Working on a transformational technology project under time and budget constraints, this innovative financial organization was building new applications to address the mobile banking and eBanking needs for its hundreds of thousands of customers. Operating in a sensitive and highly regulated financial industry, the organization’s security team also needed a proactive approach to security to protect sensitive customer and financial data.
The banking organization, which operates as a technology company, was searching for a best-in-class end-to-end AppSec solution provider to implement a robust application security program, and needed to quickly scale application security for hundreds of its applications. The company faced several challenges.
We love the fact that Continuous Dynamic is production safe, [enables us to] do authenticated scanning, and above all that ALL of the findings are verified and we are 99% false positives–free."
Application security manager
|Financial firm
Black Duck demonstrated that it provided the most comprehensive and industry-proven dynamic application security testing (DAST) solution. Continuous Dynamic™ can monitor and scan hundreds of applications in production 24/7 in a production-safe manner, and it provides the rich business logic assessment that the organization needed to confidently release its applications to its customers.
Given the size and complexity of the project, Black Duck proposed a comprehensive AppSec portfolio and later added Continuous Dynamic Auto API. The organization’s application security team scaled its program with a suite of Black Duck solutions.
A phased approach to implementing AppSec solutions into the organization’s software development life cycle, and monitoring the right set of metrics resulted in a sustainable and scalable approach to implementing application security.
Unlimited DAST assessments enabled an accurate window into the true risk surface of the organization’s hundreds of applications. Since Continuous Dynamic is designed for production-safe scanning, the security team was able to scale continuous risk assessments to hundreds of applications, saving time and cost without any downtime.
In addition, developer education and a direct feedback loop with Black Duck security experts has met the evolving needs of development teams.
One of the biggest challenges for this organization was dealing with a huge volume of AppSec findings and remediation tasks, which meant triaging a growing number of false positives. Continuous Dynamic proved to be an ideal solution as the organization’s risk surface expanded with numerous interconnected applications. By discovering, categorizing, and prioritizing the biggest risks first, teams gained a strategic, targeted plan to address the most vulnerable apps in production.
Black Duck security experts reviewed scan configurations to ensure that the scan would accurately reflect the architecture and data boundaries of the application or platform being scanned. These verified vulnerabilities virtually eliminated false positives, which reduced resource costs. Above all, faster and more accurate security vulnerability identification and remediation improved overall application security and ROI.
A huge accomplishment for the organization was reaching and maintaining 100% PCI compliance. The team was able to maintain an inventory of applications, ensure on-time scans and BLAs, and provide regular metrics showing progress toward the goals.
By seamlessly scaling and adding program management to the scope of work, the Black Duck Security Testing Services team developed a close working relationship with the organization’s application security and the development teams. Regular collaboration with the teams ensured that vulnerabilities were remediated according to organizational security policies and best practices. The program managers developed measurable success criteria to track progress across the organization, including regular meeting cadences, quarterly program reviews, and annual service review meetings.
The Black Duck scope of work has evolved to include additional activities such as onboarding new users, integrating systems to automate manual processes within the AppSec team, severity contextualization, consulting on policy changes, and providing application security educational opportunities to development teams.
Black Duck has helped drive and support the successful creation and adoption of an application security program within this organization. Black Duck solutions empower customers with high-performing, measurable, scalable, and repeatable AppSec programs that are best suited to their requirements. Support from Black Duck security experts ensures that customers get highly accurate results and on-time remediation advice.
Black Duck is committed to helping customers keep their digital doors open. As a partner, we help organizations understand and assess their applications’ risk posture. This knowledge adds value and capacity to companies’ existing security teams, which increases confidence and peace of mind to focus on driving the future.
Within six months of Black Duck onboarding, we were able to increase our PCI compliance from 40% to 100%."
Application security manager
|Financial firm
Company overview
This Fortune 500 financial corporation is one of the 10 largest banks in the U.S. It needed to
See why DAST remains a primary pillar in a holistic AppSec program
Get insights into the current state of security for web-based apps and systems.
Preview the report