start portlet menu bar end portlet menu bar

What we achieved

  • Zero Configuration deployment process

  • Leveraged existing processes in the SDLC

  • Detailed security vulnerability records

To who

  • Industry: Information Technology

  • Products: HCL AppScan

  • Region: North America/US

Overview

  • Part 1

    Challenge

    Our customer was faced with the following business challenges:

    Improving the security protection of their products without disrupting the current SDLC process.

    Reducing the probability of a security issue that could delay shipping of new versions.
  • Part 2

    Solution

    Integrate IAST into the customer’s existing QA process and leverage automatic, manual and sanity tests to extend Application Security Testing (AST) coverage and transform DevOps to DevSecOps.
  • Part 3

    Results

    Improved AST coverage and remediation processes, due to informative records of security issues such as full call stacks and exploit examples that are reported by the IAST agent.

The Challenge

Business Case for IAST

The company was already utilizing DAST as part of their SDLC, mostly in the late stages. This common practice provided good results, but had several downsides to it:

  • When a significant security vulnerability was discovered, it caused a delay in the release, since DAST was introduced as one of the last steps before a new version was shipped. Remediation efforts for security vulnerabilities were high due to the DAST scanner's less detailed information.
  • There was a significant time gap between writing the code and discovering vulnerabilities.

quote icon

We were surprised by the deployment process. We were expecting something more complicated than deploying a WAR file to our Tomcat!

Technical Manager DevOps team

The Solution

Integrating IAST

The company has an extensive Quality Assurance (QA) process due to its codebase's size and complexity. The QA process includes automated and manual testing that ranged from simple sanity scenarios to complicated edge cases. Every new version also added more functionality, so further tests was introduced into the QA process.

The QA infrastructure is Docker-based and orchestrated using Jenkins. Since the team didn't want to change their existing containers, they decided to integrate IAST by using a simple script that utilizes AppScan's APIs to download and deploy the agent to the web server, after applications are successfully built and published.

The amount of information I receive per issue is beneficial for the prioritization and remediation process.

System Architect

The Results

Effects

A significant benefit that developers instantly reported was the amount of information the security vulnerabilities contained. Having the line of code that originated the issue, along with an example of an exploit that triggered it, reduced remediation efforts significantly. Since the QA process is adjacent to the development process, the code changes that resulted in new security vulnerabilities are fresh in developers minds when approaching to resolve security issues.

Another benefit that the security team reported was reducing issues detected in DAST scanning, since the QA process now helped to resolve issues earlier in the SDLC.

From a maintenance perspective, the Security and DevOps teams were impressed since integrating the IAST agent only requires a single straightforward script, and the agent itself is evergreen (meaning that it updates automatically). Another great thing is that the QA team can keep adding new tests for every new functionality it develops, keeping AST coverage up to date with every new version. The process keeps improving as a byproduct of the SDLC itself.

About the company

Due to the cybersecurity domain's sensitive nature, the company requested to stay anonymous in this particular case study. The company is a software company in the IT e market that provides services to SMBs and large enterprises.

The technology stack used in this case study is:

  • Java
  • Tomcat
  • Docker
  • Jenkins
Download Story

Related Capabilities

Business & Industry Applications

Business & Industry Applications

조직의 효율성에 대한 새로운 벤치마크를 설정하도록 설계된 강력한 비즈니스 애플리케이션입니다. 마케팅, 전자 상거래, 가치 사슬 및 행동 인사이트를 포괄합니다.

더 알아보기
AI and Intelligent Operations

AI and Intelligent Operations

단순성, 보안 및 사용 편의성과 결합된 AI 및 자동화는 정보에 입각한 의사 결정을 내리고, 시장 트렌드를 예측하며, 민첩성과 효율성을 전례 없는 수준으로 향상하도록 지원합니다.

더 알아보기
Cybersecurity

Cybersecurity

애플리케이션부터 엔드포인트에 이르기까지 안전한 DevOps 및 규정 준수를 제공하는 취약성 탐지, 완화 및 조치방안 솔루션입니다.

더 알아보기
Data and Analytics

Data and Analytics

데이터 패턴과 시장 분석을 통해 결과를 예측하고, 고객을 프로파일링하고, 운영을 최적화하며, 새로운 기회를 파악하도록, 복잡한 데이터를 명확하고 실행 가능한 인사이트로 추출하는 데 필요한 도구입니다.

더 알아보기
Total Experience

Total Experience

TX 소프트웨어는 조직이 직면하고 있는 가장 복잡한 과제를 해결하기 위해 최고의 기술을 상호 연결하여 고객 경험(CX), 직원 경험(EX), 사용자 경험(UX) 및 다중 경험(MX)을 통합합니다.

더 알아보기
sovereign-collaboration

Sovereign Collaboration

Sovereign Collaboration 소프트웨어는 데이터보다 자율성을 전략적으로 우선시합니다. 우리는 민감한 정보의 중요성을 이해하고 이를 보호하기 위한 안전하고 유연한 솔루션을 설계했습니다.

더 알아보기

Related Success Story

See all Success stories >