The online gaming industry is projected to grow at a compound annual growth rate (CAGR) of 12.9% between now and 2027. This rapidly growing industry segment offers cyber criminals a broad attack surface to steal personally identifiable information (PII) and other forms of personal and financial data as well as to disrupt critical operations.
Just a quick glance at some of the cyber-threat intelligence in the industry reveals a serious problem:
- There are almost one million compromised accounts from 25 leading gaming companies on the Dark Web—from employee to client-facing data.
- Web applications in the video gaming industry experienced 152 million probes and attacks between 2018 and last year.
- Four ransomware attacks involving gaming companies were instigated in late 2020 that resulted in serious exposure—VPN credentials, Jira access, web applications, and more.
Cybersecurity must be front and center for any media and entertainment company in the gaming industry. For those offering media, entertainment, and gaming web applications, the importance of application security needs to ratchet up even further, with Verizon’s 2020 Data Breach Investigations Report highlighting that 43% of data breaches in the past year targeted application vulnerabilities.
Kaizen Gaming Embraces Digital Transformation
Leading European GameTech company Kaizen Gaming understands this challenge well. The company is headquartered in Athens, Greece—operating two primary brands, Betano and Stoixman—and supporting both casino and sports games in six countries in Europe and Latin America. Recognizing the importance of digital transformation acceleration, Kaizen uses the Agile methodology and currently runs 28 fully staffed Scrum teams. Its web application primarily uses .NET Core and .NET Framework.
Manual Legacy Application Security Evolves To Automation and Instrumentation
Application security has always been a priority at Kaizen—and especially for Aggelos Karonis, the company’s technical security manager. When he arrived at Kaizen, the company conducted vulnerability assessments of applications using a penetration testing tool and a dynamic application security testing (DAST) tool in the testing and production phases of the software development life cycle (SDLC).
And while penetration testing is a mandatory requirement for Payment Card Industry (PCI) compliance, it pushes application security into testing and does not provide real-time observability into the overall application portfolio. For Kaizen, vulnerabilities would be detected in the final review process, and their remediation and verification of remediation consumed valuable time.
Karonis and his team went in search of an alternative application security solution and ended up evaluating 10 different solution options. They originally thought they needed a static application security testing (SAST) solution but ended up settling on Contrast Assess instead. With security embedded within software using sensors, Contrast Assess provides Kaizen with continuous, real-time security observability. For enhanced capabilities and efficiencies, Karonis and his team seamlessly integrated their Jira project management and Slack communication tools into Contrast Assess. In addition to using Contrast Assess in development, Karonis’ team uses it to test applications in production.
Measuring the Business Value of Contrast
One advantage of the Contrast solution is that application security is continuous, in contrast with penetration testing and DAST, which were periodic. This enables Kaizen to improve its application risk posture. Indeed, when Contrast Assess was deployed, Karonis’ team identified five vulnerabilities out of the gate that had not been caught with penetration testing.
Reporting for compliance requirements is also significantly easier for Kaizen—whether for the board, executive management, or auditors. Previously, each time a report was needed, it would take upwards of one day to pull figures and another day and a half to create a format that could be consumed. Now, Karonis notes, it happens with a click of a button.
The amount of time the application security team required to interpret penetration test results and provide feedback to developers was also significantly reduced. And while it is still too early for Karonis to pinpoint how much time is being saved, he notes that it is significant.
Vulnerabilities are also being resolved faster. Karonis indicates that mean time to remediate (MTTR) has been reduced by 15 days, a number that he anticipates will fall further.
Kaizen Looks to the Future With Contrast Security
Looking to the future, Karonis sees plans to leverage additional components of the Contrast Application Security Platform. The development team currently leverages hundreds of open-source libraries and frameworks, and Contrast OSS will enable Kaizen to bolster and automate risk management for those elements. Cloud and microservices are also on the horizon, and Contrast will seamlessly extend application security to those as well.
Further Information on Kaizen and Contrast
Readers interested in learning more about Kaizen Gaming and how the company uses the Contrast Application Security Platform and the benefits achieved can download a copy of the case study and listen to the Inside AppSec podcast interview with Karonis. He is also featured as a guest panelist in a recent webinar on the State of DevSecOps.
Case Study: Kaizen Gaming Bets on Application Security Observability
Inside AppSec Podcast: Kaizen Gaming Embraces Security Instrumentation, Sees Tangible Returns
Webinar: Why DevSecOps Is Challenged By Modern Software Development