AppSec Automation for an Online Workspace Collaboration Platform

We are happy to announce our latest customer engagement: implementation of a continuous security automation framework for a Silicon Valley online workspace collaboration suite. Our client's cloud-based visual collaboration platform helps teams develop and share ideas in real time through web and mobile clients and touchscreen walls. Our client brings innovation to the storytelling landscape, helping teams turn ideas into better products.

Problem Statement

Considering the amount and sensitivity of the information shared on the platform (for example, product ideation blueprints, early-stage creative animation, day-to-day status sheets and financial graphs), securing the application was a no-brainer. However, core platform features were constantly being amended to incorporate customised business features requested by their customers. Combined with a complex technology stack, this meant their existing model of on-demand, end-of-the-chain vulnerability scans did not scale. Manual pentests were arduous and time-consuming, and did not map to their Agile sprints.

They therefore needed a security automation system that scaled with their product engineering while still ensuring that logic flaws, which scanners alone do not find, did not slip through the cracks.

Our Solution  

Given the platform's technology stack, we saw the need to employ multiple open-source security scanners as a force multiplier for their existing DAST/SAST tools. Run through our instrumented scanning and correlation platform, the scanners would provide deeper and more complete results than any single tool. In addition to scanner-based vulnerability assessment, logic flaws identified during manual penetration tests would be encoded as custom exploit scripts and re-checked automatically on every run. The correlated multi-scanner results would be presented as quantifiable findings to both the security and engineering teams, with detailed remediation steps for each issue. This would let engineering fix high-priority issues with ease and release within sprint timelines.
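To make the correlation step concrete, the following is an added example written for this post; it is not the client's or our platform's code. It assumes two hypothetical scanner report shapes (SCANNER_A keyed by URL with textual risk ratings, SCANNER_B keyed by endpoint and parameter with numeric scores) and one scripted manual check, all constructed inline. It shows the three things a correlation layer has to do before results are "quantifiable": normalise each tool's vulnerability names onto one taxonomy, collapse the same bug reported by several tools onto one (vuln class, path, parameter) key, and rank by severity with multi-tool confirmation as the tie-breaker. Real scanner formats differ, so the parsing stubs would be replaced per tool.

```python
"""Correlate findings from several scanners into one deduplicated, prioritised list.

Added illustration for this post; not the client's or the vendor's code.
The scanner report shapes below are constructed for the example and are not
the output format of any real tool.
"""
from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Constructed sample reports: each (hypothetical) scanner uses its own shape.
SCANNER_A = [  # a DAST tool keyed by full URL with a textual risk rating
    {"name": "Cross-Site Scripting (Reflected)",
     "url": "https://app.example/boards/search?q=test", "param": "q", "risk": "High"},
    {"name": "Missing X-Content-Type-Options Header",
     "url": "https://app.example/boards/search", "param": None, "risk": "Low"},
]
SCANNER_B = [  # a second scanner keyed by endpoint and parameter with a numeric score
    {"vuln": "XSS", "endpoint": "/boards/search", "parameter": "Q", "severity": 7.0},
    {"vuln": "SQLi", "endpoint": "/api/boards", "parameter": "id", "severity": 7.0},
]
MANUAL_CHECKS = [  # a logic flaw from the manual pentest, re-run as a scripted check
    {"check_id": "board-share-idor", "path": "/api/boards", "param": "id",
     "passed": False, "severity": 9.0},
]

# Map each tool's own vulnerability names onto one shared taxonomy.
CANONICAL = {
    "cross-site scripting (reflected)": "xss",
    "xss": "xss",
    "sqli": "sqli",
    "missing x-content-type-options header": "missing-security-header",
    "board-share-idor": "idor",
}
REMEDIATION = {
    "xss": "Context-aware output encoding; add a Content-Security-Policy.",
    "sqli": "Parameterised queries; never build SQL from strings.",
    "idor": "Server-side ownership check on every board id.",
    "missing-security-header": "Send X-Content-Type-Options: nosniff.",
}
TEXT_RISK = {"critical": 9.5, "high": 8.0, "medium": 5.0, "low": 2.0}


@dataclass
class Finding:
    vuln: str
    path: str
    param: Optional[str]
    sources: Set[str] = field(default_factory=set)
    max_score: float = 0.0


def _score(risk: Any) -> float:
    """Numeric score from either a CVSS-like number or a textual rating."""
    if isinstance(risk, (int, float)):
        return float(risk)
    return TEXT_RISK.get(str(risk).lower(), 0.0)


def _key(name: str, url_or_path: str, param: Optional[str]) -> Tuple[str, str, Optional[str]]:
    """Normalise (vuln class, path, parameter) so the same bug from two tools collides."""
    vuln = CANONICAL.get(name.lower(), name.lower())
    path = urlsplit(url_or_path).path.rstrip("/") or "/"
    return vuln, path, param.lower() if param else None


def correlate(a: List[Dict], b: List[Dict], manual: List[Dict]) -> List[Finding]:
    """Merge all sources, record which tools confirmed each issue, and rank."""
    merged: Dict[Tuple, Finding] = {}

    def add(source: str, key: Tuple, score: float) -> None:
        f = merged.setdefault(key, Finding(*key))
        f.sources.add(source)
        f.max_score = max(f.max_score, score)

    for r in a:
        add("scanner_a", _key(r["name"], r["url"], r["param"]), _score(r["risk"]))
    for r in b:
        add("scanner_b", _key(r["vuln"], r["endpoint"], r["parameter"]), _score(r["severity"]))
    for c in manual:
        if not c["passed"]:  # a failed scripted check means a known logic flaw has regressed
            add("manual_script", _key(c["check_id"], c["path"], c["param"]), _score(c["severity"]))

    # Highest score first; ties broken by how many independent sources confirmed it.
    return sorted(merged.values(), key=lambda f: (-f.max_score, -len(f.sources), f.vuln))


def report(findings: List[Finding]) -> List[Dict[str, Any]]:
    """Rows an engineering team can act on: what, where, who saw it, how to fix."""
    return [{"vuln": f.vuln, "where": f"{f.path}[{f.param}]" if f.param else f.path,
             "score": f.max_score, "confirmed_by": sorted(f.sources),
             "fix": REMEDIATION.get(f.vuln, "n/a")} for f in findings]


if __name__ == "__main__":
    for row in report(correlate(SCANNER_A, SCANNER_B, MANUAL_CHECKS)):
        print(row)
```

In this sample the reflected XSS on `/boards/search` is reported by both scanners (one calls the parameter `q`, the other `Q`) and collapses to a single finding confirmed by two sources, while the scripted IDOR check from the manual pentest outranks everything else on severity even though only one source saw it. The caveat is that the key is only as good as the normalisation: unmapped vulnerability names fall through as separate classes, so the CANONICAL table has to be maintained as new tools are added.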

A detailed post-implementation case study will be published by August 2017.