoring.

Not only was Location World impressed by Fortify’s comprehensive, enterprise-grade application security capabilities, OpenText™ Cybersecurity also offered strong local language support, which proved to be a key differentiator.

Following a promising proof-of-concept, Location World moved ahead with an implementation of Fortify on demand by OpenText—an application security-as-a-service solution running in the Cybersecurity cloud—and Static Code Analyzer, deployed in the company’s private Microsoft Azure and Google Cloud environment.

Throughout the implementation, Location World was able to count on strong support from both Telefónica and Cybersecurity. Baracaldo confirms: “We received effective sales and technical support from OpenText, which set the tone for a smooth and successful implementation. Telefónica specialists had great knowledge and gave us their guidance about the Fortify tools and how to best integrate them with our processes.”

Integrated, automated application security testing

Today, Fortify Static Code Analyzer is integrated seamlessly with Location World’s Integrated Development Environments (IDEs)—Microsoft Visual Studio, Android Studio and Xcode—as well as its Azure DevOps integration platform, used to create build and deployment pipelines. Fortify Static Code Analyzer pinpoints the root causes of security vulnerabilities in source code, prioritizes results sorted by severity of risk, and provides detailed guidance on how to fix vulnerabilities. Alongside this, Location World uses Fortify on Demand to perform final checks on code before it is released.

Baracaldo explains how the Fortify solutions are used on a day-to-day basis: “When a developer launches an upload for DevOps to the pipeline, Fortify Static Code Analyzer automatically launches the vulnerability analysis and shares the results with our Security Operations Center (SOC) in real time. After that, the SOC then carries out the dynamic analysis process with the Fortify on demand module to certify whether or not the code passes. If it does not pass, there is no approval to go to production and an analysis with the development team is required to fix the detected vulnerabilities before SOC can retest and approve publishing any code to the production environment.”

Fortify allows us to analyze a greater volume of code in a much more agile and rapid way. Now, our pipelines usually reach me without vulnerability errors because they’ve already been detected up front in the development process.

Delivering secure software, fast

With Fortify now integrated into its development cycle, Location World can scan for software vulnerabilities in parallel with development processes and fix any issues as they arise. The Cybersecurity solution is helping both development and security teams work more productively, and has steadily driven down the number of potential vulnerabilities identified during development.

“Fortify allows us to analyze a greater volume of code in a much more agile and rapid way,” notes Gonzalez. “Now, our pipelines usually reach me without vulnerability errors because they’ve already been detected up front in the development process.”

Gabriel Ayala, SOC manager at Location World, adds: “Fortify has helped our development team to substantially improve the way they identify and mitigate vulnerabilities in code. We can also replicate these improvements in other applications, which contributes to higher-quality code across the entire organization.”

Comprehensive vulnerability management gives Location World the confidence that it is releasing highly secure and reliable applications. In turn, this is helping the company strengthen its global recognition.

Baracaldo concludes: “Many of our clients also have a control process where they perform their own vulnerability analysis, so they’ve been able to see first-hand the improvements that we’ve made since introducing Fortify. It’s a very positive situation for everyone: our clients have greater peace of mind about the applications they’re using, and we grow our recognition as a global provider of high-quality, secure software.