Improved application quality and security by introducing Fortify on Demand as a key part of DevSecOps framework
Focus developers on adding value to applications by moving from an on-premises static code scanning model to a cloud-based SaaS model.
As many business-critical applications within Generali France are customized and specific to the insurance industry, Generali France has built an impressive in-house application development capability. Application security is always a concern and the organization had selected Fortify Static Code Analyzer by OpenText to find any security issues early and fix them at the speed of their DevOps cycle. Xavier Pernot, IS Security specialist at Generali France, explains why this approach needed a rethink: “We love the security Fortify brings to our applications, but the on-premises model did not fit our business requirements very well. Due to limited resources, we wanted to focus on the value that we can deliver in our applications without the need to run and maintain the environment. Our release schedule is quite seasonal as well, and so at certain parts of the year the on-premises environment would be overloaded and we could see a delay when several applications had to be scanned at the same time, whereas other times the environment would not be active at all. It was clear to us that a SaaS model would work much better, but we were worried about data privacy as we would essentially be handing sensitive application data over to Micro Focus (now OpenText).”
OpenText™ is the only application security provider to offer static application security testing on-premises and on demand so businesses can choose the option that is right for them. In this case, Fortify on Demand by OpenText (a SaaS based solution powered by AWS) fit the bill for Generali France. Xavier was reassured that OpenText uses industry standard techniques to encrypt customer-provided SaaS data in transit and at rest. After the scanning process no data is retained, alleviating any data privacy concerns. There are many other Fortify aspects that Xavier appreciates: “Fortify supports a wide range of development languages which means we could increase the number of applications integrated into our DevSecOps platform.”
We have introduced a best practice deep defense framework, including dynamic code scanning and intrusion testing, supported by documentation and training. Fortify on Demand has been fully integrated in the effort to improve the quality and, more specifically, the security of the applications we deliver to the business.
Operating in a cloud-based SaaS model allows Generali France to easily increase the volume of scanned applications and hence the number of vulnerabilities that will be addressed before applications are released. Developers are more productive as they can focus completely on code analysis and fixing any security issues flagged by Fortify on Demand. “We want our developers to be as autonomous as possible,” comments Xavier. “Their submitted code is scanned in detail, as standard, and they receive a consolidated findings report. This gives our developers high value data, together with any vulnerability clarifications provided directly through the Fortify on Demand portal, to help them better understand and manage any vulnerabilities.”
If vulnerabilities are flagged that require major work or modification the extra visibility is helpful so that priorities can be established, and sufficient budget and time can be allocated to fixing the issue. Having Fortify on Demand as part of the standard development practice also means that developers are far more aware of security issues and their implications when they work on applications.
Fortify on Demand also offers open source software composition analysis. The level of dashboard reporting and the additional services offered help Generali France developers collaborate effectively and keep management informed. By collecting and correlating security vulnerabilities with Fortify on Demand Generali France can anticipate attacks through risk analysis and priority management, while creating a detailed defense mechanism.
“It is key that our developers do not work in a vacuum,” concludes Xavier. “Application security is viewed in the context of the wider development process and does not just consist of static code scanning. We have introduced a best practice deep defense framework, including dynamic code scanning and intrusion testing, supported by documentation and training. Fortify on Demand has been fully integrated in the effort to improve the quality and, more specifically, the security of the applications we deliver to the business.”
Submitted code is scanned in detail, as standard, and they receive a consolidated findings report. This gives our developers high value data, together with any vulnerability clarifications provided directly through the Fortify on Demand portal, to help them better understand and manage any vulnerabilities.
Generali is a multinational group that is present in 50 countries, through more than 400 companies and with almost 72,000 employees.