DATEV eG

Moving to hybrid cloud infrastructure for more flexibility and scalability

DATEV has always prioritized data protection and security. That is why years ago it made the decision to implement Fortify to enhance application security (AppSec) at the code level within the software development lifecycle. At the time, DATEV’s IT strategy was managed with an on-premises datacenter-based infrastructure to support over 2,000 in-house developers. Fortify was perceived to be the best solution for static code scanning, as it supported the many programming languages in use with DATEV.

Using Fortify as part of our CI/CD pipeline has resulted in a marked reduction in vulnerabilities. This is clear in our penetration tests, and it means we spend much less time fixing bugs and more time enhancing applications with new features that our customers will benefit from.

Roman Belikow, Security Engineer at DATEV, explains how things evolved over the years: “In response to our customers’ changing business models, we felt we needed to adopt a more flexible and open approach. This, combined with the fact that our infrastructure had grown complex and was difficult to support and maintain, led us to a hybrid cloud strategy. We wanted to ensure that our applications could be deployed in the common public cloud options, such as AWS and Azure. This would also give us the opportunity to open our development processes to external development partners.”

He continues: “As part of the hybrid cloud move, we were delighted to discover Fortify Hosted, delivering secure DevOps in the cloud, with the ability to fully integrate DevSecOps pipelines. It leverages the same familiar user interface as Fortify on-premises and is typically cloud-hosted in a single tenant instance, simplifying maintenance and support. Still, it was a good opportunity to compare Fortify with other leading AppSec solutions to ensure it was still the right fit for us. We found that Fortify’s scan quality is better than the competitive solutions we compared it with. It is a very user-friendly solution, and it was great to see that over the years the language support has been extended even further to cover everything we need. We were clear that Fortify Hosted would be the right solution for us.”

Effective migration to Fortify Hosted boosts development collaboration

Expertly supported by OpenText (formerly Micro Focus), the DATEV team itself managed the migration from Fortify on-premises to Fortify Hosted. Mr. Belikow and the team leveraged independent Fortify script migration using various tools such as unified Fortify Command Line (fcli). Fortify was fully integrated in DATEV’s CI/CD development pipeline, using Jenkins as the automation server, GitLab and Azure for issue tracking, and leveraging Azure DevOps capabilities. Mr. Belikow comments on how Fortify is used on a day-to-day basis by the many DATEV development teams: “All our development teams embrace agile methods and, depending on the application, Fortify is leveraged to scan code daily, or sometimes weekly. Fortify is also used to enforce Infrastructure as Code (IaC) best security practices.”

For effective knowledge sharing within such a large development community, DATEV assigned security champions. These individuals receive advanced Fortify training and are available to answer any security-related questions from the development teams. There is a healthy exchange of security findings derived from Fortify and other tools, and sharing this information effectively often accelerates an issue fix and reduces false positives.

Introducing Fortify DAST to reduce complexity

Fortify was deployed for its industry-leading static application security testing (SAST) capabilities to identify code vulnerabilities early in the development cycle and fix them quickly. With data protection a top priority for DATEV, the team could dynamically scale SAST code scans up or down to meet the changing demands of the CI/CD pipeline. Fortify also provides dynamic application security testing (DAST) capabilities. It does this by simulating real-world external security attacks on a running application to identify issues and prioritize them for root-cause analysis. DATEV used a different tool for DAST, but in the move to Fortify Hosted it replaced its incumbent DAST tool with Fortify.

Mr. Belikow explains why: “We already had over 10 years of Fortify experience and had built extensive expertise within our development teams. Moving to cloud native and online applications, it felt natural to leverage Fortify’s DAST capabilities. This will help us reduce complexity as our developers can review the SAST and DAST scan results in the same user-friendly interface. Soon we also anticipate correlating the SAST and DAST results so that we can reduce our false positives rate and focus our efforts on the most critical vulnerabilities.”

Though still early in its DAST adoption, DATEV is expanding its Fortify training courses to include the DAST capabilities. This is especially important for its security operations center so that the teams can differentiate between actual cyber-attacks and the test attacks initiated by Fortify DAST.

Moving to cloud native and online applications, it felt natural to leverage Fortify’s DAST capabilities. This will help us reduce complexity as our developers can review the SAST and DAST scan results in the same user-friendly interface.

Reducing vulnerabilities paves the way for higher-quality applications

Moving to the hybrid cloud infrastructure does not happen overnight in a large organization such as DATEV. Many applications need to be adapted or replaced, and the migration requires a mindset change as well. Mr. Belikow comments: “With this new approach, we are much more open to working with external partners. It makes us more agile and able to move at the speed demanded by our customers. We have reduced our physical footprint, which supports our green IT objectives and saves costs associated with the management and support of a complex on-premises infrastructure. By moving to Fortify Hosted, our solution is always version-current, and any issues can be dealt with quickly by Micro Focus (now OpenText) directly.” He concludes: “All of our development projects have now been successfully migrated to Fortify Hosted. Using Fortify as part of our CI/CD pipeline has resulted in a marked reduction in vulnerabilities. This is clear in our penetration tests, and it means we spend much less time fixing bugs and more time enhancing applications with new features that our customers will benefit from. We are impressed with how Fortify has evolved over all these years and the expertise demonstrated by Micro Focus (now OpenText) support whenever we have any queries.”