Reducing Application Vulnerabilities and Overall Business Risk

Weaving Security into the Developer's Mindset and Processes


Organization Snapshot

Industry: Banking / Financial Services

Location(s): United States, United Kingdom, and Asia

Challenge: Quickly, continuously, and cost effectively help developers and security teams identify and remediate application vulnerabilities earlier in the Software Development Life Cycle (SDLC)

"Contrast Security has increased our level of confidence in ensuring the quality and security of our software applications. It has empowered our developers and it is an integral part of our SDLC. As a result, it has enhanced developer productivity and security."
Head of Application Security


Security was becoming increasingly important for one of the 10 largest banks in the world as it embarked on a process of Digital Transformation to streamline its domestic and international business.

The bank provides a fully integrated suite of financial products and services including retail, business and institutional banking, funds management, insurance, investment and brokerage services, and has more than 1,000 branches worldwide, 5,000 ATMs, over 50,000 employees, and millions of customers.

The head of the Application Security (AppSec) organization at the bank was responsible for establishing and executing the bank’s AppSec capabilities and integrating security into software development. For the last few years, the AppSec team had depended on static analysis tools to ensure the security of the software developed in-house.

Changes in technology and the evolving threat landscape had motivated the bank to boost its defenses, which required a cost-effective, automated AppSec testing solution that addressed all of its major issues.

Digital Transformation

The changing technology challenges that the bank faced could be attributed to “Digital Transformation”, with software at the heart of this major shift. The bank had adopted the latest software methodologies to transform the way it ran its businesses: better customer experiences, business efficiencies, and time and cost optimization. Most importantly, the bank wanted to stay relevant and competitive in the changing digital environment.

As part of its brand, the bank delivers seamless customer experiences in smart and innovative ways and has a reputation for excellent customer service and leadership. As part of its growth strategy, the company recognized that it needed to navigate effectively the rapid business and digital transformations that were taking place.

Integrating Agile with DevOps

The organization’s software had been developed and released at an increasingly rapid pace since the development team had combined Agile sprints with DevOps methodologies. As a result, the bank innovated faster, realized greater efficiencies and differentiated its products and services.

But continually rolling out software at a faster rate introduces potential vulnerabilities and greater business risk. It became essential for the bank to balance speed against risk.

The head of the AppSec team found that some of the bank’s current AppSec tools and processes were inadequate in addressing the issues that he faced.

That gap was placing a strain on the workload of his developers:

  • Code release delays caused by traditional Static (SAST) and Dynamic (DAST) application security testing tools
  • Scalability concerns when running scanning tools for every single release
  • Manual testing delays in development
  • Time-consuming developer training and education

It was clear to the bank that they needed to move toward more Agile security processes.

"We compared offerings from several leading AppSec testing suppliers. Contrast Security proved to be the most attractive, being the right tool for the right job."

Head of Application Security

The ease of using Contrast Assess allowed the team to integrate it seamlessly into their Agile and DevOps SDLC processes while enhancing their existing security posture.

Contrast Assess provided highly accurate results to developers directly, without depending on security experts for triage.

Developing Secure Code

The bank currently has over 4,000 developers, comprising internal staff, third parties, and outsourced consultants including penetration testers (pen testers). These groups focus on the continuous development, release, maintenance, and security of thousands of applications. The applications are a combination of internally developed software and off-the-shelf Open Source Software (OSS).

The bank had been rapidly moving toward microservices for the platforms used by its numerous business units. These platforms are shared across multiple business units and are composed of many microservices; they include the bank’s flagship retail internet banking platform, as well as its business banking and digital asset platforms.

Users really like and rely on the Contrast product heavily. Since developers have been using Contrast and learning more about application security vulnerabilities, we have seen a significant reduction in the number of identified vulnerabilities. Contrast gives us a much greater assurance about the quality and security of our code.

Integrating Security with Agile

The organization realized that software releases are negatively impacted when code vulnerabilities are identified toward the end of the SDLC: late discovery means longer delays and significantly higher remediation cost. At the bank, security practices need to keep pace with software development in Agile and DevOps environments, which shifts security from being a bottleneck to being an enabler.

Contrast has provided the bank with security that fits with continuous integration and delivery (CI/CD), microservices, and its other development processes.

We wanted to automate and streamline our application security testing without having it slow us down in our continuous development environment.


By bringing together development, security, and operations, the bank implemented a continuous and efficient way to roll out secure code. Software can now be created and deployed much faster without compromising security, at the speed of Agile and DevOps.

The bank can now focus on remaining highly agile and developing quality code while mitigating software risk.

Customer Business Benefits:

  • Code is verified as secure before it is released into production environments
  • Reduced pen testing costs through optimized processes
  • The AppSec team can deliver software security on a broader scale, and at a much lower cost, than with legacy SAST and DAST tools
  • Application security fits seamlessly into Agile and DevOps processes
  • The development team is enabled and educated by merging security with quality coding
  • Increased code quality and overall developer performance
