Increase the maturity in secure development
The company maintains a solid base of around 4 million users. It handles a large volume of transactions daily, involving managing and exchanging points, impacting all its partners, products, and services. Given the potential for attacks and fraud, an exceptional level of security in its applications is needed to preserve the company's image, profitability, and reliability.
The focus on application security catalyzed this valuable partnership with Conviso. Initially, security experts were needed to assess the applications in development and identify vulnerabilities swiftly to address them promptly.
However, the challenges extended beyond this. As is common in many companies, our client had a small security team responsible for overseeing a large volume of changes and new deployments, and that team was perceived as a bottleneck in the process. Fostering a cultural shift among the professionals involved in software development therefore became crucial, so that security was integrated from the beginning of the development cycle rather than being addressed only in isolated tests.
Creating a culture of secure development
We began our engagement by conducting a pentest on their e-commerce solution to ensure it was ready for launch. The real-time results available on the Conviso Platform enabled the company's team to make agile corrections, preventing delivery delays.
Subsequently, these penetration tests evolved into a recurring format, with over 44 tests being conducted. However, merely identifying issues at the end of the development cycle led to high costs due to late corrections. This led the company to adopt a new service called AppSec Squads.
In this service, Conviso security analysts were integrated into the daily operations of the development teams, playing a crucial role in raising security awareness, supporting the development of an AppSec program, and enhancing the security maturity within the squads and their processes.
Given that the company maintains internal development architects and outsources part of the development, the presence of Conviso analysts became essential in assisting with application threat modeling, defining requirements for secure development, and training the responsible teams.
Improvement in security maturity
Through the services provided by Conviso, our client enhanced their secure development maturity level, reducing the number of new vulnerabilities by 43% and the severity level of threats by 28%.
Security culture: Through training professionals involved in development, security became an essential priority at all stages of the development cycle.
Cost reduction: Integrating security into the early stages of the software development process led to a significant reduction in costs associated with rework and point-in-time testing.
Comprehensive pentests: The collaboration between the Stix team and Conviso’s resources enriched the penetration tests, providing a deeper understanding of vulnerabilities and potential attack and fraud scenarios.
Improved vulnerability management: The Conviso Platform and communication with Conviso analysts enabled comprehensive vulnerability management based on risk management and contextualized approaches. This resulted in greater agility and accuracy in the corrections implemented.