The client was faced with the following challenge: Being able to test roughly 4,000 applications, both employee and customer-facing. The client also needed to verify post-development that their applications had been developed securely, without security gaps that could potentially lead to breach vectors within the enterprise.
HCL offers several commercial options to meet clients’ licensing needs, and they are either SaaS-based or on-prem-based. A workshop was initiated to understand the client’s requirements, their current state and their aspirational state. We architected a solution to meet the client’s needs with HCL AppScan Enterprise, our on-premise dynamic application security testing solution.
The client realized greater value through our ability to act as a trusted advisor in developing an end-to-end solution to meet their needs. We established a true partnership and stayed synchronized throughout strategic roadmap updates, where we discussed our latest research and development efforts and sought input and validation about HCL’s progress in meeting the future needs of the client and the industry.
Our client is one of the world’s largest telcos and they offer the following services: mobile, 5G, internet and networking, IoT, Voice and collaboration, cybersecurity, cloud, content and entertainment and digital capabilities.
The 4 challenges they faced were:
Concern with their existing enterprise production application infrastructure’s vulnerability to attacks.
Existing tools were slow and difficult to manage, because of the large scale of their applications.
Existing tools did not support modern web applications, such as new languages and web application frameworks and technologies that they were developing.
Existing tools could not be automated to plug into their continuous integration pipeline.
As a result, they were looking for a more sophisticated application security platform that could support today’s modern web applications technologies such as secure APIs and new application frameworks such as reactJS. They were also looking for a solution that offered enterprise-class scalability without slowing them down and the ability to handle large amounts of data, along with integration into their DevOps pipeline. That would enable our client to scan consistently and frequently, so vulnerabilities could be caught earlier in the lifecycle, resulting in lower development costs. Such an approach also reduced overhead, since a lot of the testing could be automated, with a significant reduction on teams’ requirements to manage testing.
Scaling up and optimizing customer experiences
AppScan Enterprise allows the client to test their modern web applications, analyze their entire applications for accurate results and have the confidence that the platform is testing their applications against an extensive list of vulnerabilities to confirm that applications are secure. Our solution was able to scale up to the client’s large workload, integrate into their DevOps pipeline to be able to incorporate their dynamic application testing into their software development lifecycle, while meeting their requirements for optimized development practices that incorporate security as foundational.
The HCL application security team, comprised of lab services and advocacy, established a center of excellence that would provision the enablement materials and best practice approaches for use of AppScan Enterprise. This was a critical element to leverage productive use and master functionality of the platform. It would establish the prerequisite skills to onboard and ramp up a consistent and optimized use of the tools and ensure desired standards, governance and outcomes.
In addition, we integrated AppScan Enterprise into the client’s DevOps pipeline, enabling dynamic application security testing more frequently and consistently. This helped in the process of shifting left, by incorporating security earlier in the software development lifecycle, in order to catch and fix vulnerabilities more effectively. We also developed a process to capture metrics on applications that enabled transparency to the quality of the scans based on breadth, scope and a few other scan factors. Additional benefit was realized on visibility into the risk posture of every application we tested, specific vulnerabilities that affected each application tested and whether vulnerability remediation was addressed.
Synchronizing between roadmaps
The client realized greater value through our ability to act as a trusted advisor in developing an end-to-end solution to meet their needs. We established a true partnership and stayed synchronized throughout strategic roadmap updates where we discussed our latest research and development and sought input and validation of HCL’s progress in meeting the future needs of the client and the industry.
The solution we architected and implemented to roll out a dynamic application security testing program added value in the following ways:
Improved efficiency by allowing the client to scale up a large number of applications that needed to be tested and evaluated.
Shifted Development left to run scans earlier and more frequently in the software development lifecycle (SDLC), which allowed our client to catch security vulnerabilities earlier. As a result, it reduced development costs.
Enabled the capture of more metrics, which resulted in more informed business decisions.
About the company
The company offers broadband connectivity and high-speed fiber and wireless networks that connect people and businesses across the USA.