Virtualization Technology News and Information
Software Security in a Fluent SDLC

By Alin Burlacu, Banking Engine Champion in Product, Mambu

As developers of a pure SaaS platform that serves a rapidly growing global customer base, Mambu faces strict security and compliance regulations. For proactive identification of potential security vulnerabilities in our code, Mambu uses the Checkmarx Software Exposure Platform, provided via the Managed Service AppSec Accelerator.

The centrepiece of Mambu's product portfolio is a powerful cloud-native platform that is provided under a cutting-edge Software-as-a-Service (SaaS) model to customers in more than 60 countries worldwide. Additionally, Mambu customers have access to various best-in-class services through a vast range of individual specialised connectors in the Mambu Marketplace. Our platform is developed in a modern AWS environment; it is designed, developed, validated and maintained by globally distributed teams according to agile practices and currently comprises almost 7 million lines of Java code.

Introducing a dynamic & static code analysis for security concerns

Because financial software applications are subject to strict industry and regulatory standards, Mambu is using a dedicated software quality monitoring solution. We regularly conduct extensive penetration tests to identify potential security vulnerabilities, and to secure our platform further, Mambu chose a comprehensive solution to introduce a dynamic and static code analysis into our Software Development Life Cycle (SDLC).

We decided to invest in a dedicated application security solution for two reasons:

  1. To gain a deeper insight into our own software, and to develop a pool of security-relevant information to better control our security;
  2. To make it easier for our customers to document the security of our services as part of their audits and due diligence activities.

To ensure a successful integration, a broad, cross-divisional project team was assembled. Based on the wishes and suggestions of all stakeholders, the team carried out a comprehensive evaluation of all relevant SAST, DAST and OSA solutions on the market. As a result, the Checkmarx Software Exposure Platform was selected, specifically in its hybrid, managed-services-based deployment model, AppSec Accelerator.

Benefits & collaboration

  • Fully SaaS-based: Mambu purchases external tools exclusively in the form of agile, externally managed services that require no internal resources for maintenance and operation. Although "on-premise" operations would have been a possibility, a cloud-based solution is far more efficient for the processes in a decentralised team.
  • A wide range of analysis tools from a single source: The Checkmarx platform supports standard SAST, IAST and OSA functionalities as well as on-the-fly training for developers. This allowed us to cover all relevant use cases with the standard feature set.
  • Checkmarx CxIAST goes beyond traditional dynamic code analysis. Originally, we looked into a traditional DAST solution. However, the interactive analysis with Checkmarx IAST offers many advantages, including fast and reliable identification, monitoring and reporting of security vulnerabilities while the software is running.
  • Supporting all required scans for the transition to microservices. A seamless integration of the software security solution into our SDLC was a major challenge due to unexpectedly time-consuming scans. The Checkmarx team provided extensive support and helped set the course for successful integration into the CI/CD pipeline. As such, SAST and IAST concerns are currently covered by the usage of Checkmarx.
  • Comprehensive application security know-how. From day one we were able to benefit from the solution thanks to a broad portfolio of supporting services, as well as the classic DAST services provided in addition to the in-house technologies SAST, IAST and OSA.

Security posture - enhanced

Mambu has never looked for a quick fix in the area of software security, and from the beginning we looked into building a long-term, robust solution. Having laid a solid foundation, our long-term goal is to consolidate security and the security analysis systems in a centralised knowledge database to further improve the transparency of the overall solution.

I have been asked multiple times how we convinced the stakeholders to have security matters embedded so well in the SDLC practices, and developers to act on them.

The real answer is simple but shocking at the same time.

It was not about convincing a quorum, for sure, but about articulating what we know and, probably, what we don't know or are missing, as we have learned a lot from this 1-year-long experience. Being a trusted SaaS is earned. We are constantly improving it; security is an ongoing activity that is taken into account in all the SDLC stages where developers are involved. Developers care a lot about the quality, security and functional aspects of their creation. Their engagement started with making sure there was a common understanding of why we are doing it, along with the benefits, and was fueled throughout the project life span with constant updates.

About the Author

Alin Burlacu - Banking Engine Champion at Mambu

Pragmatic, to-the-point personality and a big fan of the KISS mindset. Java developer at core, not religious, as I am in favor of the best tool for the job. Over time I have delivered complex technical solutions, green/brown field, mostly for the finance sector. While doing my thing as a developer, I felt the need to get more and more involved in leadership, tech support in pre-sales and streamlining development flows of any type. Product companies fit me best. https://www.linkedin.com/in/alinb/

Published Friday, March 06, 2020 7:34 AM by David Marshall