Unit4’s next-generation enterprise solutions power many of the world’s most people-focused mid-market services organizations. Its cloud platform, ERPx, delivers unified ERP, HCM and FP&A, combining functionality designed for service-centric industries with a user experience that puts people first. It supports rapid and continuous change while delivering an individualized fit for customers at scale, giving organizations the tools to unify their processes and connect their people. Unit4 serves more than 6,000 customers globally, including Bravida, Havas, Migros Aare, Americares, Save the Children International, Action against Hunger, Metro Vancouver, Forest Research, Southampton City Council, Habitat for Humanity, Selkirk College, FTI Consulting, and Surrey County Council.
“With Contrast Assess we had an average of 7% of false positives against the 57% in the pen-test reports received from our customers.”
– José Oca, Lead Quality Manager, Unit4
In 2014, Unit4 embarked on an ambitious strategic initiative to adopt the DevOps methodology companywide, consolidate a patchwork of software solutions developed for different markets, streamline application security and quality control efforts, and move in the direction of a cloud-based delivery model for all its products.
As a part of this reorganization, a centralized quality assurance group was formed that reports to the CTO. José Oca, an 11-year veteran of the company, was asked to join that group. “We were all aiming to achieve a consistently high level of quality across the whole portfolio,” he recalls.
Traditionally, each product operated in a silo with its own development and quality assurance functions. “Each area used different methodologies and different tools,” Oca remembers.
Fast forward to today, and Unit4’s digital transformation is firmly on track. Oca explains: “We use Azure DevOps Services; we have built an entire microservices ecosystem to make this happen. This will enable us to release software continuously and localize our product offerings without maintaining separate applications for each iteration.”
In the past, application security was part of that same piecemeal approach. When the new team formed, Oca and the Quality team began to look at how to streamline those efforts.
“We had a group of security experts in the Oslo office that took care of implementing the main security layers at the core-level technical platform level,” Oca relates. “Among others, the main steps that were taken to ensure application security were initial and pre-release architectural reviews by the in-house security team, and manual penetration testing conducted by a third party.”
Oca and the Quality team worked to standardize the process across all applications. “We developed policies and checklists that streamlined the process somewhat and made expectations clear for everyone. We created a complete security curriculum that was published in our internal training platform and distributed among all the engineering employees, to create a security culture that would impact the whole software development lifecycle,” he says. Policies, checklists and training, however, still depend on people applying them by hand. It was clear that Unit4 also needed automated application security testing that fit the new, continuously delivered development process.
Oca and the Quality team began evaluating a variety of application security tools, including traditional static application security testing (SAST), dynamic application security testing (DAST), and software composition analysis (SCA). “We started to create our own rules in some of these tools, but we quickly realized that using these tools requires a high level of expertise and a lot of customization. We knew we needed to externalize these capabilities.”
Late in the process, the team discovered Contrast Assess and requested a proof of concept. “It was one of the fastest proofs of concept that we had,” Oca recalls. He quickly realized that Contrast Assess was ideal for their needs. “This was precisely the level of automation we were looking for, and it only required a pretty basic setup,” he says. Unit4 deployed the solution, along with the native integration with Microsoft Teams.
Contrast Assess uses instrumentation to perform continuous security analysis from within the running application, rather than scanning source code or probing from the outside. As soon as vulnerable code is introduced and the affected code path is exercised (by automated tests or ordinary use), the Contrast Application Security Platform sends an alert with contextual, actionable information that helps the engineer fix the problem right away, without involvement from anyone on the security team. Because detection depends on the code path being exercised, test coverage matters: a path that is never run is never observed. Vulnerabilities can be remediated before additional layers of code are added on top of them, making remediation less complicated, time-consuming, and costly.
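To make “instrumentation from within the application” concrete, here is an added illustration in Python. It is not Contrast’s or Unit4’s code, and it is not a description of how Contrast Assess is implemented; it is a minimal sketch of the idea: untrusted input is tagged at a source, the tag follows it through string concatenation, and a finding is recorded only when a tagged value reaches a dangerous sink while that code path actually runs. The `Agent`, `TaintedStr`, `get_param`, `execute_sql` and `find_user_*` names, and the in-memory SQLite table, are all constructed for the example.

```python
"""Added illustration (not Contrast's or Unit4's code): instrumentation-based
detection of SQL injection from inside the running application. All names and
data here are constructed for the example."""
from dataclasses import dataclass, field
import functools
import sqlite3


class TaintedStr(str):
    """A str that remembers it came from an untrusted source. Concatenation
    propagates the taint; this toy does not track f-strings or .format()."""

    def __new__(cls, value, origin="unknown"):
        obj = super().__new__(cls, value)
        obj.origin = origin
        return obj

    def __add__(self, other):
        return TaintedStr(str.__add__(self, other), self.origin)

    def __radd__(self, other):
        # Runs for "literal" + tainted because TaintedStr subclasses str.
        return TaintedStr(str.__add__(other, self), self.origin)


@dataclass
class Finding:
    rule: str
    sink: str
    origin: str
    evidence: str


@dataclass
class Agent:
    """Stand-in for an in-process agent: wraps sources and sinks and records a
    Finding only when tainted data actually reaches a sink at runtime."""

    findings: list = field(default_factory=list)

    def source(self, name):
        def deco(fn):
            @functools.wraps(fn)
            def wrapper(*args, **kwargs):
                return TaintedStr(fn(*args, **kwargs), origin=name)
            return wrapper
        return deco

    def sink(self, rule, name):
        def deco(fn):
            @functools.wraps(fn)
            def wrapper(*args, **kwargs):
                # Only tainted *string* arguments matter here; a tuple of bound
                # parameters goes to the driver separately and is not flagged.
                for arg in args:
                    if isinstance(arg, TaintedStr):
                        self.findings.append(Finding(rule, name, arg.origin, str(arg)))
                return fn(*args, **kwargs)
            return wrapper
        return deco


agent = Agent()  # hypothetical in-process agent


@agent.source("http.request.param")
def get_param(params, key):
    """Hypothetical request-parameter accessor: everything it returns is untrusted."""
    return params[key]


@agent.sink("sql-injection", "sqlite3.Connection.execute")
def execute_sql(conn, sql, params=()):
    return conn.execute(sql, params).fetchall()


def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [("alice",), ("bob",)])
    return conn


def find_user_vulnerable(conn, params):
    name = get_param(params, "name")
    # Untrusted text is concatenated into the SQL, so the sink sees a TaintedStr.
    return execute_sql(conn, "SELECT name FROM users WHERE name = '" + name + "'")


def find_user_fixed(conn, params):
    name = get_param(params, "name")
    # The SQL text is a constant; the untrusted value travels as a bound parameter.
    return execute_sql(conn, "SELECT name FROM users WHERE name = ?", (name,))


def demo(name_value="alice"):
    """Exercise the fixed path, then the vulnerable one, with a constructed request.
    The finding appears even for a benign value: detection depends on the path
    being exercised, not on an attack payload being sent."""
    agent.findings.clear()
    conn = setup_db()
    request = {"name": name_value}  # constructed sample request
    fixed_rows = find_user_fixed(conn, request)
    findings_after_fixed = len(agent.findings)  # 0: SQL text never tainted
    vuln_rows = find_user_vulnerable(conn, request)
    return {
        "fixed_rows": fixed_rows,
        "vuln_rows": vuln_rows,
        "findings_after_fixed": findings_after_fixed,
        "findings": list(agent.findings),
    }


if __name__ == "__main__":
    for value in ("alice", "' OR '1'='1"):
        result = demo(value)
        print(repr(value), "fixed:", result["fixed_rows"], "vulnerable:", result["vuln_rows"])
        for f in result["findings"]:
            print(f"  {f.rule} at {f.sink}: data from {f.origin!r}: {f.evidence}")
```

Two points carry over to any real instrumentation-based tool. First, the vulnerable path is reported on the very first benign request that exercises it, which is why such findings can reach the engineer during normal testing rather than after a penetration test. Second, the parameterized version is clean not because the input was sanitized but because untrusted data never becomes part of the SQL text, which is the fix the finding should steer the engineer towards.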
“The immediate feedback is very good at helping engineers learn not to create the same vulnerability twice. It is very didactical. Over time, our engineers learn to avoid a wide variety of vulnerabilities.”
– José Oca, Lead Quality Manager, Unit4
Just a few months after deployment, Unit4 started to see the benefits.
Contrast Assess eased Unit4’s digital transformation. Unit4 has since brought its finance and HR solutions onto its cloud platform, ERPx, which it positions as the next generation of smart cloud ERP for people-focused mid-market organizations. “We have the right automation in place for our application security, and our engineers are learning to write more secure code,” Oca concludes. “As a result, we are in a great place and the future is looking bright for us.”