Envestnet | Yodlee is a leading data aggregation and data analytics platform powering dynamic, cloud-based innovation for digital financial services. More than 1,000 companies, including 13 of the 20 largest U.S. banks and hundreds of Internet services companies, subscribe to the Envestnet | Yodlee platform to power personalized financial apps and services for millions of consumers. Envestnet | Yodlee solutions help transform the speed and delivery of financial innovation, improve digital customer experiences, and drive better outcomes for clients and their customers.
Saran Makam is the Director of Application Security at Envestnet | Yodlee, leading a team of global security professionals. Saran is responsible for managing the Application Security Program for multiple products and making sure that application security is integrated within the Software Development Life Cycle (SDLC).
Our legacy AppSec tools require manual efforts to scan and triage an enormous and unmanageable number of false positives. We needed our Appsec Engineers to concentrate on targeting the real vulnerabilities in the code and xing them quickly. Contrast Security allowed the Appsec Engineers to have a much better level of visibility and accuracy in pinpointing key software application vulnerabilities.
Director of Application Security
When it comes to financial services and innovation, security is paramount. That’s why Envestnet | Yodlee considers the impact to every key stakeholder to ensure that every product on its platform meets the most stringent security and compliance requirements.
Envestnet | Yodlee adheres to leading financial industry practices for security, privacy, risk, and compliance management. As a Federal Financial Institutions Examination Council (FFIEC) supervised Technology Service Provider, Envestnet | Yodlee follows strict security and risk management standards required to engage with consumers and their financial data. The company is supervised and examined by the Office of the Controller of Currency (OCC) and all major banking regulators, and has undergone nearly 200 audits by financial institutions over a recent 24-month period.
A key part of Envestnet | Yodlee’s security posture is a dedicated independent application security program integrated with its development and release lifecycle.
The company periodically conducted code reviews to make sure there were no vulnerabilities. Saran and his team wanted a better solution that could reduce the number of false positives because triaging them wasted time and reduced efficiency. The team desired a security solution that could scale, augment and seamlessly integrate with the current toolset.
Envestnet | Yodlee requires an application security framework which is repeatable, scalable, and can find and remediate vulnerabilities by using the best software security solutions. My team reviewed multiple vendors and chose Contrast Security because their solution was well received by our development and security teams, and because it works continuously and in real-time in the cloud with AWS.
Envestnet | Yodlee has over 250 developers focused on continuous improvement, development, and security of its platform.
Envestnet | Yodlee adopted Agile development and DevOps methods with the aim of getting the software to market quicker. To build on that, they also chose to adopt a “DevSecOps” approach.
The intent of adopting a DevSecOps methodology is to execute on the belief that security and development teams are jointly responsible for bolstering security – essentially bringing development and operations together. This methodology introduces security much earlier in the application development lifecycle and minimizes vulnerabilities by weaving together development and security.
Companies adopting Agile and DevOps have discovered that even as they are moving toward more frequent code releases, software security tools have not kept pace with those approaches. Legacy tools cannot operate at the speed that DevSecOps requires. As a result, security has traditionally been left behind - viewed as a roadblock to rapid application development and not typically tied to Agile processes.
In high speed organizations and in an ideal world, developers need to constantly check in code and get feedback immediately. Contrast has been a huge step forward in moving this much closer to reality.
Contrast Assess was also used to supplement Envestnet | Yodlee’s Penetration Testing tools. Contrast’s dashboard and reports were shared with internal Penetration Testing team members. These highlighted key vulnerabilities and provided immediate and actionable recommendations to triage.
Contrast Security utilizes the AWS Core Cloud Services such as EC2, Auto Scaling Groups, VPC, and RDS to provide High Availability and Elastic Scalability to meet our customers changing security workloads. Our customers have challenging requirements when choosing a security solution and our partnership with AWS allows us to provide the performance and compliance requirements our customers demand.
We used Contrast along with our other penetration testing tools. The Contrast reports highlighted vulnerabilities found in the code that we shared with the group. This really helped rapid application development.
Customer Business Benefits: