
CUSTOMER SUCCESS

Achieve Complete Application Security Test Coverage for the Entire Software Portfolio

Developers Love Application Security at Financial Services Firm


Organization Snapshot

Industry: Financial Services

Contrast Involvement: The development team has been using Contrast for over two years and has nearly eliminated vulnerabilities introduced in later stages of the SDLC. Vulnerability resolution also went from taking weeks and months to only a few hours.

"Having Contrast lets you continuously address application security, and changes the landscape of secure application development. I am glad we chose Contrast...the company. Not only is the product impressive, but the support has been outstanding. If you work like this with all your customers, I don't know when you have time to sleep!"
Garrett
Application Development Manager

Challenge

Software application security has always been a top priority in all decisions for this financial services firm. A data breach would mean exposing customer data, potential financial losses for the company and its clients, and huge damage to the company’s reputation. Existing application security tools were inaccurate and ineffective, causing developer disengagement, product delays, and negative business impacts.

Disconnect Between Development & AppSec

Historically, the IT Security team at the firm was focused on network security, and relied on perimeter security solutions to protect their applications and data. They tested pre-production applications with third-party application security scanning tools and network penetration tests, late in the software development lifecycle (SDLC). The application development team had little-to-no involvement in application security.

They received annual training on secure coding best practices, but the training didn’t keep pace with advances in application development and hacking. Code scanning tools and manual code reviews were difficult to work with and disrupted their development process. Application security reviews would occur only once the application had been fully written. The development team was left uninformed, only to be blindsided by issues uncovered in the preproduction environment. Weeks – or even months – would elapse

Inadequate Information for the Security Team

When it came to application security, the security team lacked the visibility needed to work efficiently and effectively. Their scanner tool reported many types of vulnerabilities in the application – mostly false positives – and the reports also lacked the information and guidance developers needed to find and fix errors. Developers needed insight into the numerous third-party libraries used in their applications, but existing tools provided very little information. Penetration tests also generated few relevant findings.

To close these gaps, the developers spent a tremendous amount of time going back and forth with the scanning tool vendor to help recreate issues – because their tool couldn’t locate vulnerabilities in the code. Once the team validated the real security issues, they then spent hours trying to research the vulnerabilities and identify fixes. They couldn’t be proactive or incorporate security into their standard operating processes, and this was frustrating.

Business Impacts

The existing tools and processes ultimately prevented a complete security analysis of their applications. Because the firm couldn’t deploy applications until they were known to be secure, these limitations delayed delivery of new business-critical software functionality.

Discovering Contrast Security

The Security Director at the company was researching software security alternatives when he saw a Contrast Assess demo at a trade show. He and his team were impressed by the product’s unique approach to finding and presenting vulnerability data in a way that was understandable by both developers and the security team. Contrast Assess works from within the application, without requiring any configuration changes.

Its quick and easy installation, detailed dashboard, and real-time, continuous approach solved many of the application security challenges they were facing. To accelerate deployment and simplify ongoing operations, they decided to onboard the SaaS version of Contrast Assess.

Results

Using Contrast’s continuous security testing, the application development team has improved the security of their applications and can provide predictable delivery – without adding headcount or expertise to the team. Real-time results allow developers to fix problems as they come up throughout the development process, rather than waiting until the end and hoping the scans don’t find anything. Garrett, the application development manager, now uses the visibility Contrast provides to keep the entire development team informed about, and in control of, the security status of his applications.


“I am not a deer in the headlights, like I used to be. Since deploying Contrast, I have been able to stay informed and keep my team on top of security.”

Garrett
Application Development Manager

Access to detailed, actionable information – where vulnerabilities come from, why they are important, and how to fix them – keeps his team at the forefront of security. They are no longer consumers, but owners of their applications’ security.

The insight Contrast Assess provides into custom and third-party code helps the development team identify which libraries have vulnerabilities and whether their firm’s applications are using vulnerable code within those libraries; this had been a major blind spot with their old scanning tool.

Contrast’s code-level guidance has helped the development team nearly eliminate vulnerabilities introduced in the later stages of the SDLC. Contrast has also reduced vulnerability resolution time from weeks and months to hours.

“There is no more ‘Release. And wait. And hope,’” the Application Development Manager added.
