OpenText 主页。

About Sage

Sage provides accounting, human resources, and payroll for every business type and size. Based in Newcastle, UK, Sage serves millions of customers across North America, Europe, Africa, Middle East, and Asia-Pacific, with revenue growing at over 10% a year.
Person reviewing a digital invoice on a tablet while working at a desk with a laptop
  • Employees:
    11,170
  • Annual Revenue:
    £2.5 billion
  • Founded:
    1985

Summary

Challenges

  • Millions of customers rely on secure applications for mission-critical tasks.
  • Complex desktop, server, cloud, and mobile environment to secure.
  • High-volume and emerging threats from AI added complexity.

Solution

  • Extended Fortify on Demand across the enterprise.
  • Introduced SAST early in the software lifecycle.
  • Deployed AI technology to help eliminate vulnerabilities.

Results

  • Gained a single point of management for AppSec
  • Reduced time and effort with shift-left testing
  • Added peace of mind around security

Challenges

  • Millions of customers rely on secure applications to run mission-critical tasks
  • Complex desktop, server, cloud, and mobile application environment
  • Emerging AI-powered threats generate new security challenges

Millions of business customers worldwide rely on Sage for mission-critical accounting, finance, and human capital management software. Naturally, with sensitive commercial and personal data being processed daily, security is essential. Across some 250 applications, from desktop software through server, cloud, and mobile apps, Sage faces a significant challenge in keeping its complex portfolio protected against emerging threats.

Richard Newbould, Senior Application Security Specialist, said, “The most important thing to Sage Group plc is most definitely the customer. We want to make sure the customer has the best journey and the best solution to solve their problems. In a fast-paced, cloud-connected world with lots of outside threats, we want to provide the most secure and safe product the customers can use, with the best functionality.”

He continued, “There's always a new attack vector, something new to think about, and a new risk. We have software built in the 1980s and cloud-native solutions built six months ago, with everything in between. With such a wide variety of products, no two days are the same.”

Duncan Graham, Application Security Specialist, agreed: “We provide customers with the products that they need to run their business without having to think about the numbers and the complexities. Our products make accountancy, payroll, and human capital management as painless as possible.”

For Sage, competing in the global economy, application security is more than a technical concern. Security breaches erode trust and reduce the pace of innovation, both of which potentially damage revenue.

Graham added, “Security has changed from being an end-of-design stage with a pen test to an integral part of the security lifecycle. For that, we look for the best tooling that can help us deliver on our customer promises.”

Two developers working on computers in an office

As AI threats become more prevalent, we value our ongoing relationship with OpenText, who are helping us secure Sage as we move forward.

Duncan Graham
Application Security Specialist, Sage

Solution

To manage a complex environment with applications written in multiple languages running on diverse platforms, Sage selected Fortify on Demand and OpenText™ Fortify™ Remediation Aviator™.

Products deployed

Services Provided

Extending Fortify on Demand across the enterprise

Sage took time to evaluate a number of vendors, assessing their capabilities and how their tools would integrate with its existing landscape. With multiple products spanning customer needs in an enormous variety of scenarios, flexibility and the range of addressable systems were key selection criteria.

“The great thing about Fortify on Demand is that it provides us with a platform that works with so many different languages and environments. It's a good, reliable tool that is easy to set up and gives good intelligence with minimal false positives,” explained Graham.

“In addition, the solution is easy to configure and works with our vulnerability management tools. It’s no longer just security specialists who are using the toolset, it's the whole product development team who are comfortable using it and are learning from it.”

Introducing SAST early in the software lifecycle

The main challenge for Sage was to integrate Fortify on Demand with the existing software development lifecycle. Sage wanted to help developers build code securely from the outset rather than retrofitting security measures after penetration testing.

Newbould added, “One of the big challenges is the requirement to shift left, to bring security earlier into the development chain. Fortify on Demand gives us that functionality, because we can run static application security testing as soon as we start writing code. By having that at such an early stage, long before we hit any release timeframe, we know that the code is safe and secure.”

Deploying AI technology to help eliminate vulnerabilities

For any testing program, working through false positives can become a significant drain on developer time. Finding the appropriate level of sensitivity in vulnerability detection is particularly important to Sage as it seeks to balance productivity and workflow with security standards. Fortify Remediation Aviator helps the company identify threats based on the power of advanced machine learning models, enabling busy developers and security professionals to focus more on productivity and customer satisfaction.

Graham commented, “We selected Fortify Remediation Aviator, which gives us the opportunity to eliminate false positive findings and direct the team to the issues that really matter.”

Team members collaborating at a workstation while reviewing information on computer monitors

The OpenText partnership is friendly and open, and whenever we've had issues, the speed of support has been outstanding. We certainly trust OpenText as a strategic partner for Sage.

Richard Newbould
Senior Application Security Specialist, Sage

Results

By combining static and dynamic application security testing, the OpenText solutions help Sage protect its global user base while optimizing internal developer workflows.

Gained a single point of management for application security

The OpenText technologies enable Sage to scan legacy and modern applications for a broad range of potential security issues within a single toolset. DAST and SAST can be integrated into CI/CD pipelines or run as one-off scans on completed projects. For all use cases, products, and security requirements, Sage can detect, diagnose, and resolve potential application security issues from a single point of control.

Graham said: “Fortify on Demand helps us with a number of challenges across many environments and development languages. We scan at every pull request, which gives us very, very early warning of any potential vulnerabilities or improvements that could be made. In this way, the solution teaches us to improve our processes from the very start.”

Reduced time and effort with shift-left security testing

The ability to scan for security issues earlier in the development lifecycle saves significant time and effort for software teams across Sage. By the time release builds are created, Sage is already confident that the code is secure—which translates into fewer sleepless nights for developers.

“We often talk internally about the rule of ten,” said Graham. “An issue that takes one person an hour to fix in development typically takes ten hours to resolve at the testing stage, and another ten times that if it gets into production. With Fortify Remediation Aviator in particular, we're finding vulnerabilities much sooner, fixing them earlier in the software development lifecycle, and discovering fewer vulnerabilities during pen testing.”

Added peace of mind around security

By bringing security management into one place with OpenText, Sage has gained greater system-wide visibility of potential vulnerabilities. The senior leadership trusts the findings generated by the OpenText tools, which in turn gives confidence to global customers using Sage products.

Graham said, “As AI threats become more prevalent, we value our ongoing relationship with OpenText, who are helping us secure Sage as we move forward.”

Newbould added, “The OpenText partnership is friendly and open, and whenever we've had issues, the speed of support has been outstanding. We certainly trust OpenText as a strategic partner for Sage.”

Looking to the future, Sage is now rolling out Fortify DAST to protect its web applications. Newbould said, “We chose OpenText Fortify DAST in part because of the existing fantastic relationship with OpenText; it felt like a natural fit. The massive benefit was the fact that we could run our own macros to set up the authentication part of accessing a web application, which was far superior to other marketplace offerings.”

Blog

Cybersecurity illustration with bug detection, servers, cloud, and security shield

Secure smarter, not harder with AI-powered code fix suggestions

With AI that shows the code fix, not just the flaw, Fortify Remediation Aviator is more than just a tool—it’s a developer’s personal security champion that empowers development teams to release secure software faster and with greater confidence.

Read the blog