start portlet menu bar end portlet menu bar
Success Stories Search
Success Stories Filter
Restful
3M Story
VELCO
Firepro Systems
European Cricket Network
Global Safe Travel
volt-mx-state-government
WWE
Volt MX Government
Anonymous Retail Customer Story
KUHN
Commerce Retail
Bonnell Aluminium
PD Hook
Ambleglow
Novotex Italiana
Streebo
Penn Vet
Iperceramica
A1 Telekom
Swiss Red Cross
Arvid Gjerde
Vössing spurs efficient
acubiz story
Pakistan State Oil
TATA AIA Insurance
Global Information Technology
Power Metal
Augusta
State of Ohio
Verve
Afrisam Paves
vcc
bcbst
Corlett-Wellstone
Elektronabava-1
Global Marketing and CPG
HCL Volt MX Insurance Demo
HCL Volt MX
National Retailer
Cyber Security
Health Insurance Company
Electric Utility Company
Credit Union
Türk Telekom
HCL AppScan Telecommunication
HCL AppScan IT Customer Story
DX Insurance
DX Bank
HCL Accelerate IT
dryice-enables-automated
dryice-reduces-vm
dryice-german-energy
dryice-reduced-server
Exacto enables smart data
Exacto kicks automation into overdrive
Exacto Learn how Husqvarna mowed-down
Marzotto Sim
Nolte Kuchen
HCL AppScan Education
ESM
Connectria
AIS | HCL Software
Low Code Chemical
Australian Energy company
Rheavendors Group
Malayala MANORAMA
Higher Education Logo Page
Al-Futtaim
Volt MX Government Services
Volt MX Utility Water
DX Edison
DX Ipiranga
VMX Pestcontrol
South Seas Data
Lufthansa
US State Government-1
Top Global Manufacturer
Wavestrong Partner Success Story
Z Home Auto Insurance
Mondelez International
Major Restaurant Franchises
BMO
Energy DX
Technology Company DX
Biopharmaceutical Company DX
Healthcare Insurance Nippon
DX Grocery
Domino Boge
Aeronautic Onetest Embedded
Dportenis
BigFix Reynolds
Neovad Bigfix
Aftermarket Cloud FSM Offhighway
Aftermarket Cloud Robotics
Aftermarket Cloud Bus Manufacturer
Aftermarket Cloud Construction
Advancing Avionics DevOps Test
  • Contact us

    • What we achieved

    • Zero Configuration deployment process

    • Leveraged existing processes in the SDLC

    • Detailed security vulnerability records

    To who

    • Industry: Information Technology

    • Products: HCL AppScan

    • Region: North America/US

    Overview

    • Part 1

      Challenge

      Our customer was faced with the following business challenges:

      Improving the security protection of their products without disrupting the current SDLC process.

      Reducing the probability of a security issue that could delay shipping of new versions.
    • Part 2

      Solution

      Integrate IAST into the customer’s existing QA process and leverage automatic, manual and sanity tests to extend Application Security Testing (AST) coverage and transform DevOps to DevSecOps.
    • Part 3

      Results

      Improved AST coverage and remediation processes, due to informative records of security issues such as full call stacks and exploit examples that are reported by the IAST agent.

    The Challenge

    Business Case for IAST

    The company was already utilizing DAST as part of their SDLC, mostly in the late stages. This common practice provided good results, but had several downsides to it:

    • When a significant security vulnerability was discovered, it caused a delay in the release, since DAST was introduced as one of the last steps before a new version was shipped. Remediation efforts for security vulnerabilities were high due to the DAST scanner's less detailed information.
    • There was a significant time gap between writing the code and discovering vulnerabilities.

    We were surprised by the deployment process. We were expecting something more complicated than deploying a WAR file to our Tomcat!

    Technical Manager DevOps team

    The Solution

    Integrating IAST

    The company has an extensive Quality Assurance (QA) process due to its codebase's size and complexity. The QA process includes automated and manual testing that ranged from simple sanity scenarios to complicated edge cases. Every new version also added more functionality, so further tests was introduced into the QA process.

    The QA infrastructure is Docker-based and orchestrated using Jenkins. Since the team didn't want to change their existing containers, they decided to integrate IAST by using a simple script that utilizes AppScan's APIs to download and deploy the agent to the web server, after applications are successfully built and published.

    The amount of information I receive per issue is beneficial for the prioritization and remediation process.

    System Architect

    The Results

    Effects

    A significant benefit that developers instantly reported was the amount of information the security vulnerabilities contained. Having the line of code that originated the issue, along with an example of an exploit that triggered it, reduced remediation efforts significantly. Since the QA process is adjacent to the development process, the code changes that resulted in new security vulnerabilities are fresh in developers minds when approaching to resolve security issues.

    Another benefit that the security team reported was reducing issues detected in DAST scanning, since the QA process now helped to resolve issues earlier in the SDLC.

    From a maintenance perspective, the Security and DevOps teams were impressed since integrating the IAST agent only requires a single straightforward script, and the agent itself is evergreen (meaning that it updates automatically). Another great thing is that the QA team can keep adding new tests for every new functionality it develops, keeping AST coverage up to date with every new version. The process keeps improving as a byproduct of the SDLC itself.

    About the company

    Due to the cybersecurity domain's sensitive nature, the company requested to stay anonymous in this particular case study. The company is a software company in the IT e market that provides services to SMBs and large enterprises.

    The technology stack used in this case study is:

    • Java
    • Tomcat
    • Docker
    • Jenkins
    Download Story

    Related Capabilities

    digital transformation case

    Business & Industry Applications

    Robust business applications designed to set a new benchmark in organizational efficiency. Encompassing marketing, e-commerce, value chain, and behavioral insights.

    Learn more
    automation solution

    AI and Intelligent Operations

    AI and automation combined with simplicity, security and ease of use — empowering you to make informed decisions, predict market trends and enhance agility and efficiency to an unprecedented degree.

    Learn more
    enterprise it security

    Total Experience

    TX software that interconnects the best to solve the most complex challenges organizations face, incorporating customer experience (CX), employee experience (EX), user experience (UX) and multi-experience (MX).

    Learn more

    Data and Analytics

    The tools you need to distill complex data into clear, actionable insights — to predict outcomes, profile customers, optimize operations and identify new opportunities through data patterns and market analysis.

    Learn more

    Cybersecurity

    Vulnerability detection, mitigation and remediation solutions that deliver secure DevOps and compliance from application to endpoint.

    Learn more