Working on a transformational technology project under time and budget constraints, this innovative financial organization was building new applications to address the mobile banking and eBanking needs for its hundreds of thousands of customers. Operating in a sensitive and highly regulated financial industry, the organization’s security team also needed a proactive approach to security to protect sensitive customer and financial data.
The banking organization, which operates as a technology company, was searching for a best-in-class end-to-end AppSec solution provider to implement a robust application security program, and needed to quickly scale application security for hundreds of its applications. The company faced several challenges.
"We love the fact that WhiteHat Dynamic is production safe, [enables us to] do authenticated scanning, and above all that ALL of the findings are verified and we are 99% false positives–free."
Application security manager, Financial firm
Synopsys demonstrated that it provided the most comprehensive and industry-proven dynamic application security testing (DAST) solution. WhiteHat™ Dynamic can monitor and scan hundreds of applications in production 24/7 in a production-safe manner, and it provides the rich business logic assessment that the organization needed to confidently release its applications to its customers.
Given the size and complexity of the project, Synopsys proposed a comprehensive AppSec portfolio and later added WhiteHat Auto API. The organization’s application security team scaled its program with a suite of Synopsys solutions.
A phased approach to implementing AppSec solutions into the organization’s software development life cycle, and monitoring the right set of metrics resulted in a sustainable and scalable approach to implementing application security.
Unlimited DAST assessments enabled an accurate window into the true risk surface of the organization’s hundreds of applications. Since WhiteHat is designed for production-safe scanning, the security team was able to scale continuous risk assessments to hundreds of applications, saving time and cost without any downtime.
In addition, developer education and a direct feedback loop with Synopsys security experts have met the evolving needs of development teams.
One of the biggest challenges for this organization was dealing with a huge volume of AppSec findings and remediation tasks, which meant triaging a growing number of false positives. WhiteHat proved to be an ideal solution as the organization’s risk surface expanded with numerous interconnected applications. By discovering, categorizing, and prioritizing the biggest risks first, teams gained a strategic, targeted plan to address the most vulnerable apps in production.
Synopsys security experts reviewed scan configurations to ensure that the scan would accurately reflect the architecture and data boundaries of the application or platform being scanned. These verified vulnerabilities virtually eliminated false positives, which reduced resource costs. Above all, faster and more accurate security vulnerability identification and remediation improved overall application security and ROI.
A huge accomplishment for the organization was reaching and maintaining 100% PCI compliance. The team was able to maintain an inventory of applications, ensure on-time scans and BLAs, and provide regular metrics showing progress toward the goals.
By seamlessly scaling and adding program management to the scope of work, the Synopsys Security Testing Services team developed a close working relationship with the organization’s application security and the development teams. Regular collaboration with the teams ensured that vulnerabilities were remediated according to organizational security policies and best practices. The program managers developed measurable success criteria to track progress across the organization, including regular meeting cadences, quarterly program reviews, and annual service review meetings.
The Synopsys scope of work has evolved to include additional activities such as onboarding new users, integrating systems to automate manual processes within the AppSec team, severity contextualization, consulting on policy changes, and providing application security educational opportunities to development teams.
Synopsys has helped drive and support the successful creation and adoption of an application security program within this organization. Synopsys solutions empower customers with high-performing, measurable, scalable, and repeatable AppSec programs that are best suited to their requirements. Support from Synopsys security experts ensures that customers get highly accurate results and on-time remediation advice.
Synopsys is committed to helping customers keep their digital doors open. As a partner, we help organizations understand and assess their applications’ risk posture. This knowledge adds value and capacity to companies’ existing security teams, which increases confidence and peace of mind to focus on driving the future.
"Within six months of Synopsys onboarding, we were able to increase our PCI compliance from 40% to 100%."
Application security manager, Financial firm
Company overview
This Fortune 500 financial corporation is one of the 10 largest banks in the U.S. It needed to