Different industries, similar challenges
LeoVegas is a leading online casino operator focused on mobile gaming technologies; it relies on its websites and applications to deliver gaming services while securely processing user data and financial transactions. MullenLowe Profero is a digital transformation agency that builds web applications, ecommerce solutions, and CRM systems for clients worldwide. Despite the very different industries, web application security is a fundamental and non-negotiable business requirement for both companies, and both were struggling to align their application security testing with the pace of agile web development.
The need for efficient in-house security testing
MullenLowe Profero used to outsource security testing for the systems and applications it developed for clients, ordering third-party vulnerability scans when needed. However, this approach was not the best fit considering the requirements of agile development, especially for repeated security testing at different stages of the application lifecycle. Alessandro Grena, CEO of MullenLowe Profero China, clearly saw the need to bring this process in-house: “Considering the costs and the inflexibility of using external providers, we really needed our own solution.”
LeoVegas, on the other hand, did already use in-house security testing but was looking for a way to efficiently integrate the process with its CI/CD pipeline. Being familiar with similar solutions on the market, LeoVegas chose Invicti for its flexibility and out-of-the-box integration with development automation and collaboration platforms already used in the company. Scan accuracy and built-in reporting capabilities were also important, especially considering that LeoVegas processes financial transactions while operating in a highly regulated industry.
Building Invicti into the development pipeline
Integrating application security testing into the development process was a matter of using Invicti’s built-in integration support for industry-standard issue trackers and automation platforms, a time-saver appreciated by both LeoVegas and MullenLowe Profero. Security scans can now be triggered at any stage of the build pipeline, with Invicti automatically creating developer tickets for confirmed vulnerabilities, so unconfirmed findings do not generate tickets that developers then have to triage.
Both companies also made use of Invicti’s deployment flexibility to precisely align vulnerability scanning with their internal and geographic divisions. By deploying additional scanning engines (scan agents) to test specific environments or run tests in parallel, they were able to shorten scan times while maintaining maximum test coverage. Just as importantly, scans can now be launched and processed whenever needed without slowing down the development pipeline.
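The gating pattern described in this section, as an added illustration that is not code from the original page and not Invicti’s own API or result format: a build step takes the output of a pipeline-triggered scan, fails the build only on confirmed findings at or above a chosen severity, queues unconfirmed findings for human review rather than for tickets, and deduplicates confirmed findings before turning them into tracker tickets. The JSON shape, field names (`confirmed`, `severity`, `url`) and the sample findings are all constructed for this example.

```python
"""Build-gate logic for a pipeline-triggered DAST scan.

Illustrative only: the result format below is an assumption made for this
example, not the schema of any particular scanner.
"""
import json

# Constructed sample scan output (assumed shape, not a real scanner's format).
SAMPLE_SCAN_RESULT = json.dumps({
    "scan_id": "example-scan-1",
    "findings": [
        {"id": "f1", "name": "SQL Injection", "severity": "critical",
         "confirmed": True, "url": "https://app.example/login"},
        {"id": "f2", "name": "Missing X-Frame-Options", "severity": "low",
         "confirmed": True, "url": "https://app.example/"},
        {"id": "f3", "name": "Possible XSS", "severity": "high",
         "confirmed": False, "url": "https://app.example/search"},
        # Same issue reported twice (e.g. two parameters on one endpoint);
        # it must become one ticket, not two.
        {"id": "f4", "name": "SQL Injection", "severity": "critical",
         "confirmed": True, "url": "https://app.example/login"},
    ],
})

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def parse_findings(raw_json):
    """Parse scanner output into a list of finding dicts, validating fields."""
    doc = json.loads(raw_json)
    findings = []
    for f in doc.get("findings", []):
        sev = str(f.get("severity", "info")).lower()
        if sev not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {sev!r} in finding {f.get('id')}")
        findings.append({
            "id": f["id"],
            "name": f["name"],
            "severity": sev,
            "confirmed": bool(f.get("confirmed", False)),
            "url": f["url"],
        })
    return findings


def gate(findings, fail_on="high"):
    """Decide whether the build passes.

    Only confirmed findings at or above `fail_on` block the build; unconfirmed
    findings are returned separately so a human can review them without the
    pipeline stopping on a possible false positive.
    """
    threshold = SEVERITY_RANK[fail_on]
    blocking = [f for f in findings
                if f["confirmed"] and SEVERITY_RANK[f["severity"]] >= threshold]
    for_review = [f for f in findings if not f["confirmed"]]
    return {
        "passed": not blocking,
        "blocking": blocking,
        "for_review": for_review,
    }


def ticket_payloads(findings):
    """Build one tracker ticket per distinct confirmed (name, url) pair."""
    seen = set()
    tickets = []
    for f in findings:
        if not f["confirmed"]:
            continue  # unconfirmed findings never become developer tickets
        key = (f["name"], f["url"])
        if key in seen:
            continue
        seen.add(key)
        tickets.append({
            "summary": f"[{f['severity'].upper()}] {f['name']} at {f['url']}",
            "labels": ["security", "dast", f["severity"]],
            "finding_ids": [x["id"] for x in findings
                            if (x["name"], x["url"]) == key],
        })
    return tickets


if __name__ == "__main__":
    parsed = parse_findings(SAMPLE_SCAN_RESULT)
    result = gate(parsed, fail_on="high")
    print("build passed:", result["passed"])
    for t in ticket_payloads(parsed):
        print("ticket:", t["summary"], t["finding_ids"])
    raise SystemExit(0 if result["passed"] else 1)
```

In a real pipeline the `SAMPLE_SCAN_RESULT` string would be replaced by the scanner’s actual report, and `ticket_payloads` output would be posted to the issue tracker; the point of the gate is that the exit status depends only on confirmed findings, which is what lets a scan run on every build without blocking it on noise.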
Reaping the benefits of an agile application security process
In the world of agile web development, security testing cannot be timely and effective unless it is also agile. With so many companies now doing their own web application development, keeping application security outside the development process is proving ineffective, frustrating, and costly. It is clear that deep integration with development workflows is the way to go, but the complexity of real-world web environments coupled with the rapid pace of development has left many organizations struggling to keep up.
Modern dynamic testing solutions such as Invicti are now making it possible to build comprehensive, accurate, and automated security testing into the software development lifecycle (SDLC). By improving the accuracy and efficiency of security testing, often by an order of magnitude compared to previous workflows, Invicti helps customers such as MullenLowe Profero and LeoVegas improve application security and get measurable value from their investment.
With streamlined vulnerability testing and issue resolution, organizations can spend less money on external testing and help their security engineers and developers work more efficiently by reducing communication overhead and noise in test results. Geoffrey Spiteri, Senior Group Security Engineer at LeoVegas, sums it up best: “With Proof-Based Scanning technology, we are now spending more time on fixing real issues rather than verifying whether a vulnerability is a false positive or not.”