The Challenge
When Peter Yang, Chief Technology Officer, joined CINC, he noticed that the company was using multiple vendors for application security (AppSec). Relying on multiple vendors meant security scans took longer than necessary and slowed the release of software. Since scan results were dispersed across multiple reports, it was also challenging to optimize the AppSec program.
The Solution
Yang, wanting to improve CINC’s AppSec program, searched for vendors that offered an end-to-end cloud-based solution with centralized reporting. Because Yang had used Veracode at a previous company, it made his list of top contenders. Ultimately, Veracode was selected for its all-in-one SaaS platform, robust reporting capabilities, and its seamless integrations into the most widely used development tools. “Our platform houses a lot of personally identifiable information, so picking the right AppSec vendor was vital. We wanted an end-to-end AppSec solution and we wanted it to be cloud-based. Veracode fit the bill,” said Yang.
The Results
Since selecting Veracode, CINC has successfully integrated Veracode Static Analysis (SAST), Software Composition Analysis (SCA), and Dynamic Analysis (DAST) into its software development lifecycle (SDLC). It took a few months to get developers up to speed, since CINC was new to DevSecOps, but developers are now able to write secure code and are introducing fewer security flaws.
The time it takes to release new software has also drastically improved. “By scanning our software early and often, we are preventing rework that could take months,” said Yang. With all the scan results in one, easy-to-read report, CINC is able to capture the right metrics to prove its AppSec success to stakeholders and identify opportunities for process improvements.
To make sure it’s following AppSec best practices, CINC enrolled in Veracode Verified. Veracode Verified gives CINC a holistic, objective view of its AppSec program success. With a third-party assessment, CINC can evaluate its AppSec program, track the maturity of the program, and chart a path forward to take its most critical applications to higher tiers over time. Plus, by being a member of Veracode Verified, CINC gets a seal to post on its website proving its dedication to securing its applications. “Veracode Verified has given us a strong competitive advantage. When customers look up association management solutions, we are the only company in that space with a Veracode Verified AppSec program. It sets us apart and helps us gain customer trust,” said Shea C. Dittrich, Senior Vice President of Sales and Marketing at CINC.
CINC plans to continue working toward maturing its AppSec program and hopes to achieve the highest tier in the Veracode Verified program – the “Continuous” tier. As part of its efforts toward continuous AppSec improvement, CINC plans to further train developers in secure coding best practices and remediation tactics and implement Veracode Manual Penetration Testing. “Our customers are our top priority, so it’s vital that we not only provide them with the best solutions but also the most secure solutions,” explained Ryan Davis, Chief Executive Officer at CINC. “At CINC, security is – and will always be – of paramount importance.”