Customer Success

Envestnet | Yodlee

Weaving Application Security into the Software Development Life Cycle


Organization Snapshot

Industry: Digital Financial Services

Challenge: Seamlessly and cost-effectively aid developers in identifying and fixing application security vulnerabilities.

Solution: Contrast Assess aids Envestnet | Yodlee’s development and application security teams by weaving security into DevSecOps.

"We used Contrast along with our other penetration testing tools. The Contrast reports highlighted vulnerabilities found in the code that we shared with the group. This really helped rapid application development."
Saran Makam
Director of Application Security

Overview

Envestnet | Yodlee is a leading data aggregation and data analytics platform powering dynamic, cloud-based innovation for digital financial services. More than 1,000 companies, including 13 of the 20 largest U.S. banks and hundreds of Internet services companies, subscribe to the Envestnet | Yodlee platform to power personalized financial apps and services for millions of consumers. Envestnet | Yodlee solutions help transform the speed and delivery of financial innovation, improve digital customer experiences, and drive better outcomes for clients and their customers.

Saran Makam is the Director of Application Security at Envestnet | Yodlee, leading a team of global security professionals. Saran is responsible for managing the Application Security Program for multiple products and making sure that application security is integrated within the Software Development Life Cycle (SDLC).

Our legacy AppSec tools require manual efforts to scan and triage an enormous and unmanageable number of false positives. We needed our AppSec Engineers to concentrate on targeting the real vulnerabilities in the code and fixing them quickly. Contrast Security allowed the AppSec Engineers to have a much better level of visibility and accuracy in pinpointing key software application vulnerabilities.

Saran Makam
Director of Application Security

Security and Digital Financial Innovation

When it comes to financial services and innovation, security is paramount. That’s why Envestnet | Yodlee considers the impact to every key stakeholder to ensure that every product on its platform meets the most stringent security and compliance requirements.

Envestnet | Yodlee adheres to leading financial industry practices for security, privacy, risk, and compliance management. As a Federal Financial Institutions Examination Council (FFIEC) supervised Technology Service Provider, Envestnet | Yodlee follows the strict security and risk management standards required to engage with consumers and their financial data. The company is supervised and examined by the Office of the Comptroller of the Currency (OCC) and all major banking regulators, and has undergone nearly 200 audits by financial institutions over a recent 24-month period.

A key part of Envestnet | Yodlee’s security posture is a dedicated independent application security program integrated with its development and release lifecycle.

Stop Chasing False Positives

The company periodically conducted code reviews to make sure there were no vulnerabilities. Saran and his team wanted a better solution that could reduce the number of false positives because triaging them wasted time and reduced efficiency. The team desired a security solution that could scale, augment and seamlessly integrate with the current toolset.

Envestnet | Yodlee requires an application security framework which is repeatable, scalable, and can find and remediate vulnerabilities by using the best software security solutions. My team reviewed multiple vendors and chose Contrast Security because their solution was well received by our development and security teams, and because it works continuously and in real-time in the cloud with AWS.

Transitioning to DevSecOps

Envestnet | Yodlee has over 250 developers focused on continuous improvement, development, and security of its platform.

Envestnet | Yodlee adopted Agile development and DevOps methods with the aim of getting the software to market quicker. To build on that, they also chose to adopt a “DevSecOps” approach.

The intent of adopting a DevSecOps methodology is to execute on the belief that security and development teams are jointly responsible for bolstering security – essentially bringing development and operations together. This methodology introduces security much earlier in the application development lifecycle and minimizes vulnerabilities by weaving together development and security.

Companies adopting Agile and DevOps have discovered that even as they move toward more frequent code releases, software security tools have not kept pace with those approaches. Legacy tools cannot operate at the speed that DevSecOps requires. As a result, security has traditionally been left behind, viewed as a roadblock to rapid application development and not typically tied to Agile processes.

In high-speed organizations and in an ideal world, developers need to constantly check in code and get feedback immediately. Contrast has been a huge step forward in moving this much closer to reality.

Supporting Penetration Testing

Contrast Assess was also used to supplement Envestnet | Yodlee’s Penetration Testing tools. Contrast’s dashboard and reports were shared with internal Penetration Testing team members. These highlighted key vulnerabilities and provided immediate and actionable recommendations to triage.


Contrast Security utilizes AWS core cloud services such as EC2, Auto Scaling Groups, VPC, and RDS to provide high availability and elastic scalability to meet our customers’ changing security workloads. Our customers have challenging requirements when choosing a security solution, and our partnership with AWS allows us to meet the performance and compliance requirements our customers demand.

Contrast Security utilizes AWS encryption services, such as AWS Key Management Service and AWS Certificate Manager, to keep data confidential in transit and at rest. Contrast Security also leverages AWS Lambda serverless solutions to build cloud-native products that power data intelligence feeds to our customers worldwide.

Results

Customer Business Benefits:

  • Significant reduction in the number of time-wasting false positives
  • Increased developer productivity through reduced test-fix-redeploy cycle times
  • Security woven into daily coding practices
  • Reduced Penetration Testing costs
  • Accelerated software time-to-market

As a fintech company, increasing the number of accounts and elevating the customer experience are a major focus for Envestnet | Yodlee. By using Amazon Web Services (AWS), the company was able to achieve these goals with the flexibility, reliability, and scalability that AWS provided. The AWS offerings have helped the company launch and integrate new applications quickly and effectively, accelerating time-to-market and providing a key competitive advantage. Implementing Contrast Assess as part of its DevSecOps initiatives enabled Envestnet | Yodlee to further integrate security into existing Agile and DevOps workflows and tools. In turn, that allowed Envestnet | Yodlee to bring its secure financial software solutions to market faster and with greater confidence.
