Fortune 500 Healthcare Services Needs Integrated Application Security
One of the largest healthcare providers in the U.S. needed help with their application security. Governed by HIPAA, PCI and innumerable other regulations, they struggled to ensure that their applications were being sufficiently – and efficiently – tested for security vulnerabilities. The security team was overburdened and over scheduled, so scans were delaying production deployments. And the handoff from security testers to developers was clumsy, leaving it unclear whether vulnerabilities were real, how they should be fixed, and if they were fixed at all.
Winmill worked with this company to integrate Acunetix, one of the leading Dynamic Application Security Testing (DAST) tools, into their complex Software Development Life Cycle. We were able to help the company “shift left,” enabling developers to test and remediate in their own environments, prior to deployment. Findings were integrated into a centralized tracking system. We provided training to help them prioritize results, weed out false positives and remediate the real problems.
The project was wildly successful – deployment cycle times were dramatically reduced, time to remediation was dramatically reduced, the amount of code being scanned was dramatically increased, and the company now has clear visibility into the security status of its applications.
- The business unit’s security team held full control of application security testing operations. Application security testing was taking place very late in the SDLC.
- Scan results were being provided to development teams weeks and even months after changes to code had been committed.
- The application development team supports a massive (over one million lines of code), home-grown, client-facing application that is deployed across several hundred affiliated websites. The application has hundreds of third-party dependencies and offers tight integration via REST API for hundreds of partner companies.
- Applications in this company’s production and staging environments require SMS multi-factor authentication to log in, making the automation of application security operations significantly more difficult.
- The company did not have a continuous integration or deployment architecture in place that could be used to facilitate automated application security scanning.
- Winmill helped this company to evaluate scanning solutions, ultimately recommending Acunetix for DAST scanning. We performed a Proof of Concept to ensure the solution was viable, and then proceeded with installation, application onboarding and configuration. Scanning operations were shifted left into the QA environment, eliminating the need for multi-factor authentication for the majority of scans taking place.
- We trained the developers to use Acunetix, and taught best practices to designated Security Champions on the development team.
- We helped to integrate Acunetix into the company’s SDLC, including the configuration of a direct connection between Acunetix and Jira. We established remediation strategies and best practices, which were also incorporated into the SDLC.
The Health Care Provider’s development teams and security teams are now working together in an integrated, efficient, and secure DevOps architecture. Developers run scans before posting. Managers from both teams can schedule recurring scans and run immediate scans. As new applications are built, they are automatically incorporated into the secure DevOps architecture. When scans are completed, an application owner is automatically notified, and tickets are automatically created and assigned in Jira. Developers and application owners can retest specific vulnerabilities to confirm remediation, instead of re-running full scans against an entire application.
Applications are scanned (and remediated) before being delivered to production, eliminating the bottleneck of post-development/pre-production scanning. Deployment cycle times have been dramatically reduced.
Having shifted daily scanning responsibilities to the developers, the security team is able to focus more on strategic security planning and execution.
The number of application security scans being run has increased by more than 200%.
The mean time to remediation has decreased by more than 50%.