Contrast Security > Case Studies > Improving Security and Efficiency while Reducing Risk: A Case Study on CM.com

Improving Security and Efficiency while Reducing Risk: A Case Study on CM.com

Technology Category

Application Infrastructure & Middleware - Middleware, SDKs & Libraries
Cybersecurity & Privacy - Application Security

Applicable Industries

Equipment & Machinery
National Security & Defense

Applicable Functions

Product Research & Development
Quality Assurance

Use Cases

Cybersecurity
Tamper Detection

Services

Cybersecurity Services
Testing & Certification

About The Customer

CM.com was founded in 1999 by Jeroen van Glabbeek and Gilbert Gooijers as ClubMessage. The company introduced group SMS messaging to the marketplace. Early customers included discotheques in the Benelux region, which engaged with their customers by texting out information about guest DJs, timetables, contests, discounts, and more weekend news. More than two decades later, CM.com has become a global leader in cloud software for conversational commerce that enables businesses to deliver a superior customer experience. Their communications and payments platform empowers marketing, sales, and customer support to automate engagement with customers across multiple mobile channels, blended with seamless payment capabilities that drive sales, gain customers, and increase customer happiness.

The Challenge

CM.com, a global leader in cloud software for conversational commerce, was struggling with its application security strategy. The company's primary application security strategy consisted of penetration testing and static application security testing (SAST). However, these tools consumed considerable time on the part of both the security team and the development teams. The reports generated from these tests had to be analyzed by the security team, and a ticket would be created for each vulnerability that needed to be fixed. This process often resulted in days of delay before developers received feedback on what to do. These security-related delays created friction in the development process and increased complications and delays tied to fixing vulnerabilities that were identified in the process. They also resulted in resentment on the part of developers. Furthermore, the scan and penetration reports revealed that there was a great deal of room for improvement in the quality of the outputs of the development process.

The Solution

To improve the application security architecture, CM.com decided to roll out a secure software development life cycle (SDLC) initiative. The company identified Contrast Security as a possible solution. Contrast Security offered a comprehensive DevSecOps approach with its automated Application Security Platform. This platform had the ability to continuously monitor application code using instrumentation. This allowed developers to receive immediate feedback when a vulnerability was detected, including actionable information about how to fix it. CM.com purchased licenses for Contrast Assess and integrated it into various development tools used by the development team. To overcome initial resistance from developers, CM.com added application security metrics to the key performance indicators (KPIs) by which developers were evaluated. The company also acquired a license for OSS to start working on securing their open-source libraries. With Contrast SCA, CM.com could see at a glance open-source code that is used by an application, what vulnerabilities exist in those active libraries and classes, and which libraries need to be updated.

Operational Impact

The deployment of the Contrast Application Security Platform has resulted in significant business value for CM.com. The company has seen tangible value in areas such as mean time to remediation (MTTR), with serious vulnerabilities identified earlier in the SDLC. The company has also seen efficiency gains in the full range of application security processes. The security team now spends less time analyzing SAST and penetration testing reports, and it is easier to produce compliance reports. These efficiency improvements have translated into faster development cycles for CM.com. The company has also seen cost savings due to its Contrast deployment, with a recent downturn in the amounts paid to security researchers through CM.com’s bug bounty program. The use of Contrast SCA has also resulted in less time spent on triaging and diagnosing security alerts and remediating vulnerabilities. Overall, the secure SDLC initiative has been a huge success, with CM.com delivering highly secure applications while lowering costs and speeding up development.

Quantitative Benefit

Mean time to remediation (MTTR) reduced significantly due to continuous scanning and remediation help
Developer time for remediating vulnerabilities decreased significantly through catching vulnerabilities earlier in the SDLC
Projected faster development cycles due to fewer security-related delays