Contrast Security
Overview
HQ Location: United States
Year Founded: 2014
Company Type: Private
Revenue: $10-100m
Employees: 201 - 1,000
Company Description
Contrast Security is the world’s leading provider of security technology that enables software applications to protect themselves against cyberattacks. More accurate and effective than outdated legacy security measures, Contrast Security is a completely new approach to application security – the world's first comprehensive platform for protecting enterprise applications from within.
IoT Snapshot
Contrast Security is a provider of Industrial IoT platform as a service (PaaS) and cybersecurity and privacy technologies, and is also active in the equipment and machinery and national security and defense industries.
Technology Stack
Contrast Security’s Technology Stack maps Contrast Security’s participation in the platform as a service (PaaS) and cybersecurity and privacy layers of the IoT technology stack.
- Devices Layer
- Edge Layer
- Cloud Layer
- Application Layer
- Supporting Technologies
Technological Capability scale: None, Minor, Moderate, Strong
Case Studies
Case Study
Unit4 Enhances DevOps and Reduces False Positives with Contrast Application Security Platform
In 2014, Unit4, a provider of next-generation enterprise solutions, embarked on a large-scale digital transformation. The company aimed to adopt the DevOps methodology, consolidate various software solutions developed for different markets, streamline application security and quality control efforts, and transition to a cloud-based delivery model for all its products. A centralized quality assurance group was formed to ensure a consistently high level of quality across the entire portfolio. However, each product operated in a silo with its own development and quality assurance functions, using different methodologies and tools. Application security was part of this piecemeal approach. The company had a group of security experts implementing the main security layers at the core technical platform level. However, the process was manual and required a lot of customization, which was not sustainable for the company's digital transformation.
Case Study
Enhancing Application Security and Efficiency in E-commerce with IoT
Tillster, a global leader in self-service digital ordering, faced the challenge of improving and simplifying its application security. The company needed to incorporate a more active and dynamic vulnerability assessment system to ensure the security of its applications. The challenge also included providing guidance to Tillster’s DevOps team to achieve optimal protection within the entire Software Development Life Cycle (SDLC). The company had to balance internal and external practices, comply with OWASP’s top 10 application security risks and mobile application guidelines, and run scans and penetration tests to meet PCI standards. Patch management was critical for keeping Tillster’s applications safe, as 99% of software exploits are based on known vulnerabilities. Furthermore, Tillster had to deliver secure software on schedule, ensuring that security issues did not cause delays and that the software in production did not pose a risk to restaurants or consumer data.
Case Study
Transforming Application Security in Retail and E-Commerce: A Case Study
The case study revolves around a large retail and e-commerce company with over 25,000 employees and $5 billion in revenue in the financial year 2015-16. As the company's e-commerce platform became a leading sales channel, it transitioned to an agile development process, moving from 6-week release cycles to 3-week cycles to accelerate innovation. However, the rapid release cycles demanded an intense focus on security to avoid brand damage and customer data loss. The company's existing application security products were a disruption to the release cycle schedule, forcing all those involved in the Software Development Life Cycle (SDLC) to reprioritize their work. The Application Security manager found himself in the critical path for every production deployment, outnumbered in the entire process. The company's traditional application security was done at the integration testing phase, which was one step before the application was released to production. The process either added significant 'rework cost' or postponed security fixes to a later application release.
Case Study
Integrating Application Security into Software Development Life Cycle: A Case Study of Envestnet | Yodlee
Envestnet | Yodlee, a leading data aggregation and data analytics platform for digital financial services, faced the challenge of seamlessly and cost-effectively aiding developers in identifying and fixing application security vulnerabilities within their code early in the Software Development Life Cycle (SDLC). The company also aimed to reduce the burden that development and security practitioners encounter by reducing the number of false positives reported. As a fintech company, security is paramount for Envestnet | Yodlee, and they needed to ensure that every product on its platform met the most stringent security and compliance requirements. The company periodically conducted code reviews to ensure there were no vulnerabilities, but they wanted a better solution that could reduce the number of false positives, as triaging them wasted time and reduced efficiency. They also desired a security solution that could scale, augment and seamlessly integrate with the current toolset.
Case Study
Empowering Developers to Deliver Secure Software: A Case Study on a Major North American Insurance Subsidiary
The North American insurance subsidiary, a part of a global group that ranks among the world’s top providers of both commercial and property/casualty insurance, faced several challenges in its application security. The company wanted to increase awareness among developers about application security risk and safe-coding practices, enable discovery and remediation of vulnerabilities with minimal delays to the development process, reduce the backlog of unaddressed high-risk vulnerabilities, and roll out a global solution to all internal business units and groups. The company's existing application security processes were unsustainable. Vulnerability scanning with the legacy static application security testing (SAST) tool often took hours at a time, and many of the alerts in each report turned out to be false positives, wasting precious time and potentially delaying release cycles.
Case Study
Enhancing Retail Security and Efficiency: A Case Study on Floor & Decor and Contrast Security
Floor & Decor, a rapidly growing retailer with over 200 locations and $3 billion in annual revenue, faced the challenge of ensuring comprehensive security for its retail business and development environments. The company needed to protect its business operations, particularly customer data, from potential security threats. The challenge was to implement a solution that could provide robust security for its retail stores and point-of-sale (POS) systems, while also managing strong growth. The company needed to limit false positives and scan for threats and intrusions faster, more seamlessly, and in real-time. The company also sought to reduce the time spent on identifying and handling security vulnerabilities, which was consuming significant staff time and resources.
Case Study
Improving Security and Efficiency while Reducing Risk: A Case Study on CM.com
CM.com, a global leader in cloud software for conversational commerce, was struggling with its application security strategy. The company's primary application security strategy consisted of penetration testing and static application security testing (SAST). However, these tools consumed considerable time on the part of both the security team and the development teams. The reports generated from these tests had to be analyzed by the security team, and a ticket would be created for each vulnerability that needed to be fixed. This process often resulted in days of delay before developers received feedback on what to do. These security-related delays created friction in the development process and increased complications and delays tied to fixing vulnerabilities that were identified in the process. They also resulted in resentment on the part of developers. Furthermore, the scan and penetration reports revealed that there was a great deal of room for improvement in the quality of the outputs of the development process.
Case Study
Enhancing Application Security in Banking through Agile and DevOps Integration
One of the world's top 10 banks was undergoing a digital transformation to streamline its domestic and international business. The bank, with over 1,000 branches worldwide, 5,000 ATMs, over 50,000 employees, and millions of customers, was facing challenges in integrating security into its software development process. The bank's Application Security (AppSec) team had been relying on static tools to ensure the security of the software they developed in-house. However, changes in technology and the evolving threat landscape necessitated a more robust, automated AppSec testing solution. The bank was also rapidly moving towards using microservices for its platforms, which were used across multiple business units. The bank's software had been developed and released at an increasingly rapid pace since the development team had combined Agile sprints with DevOps methodologies. This fast-paced rollout of software introduced potential vulnerabilities and greater business risk. The bank's current AppSec tools and processes were found to be inadequate in addressing these issues, causing code release delays, scalability concerns, manual testing delays in development, and time-consuming developer training and education.
Case Study
Kaizen Gaming Enhances Application Security with Contrast Assess
Kaizen Gaming, a leading GameTech company, faced significant challenges in its application security. The company's large development operation, which includes 28 fully staffed Scrum teams, was struggling with late identification of vulnerabilities in the software development life cycle (SDLC). This late detection resulted in remediation work being pushed to the end of the development process, causing extra work and stress. The company's reliance on penetration testing did not provide real-time, holistic observability into Kaizen’s overall application portfolio, leading to blind spots and inefficiencies. The company needed an automated, efficient, and scalable solution that could catch vulnerabilities earlier in the process without slowing down their developers. Additionally, the financial team preferred a pricing model that charges by the application rather than by the developer due to the company's large development team and tight margins.
Case Study
Creating Marketplace Efficiencies for the Healthcare Industry: A Digital Healthcare Company's Journey to the Cloud
The digital healthcare company was facing a challenge of business and technology innovation being hampered by traditional legacy security and infrastructure tools. The company required a solution that could quickly and seamlessly accelerate the company’s digital future by migrating securely to a cloud infrastructure. The company was also facing the challenge of solving the healthcare access problem. With approximately 6 million patients visiting the company per month to schedule and book doctor appointments, they needed to adapt, innovate, and modernize the healthcare industry by providing a frictionless healthcare experience for healthcare practitioners and for the 21st century patient. The company initially focused on private healthcare practices and building a technology solution optimized for that specific use case. They experienced early success, building momentum, and critical mass. The company soon realized that there was a significant opportunity to turn its focus and expand to a larger piece of the healthcare system by addressing the changes in healthcare demands.
Case Study
Revolutionizing Application Security in Financial Services with IoT
The financial services firm in question was facing significant challenges in achieving comprehensive application security test coverage for its entire software portfolio. The existing application security tools were proving to be inaccurate and ineffective, leading to developer disengagement, product delays, and negative business impacts. The IT Security team was primarily focused on network security, relying on perimeter security solutions to protect their applications and data. The application development team had minimal involvement in application security, and the training they received did not keep pace with advances in application development and hacking. The security team lacked the visibility needed to work efficiently and effectively, with their scanner tool reporting many false positives and lacking the necessary information for developers to find and fix errors. The existing tools and processes were preventing a complete security analysis of their applications, delaying the delivery of new business-critical software functionality.
Case Study
Enhancing Security of Modern Software in Financial Services: A Case Study of a U.S. Regional Credit Union
The U.S.-based regional credit union, serving nearly 100,000 customers in rural communities, was facing challenges in delivering and securing modern software applications to protect customers’ private financial data. Prior to working with Contrast Security, the credit union’s application security efforts were ad hoc with periodic penetration testing and content analysis highlighting issues post-development. The credit union’s developers produce a significant amount of custom code that they release relatively frequently. Identifying vulnerabilities with traditional scanning tools was a challenge, as the tools generated a high number of false positives. The company also wanted to deploy Contrast in Dev/QA in order to identify potential vulnerabilities early in the SDLC and create a baseline. Additionally, prior to the installation of Contrast Protect, the credit union was potentially vulnerable to attacks.