Since its founding in 2016, Pismo has quickly gained international recognition for persevering with to drive innovation and empowering a number of the largest banks, monetary establishments, and marketplaces—all whereas preserving excessive safety and availability requirements on the forefront for his or her digital banking and cost options.
The Brazilian-based expertise firm, which has workplaces in the US and the UK, gives an all-in-one, cloud-native platform for banking and funds processing on AWS. It gives APIs for patrons’ net or cell purposes to allow them to leverage Pismo’s infrastructure as their again finish. Utilizing Pismo, banks and monetary expertise firms are in a position to shortly launch safe cost options.
Since cost purposes host a wealth of personally identifiable info, they have to be verifiably safe. Prospects repeatedly selected Pismo as a result of they take safety very severely.
In a current effort to additional make sure the safety of its software program, Pismo introduced onboard Ubirajara Aguiar Jr. to construct and lead the DevSecOps workforce. Aguiar instantly stepped as much as the plate, assessing the state of utility safety (AppSec) and figuring out areas for enchancment.
His suggestions included transferring safety additional left—earlier within the software program improvement lifecycle (SDLC)—and leveraging an AppSec vendor with a extra complete and scalable suite of testing sorts.
“We evaluated AppSec vendors with high ratings from Gartner. As a leader in the Gartner Magic Quadrant, Checkmarx was a strong contender,” stated Aguiar.
To slender down the checklist of potential distributors, Pismo’s DevSecOps workforce got here up with an inventory of “must-have” capabilities. For starters, the chosen answer wanted to assist a number of improvement languages, supply bi-directional integration with bug monitoring instruments, create and shut tickets routinely, and determine reoccurring false positives. The answer additionally wanted to be developer pleasant, with the power to combine and automate into builders’ current instruments and processes.
“We always kept our developers in mind when thinking about the new tools,” Aguiar defined. “We wanted the transition to be smooth and transparent and didn’t want them worrying about dealing with tickets or keeping track of cards. We specifically looked for tools that would make our developers’ work easier and more productive.”
Final, however simply as necessary, the instrument wanted to permit for versatile insurance policies to interrupt the construct if high- or medium-risk vulnerabilities had been recognized.
Checkmarx met the checklist of necessities after which some, making it the clear winner. The primary Checkmarx answer that Pismo invested in was Static Utility Safety Testing (SAST).
SAST is an enterprise-grade utility safety testing answer that gives high-speed, absolutely automated, versatile, and correct supply code evaluation to determine safety errors that would result in vulnerabilities in customized code. With the pliability to run full and incremental scans every time wanted, Checkmarx SAST gives Pismo with complete, extremely correct experiences that prioritize vulnerabilities in response to their severity, guiding builders on what they should remediate first. Checkmarx SAST additionally helps a full checklist of programming languages and frameworks.
Pismo additionally invested in Checkmarx Software program Composition Evaluation (SCA), which integrates with SAST.
Pismo makes use of SCA within the cloud to supply intensive safety protection for customized and open-source code. With Checkmarx SCA, Pismo is ready to uncover vulnerabilities not solely within the third-party code that their builders instantly use but additionally vulnerabilities in any dependencies that the third-party code calls on.
Since onboarding the instruments, there was a serious shift in Pismo’s safety tradition. “Developers have been actively using Checkmarx SAST and SCA.” As Aguiar acknowledged, it definitely helps that “the tools are so well integrated into our processes.”
Pismo already has insurance policies in place for Checkmarx SAST. “The teams fix only low-risk issues, and Checkmarx blocks the merge of any new high or medium-risk issues. That’s a great feeling.”
The workforce can also be working exhausting on the Checkmarx Software program Composition Evaluation technique. “We’re now focused on assessing vulnerabilities and giving them one of four ratings: one being most critical and vulnerable; two being potentially vulnerable but not enough information; three being using packages with reported vulnerabilities, but not under vulnerable conditions, and four being using outdated packages with no vulnerabilities,” stated Aguiar.
The chance discount has been so spectacular that Aguiar and his DevSecOps workforce have been in a position to present Pismo’s Head of Data Safety/CISO Leonardo Carmona and enterprise executives the crucial metrics and KPIs that present progress since deploying Checkmarx.
“We created a chart plotting risks and vulnerabilities and, at first, there were a high number of issues with high risk. Now, every single one of them is at the zero mark, since they’ve all been fixed,” Aguiar concluded. All in all, “the money we invested in Checkmarx was well spent.”
Pismo is happy to proceed working with Checkmarx to maintain its purposes and prospects secure.
Be taught extra
To be taught extra concerning the challenges and options that led to Pismo’s success, obtain the total case examine.
