QAD Precision GTTE Mitigates Risk While Accelerating Time to Market
Leading software developer strengthens security across cloud-based development pipelines, with Veracode software security integrated in the end-to-end SDLC.
The Challenge
Intensifying demand for application security in the cloud
Historically, GTTE’s development organization protected its code with perimeter security approaches, such as hardening platforms, to prevent outside intrusion. However, Peter Evans, GTTE’s engineering director, points out, “Moving to the cloud greatly intensified demand to secure our software.”
Evans notes that one of the main challenges all software companies face with application security (AppSec) is embedding it into the daily routine of the company’s developers. This requires the right security tools integrated into the software development lifecycle.
To assure its customers that their data would be protected, QAD Precision reassessed its approach to software security. Evans says, “Customers were very concerned about a breach potentially exposing personally identifiable information and proprietary data. Ultimately, it was the requirements from our customers that triggered our effort to build out a more comprehensive security program.”
The Solution
Shifting left with Veracode’s Continuous Software Security Platform
After evaluating a variety of application security offerings on the market, QAD Precision selected Veracode as its platform of choice.
Evans explains, “Veracode brought a complete platform for us to build security tools into our development pipelines, as well as helped us grow our knowledge to keep getting better at security. Veracode was also a good fit because the platform can scan Java code in the Spring framework where we develop our software.”
Today, QAD Precision relies on Static Analysis (SAST), Dynamic Analysis (DAST), and Software Composition Analysis (SCA) from Veracode. “We’ve gone from reviewing code to integrating continuous scans into our daily pipelines,” Evans says. “Security threats don’t stand still and Veracode provides us the tools to keep up with the latest vulnerabilities and rules.”
Evans adds that Veracode eLearning with secure coding training tools has played an important role in the success of QAD Precision’s AppSec program. “The training has helped upscale our developers to understand changes in the threat landscape. They can then use that knowledge to build more secure software from the outset.”
Results
Strengthening application security and competitive advantage
AppSec is now integrated directly into GTTE’s CI/CD pipelines. Evans notes, “Having Veracode is fantastic because it forces developers to think about security as part of making any change, which reduces regression and helps us get secure software to market faster.”
SCA brings additional value to Precision’s AppSec program by not only identifying vulnerabilities in open-source libraries, but also suggesting updated versions that further reduce risk. “SCA isn’t just telling them about a problem, it’s telling them what they can do to fix the problem.”
The impact of having SCA is illustrated by the growing number of Common Vulnerabilities and Exposures (CVEs) the security industry is identifying. Evans notes, “SCA allows us to track those CVEs in quite a productive way. It’s improved visibility on the vulnerabilities in our third-party libraries so that the team can respond quickly and resolve them in the next sprint.”
Marcos Peña, a software engineer in QAD Precision’s R&D organization, comments on the added value of having Veracode eLearning: “We are always trying to develop new features and functionality. Working with Veracode eLearning has helped me put more focus on software security, and having the tools right there to make security part of the development process helps keep our projects on schedule.”
Becoming Veracode Verified has been another important phase of QAD Precision’s AppSec journey. The Verified program provides an independent “seal of approval” that GTTE follows software security best practices, which is recognized both internally and externally. Evans says, “The Veracode Verified program has crystalized the value of security in the work our developers are doing.”
He adds, “Veracode Verified gives our customers and prospects confidence in choosing GTTE. They see we have an AppSec program in place that is third-party validated, which helps improve our competitive advantage.”
As QAD Precision’s AppSec program continues to mature, Evans acknowledges that security is an ongoing process. “It’s never-ending work,” he says, “and that is even more reason to have a complete software security platform that scales as Precision’s needs and the threat landscape evolve.”
Evans concludes, “If you include security upfront in the software development lifecycle and everyone is used to having that part of the process, it pays dividends down the road.”
“Veracode Verified gives our customers and prospects confidence in working with QAD Precision.”
Peter Evans
Engineering Director, QAD Precision
About QAD Precision
For nearly 40 years, enterprises around the world have turned to Precision Software – now a division of QAD, Inc. – for its Global Trade and Transportation Execution (GTTE) software solutions. QAD Precision built this long track record of success on trust that its software will not only perform with speed and accuracy, but also do so securely.
Securing its GTTE software has always been a top priority for QAD Precision, but moving its software platform to the cloud demanded a modern approach to securing application code.
By adopting rigorous DevSecOps best practices and integrating security early into the software development lifecycle (SDLC), QAD Precision has reduced software regression while improving SDLC efficiency and strengthening its competitive advantage in the global market.