There’s no debate. Application security is a must. However, delivering vulnerability-free software at speed and scale isn’t easy. Just ask Francis Juliano, CTO at Bidpath, one of the world’s leading online auction platforms. Because Bidpath relies on software to run their business, Juliano has faced a number of common application security (AppSec) challenges—just like other industry professionals around the globe.
There are a lot of bumps in the road to better AppSec, which means finding the proper strategies and tools to avoid them is key. These security challenges are not insurmountable, but they do require some thoughtful navigation. For Bidpath, finding an effective path to better security made all the difference.
Here are 4 challenges you will likely encounter on your journey to better application security:
1. Distributed and Diverse Development Teams and Systems
You’ve got programmers, developers, QA professionals and others, all in different locations and time zones, who work on various parts of your software. Aside from scattered teams, you’ve also got development components, such as code libraries, all of which need to be scanned.
Corralling all those moving parts is hard enough, let alone ensuring they’re all using consistent, secure coding and management practices. You need to build security and control into the entire process, without adding burdens that slow progress or exhaust resources. And this is precisely what Bidpath did. They built a comprehensive AppSec program that’s integrated across the SDLC, explicitly to scale up security and increase developer productivity.
2. Multiple Scanning Tools and Crippling Number of Alerts
You’ve got a workbench of tools in your AppSec arsenal to ensure scanning coverage across all stages of the SDLC. The problem is, each security scanner executes and generates vulnerability information in its own way.
Each tool operates independently, but addressing the cacophony of outputs from each tool individually is inefficient and creates duplicate work. Moreover, you’ve got to collect all that data manually, then correlate, evaluate and prioritize the results. As we know, this work takes time. A lot of time. To remain competitive, security teams need a streamlined way to quickly and easily find and fix vulnerabilities. Using ZeroNorth, Bidpath was able to easily correlate 10,000 to 20,000 issues into a single page, allowing them to quickly and confidently address all remediation recommendations.
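The correlation step described above, as an added example that is not ZeroNorth's or Bidpath's code: two constructed, hypothetical scanner output formats are mapped onto one finding model, findings that describe the same location and weakness are merged, and the result is ranked by severity. The scanner names, field names and sample findings are all assumptions made for the example.

```python
import json
from dataclasses import dataclass, field

# Constructed sample output from two hypothetical scanners (not real tool formats)
SCANNER_A = json.dumps([
    {"path": "src/login.py", "line": 42, "cwe": "CWE-89", "severity": "high"},
    {"path": "src/search.py", "line": 17, "cwe": "CWE-79", "severity": "medium"},
])
SCANNER_B = json.dumps({"results": [
    {"file": "src/login.py", "location": {"line": 42}, "rule": "CWE-89", "level": 4},
    {"file": "src/util.py", "location": {"line": 8}, "rule": "CWE-798", "level": 5},
]})

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

@dataclass
class Finding:
    file: str
    line: int
    cwe: str
    severity: str
    sources: list = field(default_factory=list)

def normalize(scanner, raw):
    """Map each scanner's native schema onto the shared Finding model."""
    if scanner == "scanner_a":
        return [Finding(r["path"], r["line"], r["cwe"], r["severity"], [scanner])
                for r in json.loads(raw)]
    if scanner == "scanner_b":
        level_to_sev = {5: "critical", 4: "high", 3: "medium"}  # numeric level -> label
        return [Finding(r["file"], r["location"]["line"], r["rule"],
                        level_to_sev.get(r["level"], "low"), [scanner])
                for r in json.loads(raw)["results"]]
    raise ValueError(f"unknown scanner {scanner}")

def correlate(outputs):
    """Merge findings sharing (file, line, CWE); keep the highest severity and every reporting scanner."""
    merged = {}
    for scanner, raw in outputs:
        for f in normalize(scanner, raw):
            key = (f.file, f.line, f.cwe)
            if key in merged:
                m = merged[key]
                m.sources.extend(f.sources)
                if SEVERITY_RANK[f.severity] > SEVERITY_RANK[m.severity]:
                    m.severity = f.severity
            else:
                merged[key] = f
    # Highest severity first, so the remediation queue starts with what matters most
    return sorted(merged.values(), key=lambda f: -SEVERITY_RANK[f.severity])
```

Calling `correlate([("scanner_a", SCANNER_A), ("scanner_b", SCANNER_B)])` collapses the four raw findings into three, with the SQL injection reported by both tools carrying both scanner names.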
3. Blind Spots
You need oversight to ensure your development practices are, in fact, supporting your security posture. This involves a lot of questions: Is scanning happening consistently and pervasively? Are all systems fully patched and updated? Are you performing vulnerability tests both inside and outside the firewall? How sure are you really that the software you release is secure? Without a real-time, holistic view of your security posture, you’re operating in the dark.
Using ZeroNorth, Bidpath gained the visibility needed to answer these questions, as well as save considerable time and budget.
4. Customer Demands
Customers now demand application security alongside new features and functions. Most RFPs today include security requirements, sometimes with extremely detailed specifications. Prospects have been known to reject a software product based on security criteria alone. But meeting these requirements is much more than an RFP box-checking exercise.
Bidpath wanted to assure its customers that all the software it rolls out will be free from vulnerabilities. It’s part of the trust they build and the support they offer to foster loyalty and grow their business. With ZeroNorth in place, Bidpath can respond more easily to any application security requirements—from governing bodies to prospects to anyone else.
The Journey to Application Security