As head of the product department at Azalea Health, I need to understand what our market needs. Based on the conversations that we've had with hospitals and clinics, enterprise-grade security is something they desperately need but rightfully expect their EHR system to provide. That’s why it’s important for our organization to take the responsibility of securing health data off their shoulders.
Because healthcare providers rely on Azalea software to manage patient health records and personal information, our security program starts when the software is being developed. We’ve always been diligent about software security, and we run penetration tests on a regular basis. However, after we moved our 100 percent cloud-delivered model to AWS in 2021, our focus on security intensified. We recognized the need to catch issues earlier in the development process—before they even got to our staging servers. For us, it was important to find a solution that integrates security into every stage of the software development life cycle.
Finding and validating the right solution to secure our software
We began our search for an application security solution by first consulting the Gartner Magic Quadrant and evaluating four of the leading vendors in the Application Security Testing category. We were favorably impressed to find Veracode a nine-time Leader in this category, and after our vendor evaluation, we ultimately selected the Veracode Continuous Software Security Platform™. Our decision was based on four key points:
First, the Veracode platform supports the languages we use in our application suite and it is compatible with our cloud-based architecture, meaning we could integrate it in a way that did not slow down our deployments.
Second, Veracode is also based in the cloud, so our Bitbucket pipelines were not affected. We could do our continuous integration and continuous deployment and still scan 100 percent of our code without negatively impacting those CI/CD loops.
The third major piece that brought us to Veracode was eLearning and Security Labs. These solutions gave us a way to help train our engineering team on how to design more secure code at the outset and not rely heavily on the scan to catch any potential issues. We also liked that Security Labs provided some great coding examples to accelerate the learning and therefore accelerate our SDLC process.
Finally, we chose the Veracode platform because of its accuracy. In our proof-of-concept between Veracode and one other leading contender, Veracode returned fewer false positives. The signal-to-noise ratio was much higher with the Veracode platform, meaning that when we saw issues in the Veracode reports, it was much more likely they were actual issues, which would make it a lot easier for us to act on those findings.
Impact on our day-to-day software development
When we began implementation of the Veracode platform, technical personnel from Veracode came in and worked right alongside our team to help us establish the scanning process on our first repository very quickly. Then, based on that template, we were able to iteratively roll out the scanning to our other repositories, and over the course of just a few weeks we were scanning everything in the Azalea code base using Veracode. It was very seamless.
Because Veracode fit into our existing software development processes, and with the integrated training provided through eLearning and Security Labs, adoption has been relatively quick and continues to grow. The learning tools and tips available from eLearning and Security Labs also bring greater security awareness and strategies our software engineers can leverage to code more securely from the outset.
Now that most of our developers have been using the Veracode platform for some time, we’ve seen the value in the form of improved development productivity and efficiency. For example, engineers aren’t wasting time chasing false positives, which allows them to focus on code issues that genuinely require attention. That helps us accelerate development timelines and produce higher-quality, more secure application software for our customers.
Having the Veracode platform to scan our software for potential issues, and to make sure we're up to date as new security threats present themselves, puts us in a much stronger position to ensure software security for our customers. We also use Veracode Verified to help build trust and confidence with our customers. It provides a “seal of approval” from a third-party perspective that we’re following application security best practices and doing everything possible to keep our software and customer data secure.
Advice for your application software security journey
Our team at Azalea Health has had a very positive experience working with Veracode throughout our journey to strengthen application security. If I were to offer advice to anyone else taking their first steps on a similar journey, I’d recommend moving quickly into a proof of concept after initially qualifying a short list of vendors.
We found that vendor claims didn’t always hold up when we put their solution to the test with actual code. The only way to know if a solution will truly meet your objectives is to prove it: run scans, see how long they take, how much noise you get back, and whether you can trust the results. That’s what we did and that’s why we’re using Veracode today.
Our job is to take the work and worry of application security away from our customers and make sure they can trust us with their data. With the Veracode platform, we’re able to do just that. It provides us with the tools and the accountability to show our customers on a weekly, monthly and annual basis that Azalea Health is delivering the most secure software we can for our customers.
About Azalea Health
Azalea Health is changing the way health IT platforms connect community-based healthcare providers and patients across the life cycle of care. Offering a 100% cloud-based integrated solution, Azalea delivers electronic health records and revenue cycle management designed for rural and community practices and hospitals. Quick to deploy and intuitive to use, Azalea solutions ensure better care coordination and communication – enabling better outcomes and a meaningful competitive advantage.