Protecting High Worth Private Data - How one Financial Services Company Increases Security & Customer Retention

CUSTOMER CHALLENGE

A top five US commercial bank with a leading global financial services business, offering investment banking, financial services, commercial banking, financial transaction processing, asset management, and private equity, was known for innovative client solutions, including advanced Web-based services.

Recognizing the value of securing the broad array of online services, the organization's Center of Excellence was tasked with obtaining a best-in-class solution which would allow them to quickly identify and remediate vulnerabilities in their large number of diverse business applications.

A particular business driver for this project was the need to protect high value private data through more secure applications. This required the team to analyze greater volumes of source code in order to lower business risk. They would need to analyze and manage results for many large applications, and then manage security policy and trend analysis for a broad business application portfolio.

The customer sought to replace an existing solution that could not produce the desired results. The time the tool required to analyze code and to work through a high volume of false positives was problematic, and its lack of further insight into the security profile of the complex combination of integrated business applications caused lags in productivity.

In reassessing their requirements and searching for another solution, the customer determined that an ideal solution would be a single, integrated set of products which would meet the needs of multiple roles equally well.

SOLUTIONS & RESULTS

Other commercial and open source tools promising to support the customer's objectives had proved insufficient. After extensive investigation and evaluation in live deployment, only Ounce Labs was able to provide the combination of products and company backing that met business requirements, security initiative goals, and end user acceptance.

Unlike other products, Ounce was able to rapidly analyze large amounts of code, utilizing its patented, compiler-based technology to assess the code and provide detailed results. Installation and setup were rapid, and results were being used for remediation in a surprisingly short period of time.

Developers embraced the Ounce Developer Plug-in. Of particular interest was the product's ability to separate confirmed vulnerabilities from false positives, providing accurate, concise results that could be remediated rapidly. Coupled with a lack of false negatives, this translated into fewer manual audits and increased confidence.

Managers and executives were most interested in the Ounce Portfolio Manager and SmartAudit™ Reports as a means to centrally manage policy according to the unique needs of the distributed projects. The product's management dashboard and report templates would allow them to rapidly assess their software's security state and clearly report to other areas of the organization, as well as helping to satisfy data security compliance requirements mandated by such regulations as Sarbanes-Oxley, GLBA and the PCI Data Security Standard.

As a result of replacing previous products with the Ounce Labs solution, stakeholders across the development lifecycle are now able to identify and remediate vulnerabilities more effectively.

Ounce Labs eliminated painfully difficult and slow build and analysis times experienced with other products, offering substantial improvement in the integration with builds. This ease of integration in the mixed language build environment led not only to greater user acceptance, but also an improved return on investment.

The company's security code auditors are now executing more accurate, effective and productive security audits, obtaining deep insights into application security risk profiles. The Ounce SmartAudit™ reports, such as the OWASP Top Ten report, provide unique insights into the application risk profile. This empowers auditors and security leads in a manner that saves time and increases effectiveness. With Ounce, managers are able to more effectively set and enforce security priorities for individual applications and software projects. They now track vulnerability trends across multiple applications in a manner that allows measurement against business objectives and adherence to regulatory compliance guidelines.

Software developers are able to utilize secure coding best practices as part of their daily routine. Because the Ounce solution delivers confirmed vulnerabilities and precise remediation advice, developers are able to focus on specific issues pinpointed in their code, instead of wasting time interpreting large sets of false positives.

The customer was also able to leverage the deep security expertise available at Ounce Labs, benefiting from custom training. As a valued partner, Ounce was able to tailor services to the customer's specific needs, improving security competency with a minimal time investment.

The end result is ever-increasing security for their customers, which translates into greater customer retention, reduced software maintenance costs, and increased compliance with internal and industry security requirements.
