Reducing Application Vulnerabilities and Overall Business Risk
Weaving Security into the Developer's Mindset and Processes
Banking / Financial Services
United States, United Kingdom, and Asia
Quickly, continuously, and cost effectively help developers and security teams identify and remediate application vulnerabilities earlier in the Software Development Life Cycle (SDLC)
"Contrast Security has increased our level of confidence in ensuring the quality and security of our software applications. It has empowered our developers and it is an integral part of our SDLC. As a result, it has enhanced developer productivity and security."
Head of Application Security
Security was becoming increasingly important for one of the 10 largest banks in the world as it embarked on a process of Digital Transformation to streamline its domestic and international business.
The bank provides a fully integrated suite of financial products and services including retail, business and institutional banking, funds management, insurance, investment and brokerage services, and has more than 1,000 branches worldwide, 5,000 ATMs, over 50,000 employees, and millions of customers.
The head of the Application Security (AppSec) organization at the bank was responsible for establishing and executing the bank’s AppSec capabilities and integrating security into software development. For the previous few years, the AppSec team had depended on static analysis tools to ensure the security of the software it developed in-house.
Changes in technology and the evolving threat landscape had motivated the bank to boost its defenses - requiring a
The changing technology challenges that the bank faced could be attributed to “Digital Transformation” - with software at the heart of this major shift. The bank had utilized the latest software methodologies to transform the way they ran their businesses – better customer experiences, business efficiencies, time and cost optimization. Most importantly, the bank wanted to stay relevant and competitive in the changing digital environment.
As part of its brand, the bank delivers seamless customer experiences in smart and innovative ways, and has a reputation for excellent customer experiences, service
Integrating Agile with DevOps
The organization’s software had been developed and released at an increasingly rapid pace since the development team had combined Agile sprints with DevOps methodologies. As a result, the bank innovated faster, realized greater efficiencies and differentiated its products and services.
But continually rolling out software at a faster rate introduces potential vulnerabilities and greater business risk. It became essential for the bank to balance speed against risk.
The head of the AppSec team found that some of the bank’s current AppSec tools and processes were inadequate in addressing the issues that he faced.
That gap was placing a strain on the workload of his developers:
- Code release delays caused by traditional static (SAST) and dynamic (DAST) application security testing tools
- Scalability concerns when running scanning tools for every single release
- Manual testing delays during development
- Time-consuming developer training and education
It was clear to the bank that they needed to move toward more Agile security processes.
The ease of using Contrast Assess allowed the team to integrate it seamlessly into their Agile and DevOps SDLC processes while enhancing their existing security posture.
Contrast Assess provided highly accurate results for developers without the dependence on experts for triage.
Developing Secure Code
The bank currently has over 4,000 developers, made up of internal staff, third parties and outsourced consultants, including penetration testers (pen testers). These groups focus on the continuous development, release, maintenance, and security of thousands of applications. The applications are a combination of internally developed software and off-the-shelf open source software (OSS).
The bank had been rapidly moving toward microservices for the platforms used by its numerous business units. The platforms are shared across multiple business units and composed of numerous microservices; they include the bank’s flagship retail internet banking platform, as well as its business banking and digital asset platforms.
“We compared offerings from several leading AppSec testing suppliers. Contrast Security proved to be the most attractive, being the right tool for the right job.”
– David, Head of Application Security
Integrating Security with Agile
The organization realized that software releases are negatively impacted when code vulnerabilities are identified toward the end of the SDLC: remediation is delayed and significantly more costly. At the bank, security practices need to keep pace with software development in Agile and DevOps environments. This shifts security from being a bottleneck to an enabler.
Contrast has provided the bank with security that fits with continuous integration and delivery (CI/CD), microservices and other development processes.
By bringing together development, security, and operations, the bank implemented a continuous and efficient way to roll out secure code. Software can now be created and deployed much faster without compromising security, at the speed of Agile and DevOps.
The bank can now focus on remaining highly agile, developing quality code while mitigating software risk.
Customer Business Benefits:
- Code created is highly secure before it is released into production environments
- Reduction in pen testing costs through optimized processes
- AppSec team is able to deliver software security on a broader scale, and at a much lower cost, than when using legacy SAST and DAST tools
- Application Security fits seamlessly into Agile and DevOps processes
- Enabled and educated the development team by merging security with quality coding
- Increased code quality and overall performance of their developers
Get Secure Code Moving Now for Free
Schedule a one-to-one demo to see what the Contrast Secure Code Platform could do for you.