CUSTOMER SUCCESS
Achieve Complete Application Security Test Coverage for the Entire Software Portfolio
Developers Love Application Security at Financial Service Firm
Industry: Financial Services
Location: United States
Challenge: Existing application security tools were inaccurate and ineffective, causing developer disengagement, product delays, and negative business impacts.
“Having Contrast lets you continuously address application security, and changes the landscape of secure application development. I am glad we chose Contrast...the company. Not only is the product impressive, but the support has been outstanding. If you work like this with all your customers, I don't know when you have time to sleep!”
– Garrett, Application Development Manager
Challenge
Software application security has always been a top priority in all decisions for this financial services firm. A data breach would mean exposing customer data, potential financial losses for the company and its clients, and huge damage to the company’s reputation. Existing application security tools were inaccurate and ineffective, causing developer disengagement, product delays, and negative business impacts.
Disconnect Between Development & AppSec
Historically, the IT Security team at the firm was focused on network security, and relied on perimeter security solutions to protect their applications and data. They tested pre-production applications with third-party application security scanning tools and network penetration tests, late in the software development lifecycle (SDLC). The application development team had little-to-no involvement in application security.
Developers received annual training on secure coding best practices, but the training didn’t keep pace with advances in application development and attack techniques. Code scanning tools and manual code reviews were difficult to work with and disrupted the development process. Application security reviews occurred only once an application had been fully written, so the development team was left uninformed until it was blindsided by issues uncovered in the preproduction environment. Weeks, or even months, could elapse between the time vulnerable code was written and the time developers learned of it.
Inadequate Information for the Security Team
When it came to application security, the security team lacked the visibility needed to work efficiently and effectively. Their scanner reported many types of vulnerabilities in the application, mostly false positives, and its reports lacked the information and guidance developers needed to locate and fix the real ones. Developers needed insight into the numerous third-party libraries used in their applications, but the existing tools provided very little. Penetration tests also generated few relevant findings.
To close these gaps, the developers spent a tremendous amount of time going back and forth with the scanning tool vendor to reproduce reported issues, because the tool could not pinpoint where in the code a vulnerability lay. Once the team had validated which findings were real, they spent further hours researching each vulnerability and identifying a fix. They could neither be proactive nor incorporate security into their standard operating processes, which was frustrating.
Business Impacts
The existing tools and processes ultimately prevented a complete security analysis of their applications. Because the firm couldn’t deploy applications until they were known to be secure, these limitations delayed delivery of new business-critical software functionality.
Discovering Contrast Security
The Security Director at the company was researching software security alternatives when he saw a Contrast Assess demo at a trade show. He and his team were impressed by the product’s unique approach to finding and presenting vulnerability data in a way that was understandable by both developers and the security team. Contrast Assess works from within the application, without requiring any configuration changes.
Its quick and easy installation, detailed dashboard, and real-time, continuous approach solved many of the application security challenges they were facing. To accelerate deployment and simplify ongoing operations, they decided to onboard the SaaS version of Contrast Assess.
“I am not a deer in the headlights, like I used to be. Since deploying Contrast, I have been able to stay informed and keep my team on top of security.”
– Garrett, Application Development Manager
Results
Using Contrast’s continuous security testing, the application development team has improved the security of its applications and can provide predictable delivery without adding headcount or expertise to the team. Real-time results allow developers to fix problems as they arise throughout the development process, rather than waiting until the end and hoping the scans find nothing. Using the visibility Contrast provides, the application development manager, Garrett, now keeps the entire development team informed about, and in control of, the security status of its applications.
Access to detailed, actionable information – where vulnerabilities come from, why they are important, and how to fix them – keeps his team at the forefront of security. They are no longer consumers, but owners of their applications’ security.
The insight Contrast Assess provides into custom and third-party code helps the development team identify which libraries have vulnerabilities and whether their firm’s applications are using vulnerable code within those libraries; this had been a major blind spot with their old scanning tool.
Contrast’s code-level guidance has helped the development team nearly eliminate vulnerabilities introduced in the later stages of the SDLC. Contrast has also reduced vulnerability resolution time from weeks and months to hours.
“There is no more ‘Release. And wait. And hope,’” the Application Development Manager added.