
About EcoVadis
Founded in 2007, EcoVadis is a purpose-driven company providing globally trusted sustainability intelligence on an interactive platform to help organizations comply with ESG regulations and improve the sustainability performance of their value chains. To deliver on this, EcoVadis has developed multiple platforms, including Risk scanning, which processes millions of data points to scan 2.5 million suppliers worldwide, and EcoVadis Sustainability and Carbon Ratings, which collect thousands of data points from each supplier; these are processed by more than 500 AI-assisted analysts in its back-end platform to create easy-to-use ratings and scorecards. Procurement and supply chain functions, which are the primary users of EcoVadis’ enterprise platform, have been in a process of digital transformation over the past decade. EcoVadis has therefore also cultivated a rich ecosystem of ProcureTech partners, who integrate with the platform via API, to bring sustainability insights to purchasing, risk management, reporting and other functions across the organization.
Executive Summary
The collaboration between security and development teams at EcoVadis, facilitated by Veracode, has led to significant improvements in their application security program and overall security posture.
By integrating security measures directly into the development lifecycle, EcoVadis has enhanced the detection and remediation of vulnerabilities, ensuring issues are addressed promptly. This integration has fostered a culture where developers view security as a collaborative partner rather than a hindrance, leading to more agile and effective interactions.
Francisco Sánchez Nauffal, IT Security Director at EcoVadis, notes: “The use of Veracode’s unified platform has streamlined the process of identifying and escalating security issues, providing clear visibility to both developers and management.” As a result, EcoVadis has achieved a more mature and cooperative security culture, which is crucial for maintaining the integrity and trust of their digital interactions with customers.
Challenges Before Veracode
The Road to Success
At the outset, as the process matured and gained visibility at EcoVadis, it became increasingly challenging to identify the best starting point for addressing security issues. The team turned to Veracode Support to help set the right priorities during the customer onboarding process, which was crucial in maximizing the value of the solution.
Additionally, EcoVadis needed to ensure that security scans were conducted as close to the developers as possible, fostering cooperation with development teams to maximize the purpose and value added by Veracode. This approach helped in detecting issues early, making them easier to remediate.
Furthermore, engaging developers in their security learning was essential, which was achieved through a comprehensive onboarding process and live sessions showcasing detected flaws and their potential impacts.
The Veracode Solution in Action
Veracode significantly enhanced EcoVadis’ application security posture to help manage the risk of breaches and comply with regulations. By integrating security early in the development lifecycle, they were able to detect flaws early, facilitating easier remediation.
Static Application Security Testing (SAST) and Software Component Analysis (SCA) are now automated security practices across EcoVadis’ rapidly expanding application attack surface. Veracode’s unified platform streamlined the detection and escalation of security issues, providing necessary visibility to both developers and managers. This improved communication and collaboration between development and security teams, transforming security from a gatekeeping function to an integral part of the team.
Additionally, Veracode’s platform supported EcoVadis in presenting security posture information effectively to the board, highlighting a decreasing trend in issues while maintaining steady growth, thus demonstrating the added value of the security function.
Results
EcoVadis has achieved significant results from its investment in Veracode solutions. The primary outcome has been gaining clearer visibility into their vulnerability landscape, which was previously challenging with other security platforms.
“This enhanced visibility has enabled EcoVadis to prioritize and remediate vulnerabilities based on their criticality effectively. Additionally, the integration of Veracode into the development lifecycle has facilitated the detection of defects closer to the development teams, improving the overall security posture,” adds Sánchez Nauffal. The collaboration between development and security teams has also matured, with developers viewing security as an integral part of the team. This has led to faster reactions to security issues and improved communication and cooperation.
Furthermore, the use of Veracode has helped EcoVadis to present security trends and improvements to the board in a comprehensible manner, highlighting the value added by the security function as the company continues to grow.
“The integration of Veracode into the development lifecycle has facilitated the detection and remediation of flaws closer to the development teams, improving the overall security posture.”
Francisco Sánchez Nauffal
IT Security Director, EcoVadis