Software application security has always been a top priority in all decisions for this financial services firm. A data breach would mean exposing customer data, potential financial losses for the company and its clients, and huge damage to the company’s reputation. Existing application security tools were inaccurate and ineffective, causing developer disengagement, product delays, and negative business impacts.

Disconnect Between Development & AppSec

Historically, the IT Security team at the firm was focused on network security, and relied on perimeter security solutions to protect their applications and data. They tested pre-production applications with third-party application security scanning tools and network penetration tests, late in the software development lifecycle (SDLC). The application development team had little-to-no involvement in application security.

They received annual training on secure coding best practices, but the training didn’t keep pace with advances in application development and hacking. Code scanning tools and manual code reviews were difficult to work with and disrupted their development process. Application security reviews would occur only once the application had been fully written. The development team was left uninformed, only to be blindsided by issues uncovered in the preproduction environment. Weeks – or even months – would elapse.

Inadequate Information for the Security Team

When it came to application security, the security team lacked the visibility needed to work efficiently and effectively. Their scanner tool reported many types of vulnerabilities in the application – mostly false positives – and the reports also lacked the information and guidance developers needed to find and fix errors. Developers needed insight into the numerous third-party libraries used in their applications, but existing tools provided very little information. Penetration tests also generated few relevant findings.

To close these gaps, the developers spent a tremendous amount of time going back and forth with the scanning tool vendor to help recreate issues – because their tool couldn’t locate vulnerabilities in the code. Once the team validated the real security issues, they then spent hours trying to research the vulnerabilities and identify fixes. They couldn’t be proactive or incorporate security into their standard operating processes, and this was frustrating.

Business Impacts

The existing tools and processes ultimately prevented a complete security analysis of their applications. Because the firm couldn’t deploy applications until they were known to be secure, these limitations delayed delivery of new business-critical software functionality.

Discovering Contrast Security

The Security Director at the company was researching software security alternatives when he saw a Contrast Assess demo at a trade show. He and his team were impressed by the product’s unique approach to finding and presenting vulnerability data in a way that was understandable by both developers and the security team. Contrast Assess works from within the application, without requiring any configuration changes.

Its quick and easy installation, detailed dashboard, and real-time, continuous approach solved many of the application security challenges they were facing. To accelerate deployment and simplify ongoing operations, they decided to onboard the SaaS version of Contrast Assess.

“I am not a deer in the headlights, like I used to be. Since deploying Contrast, I have been able to stay informed and keep my team on top of security.”

– Garrett, Application Development Manager