Increasing Vulnerability Resolution by 46% With Bright

Table of Contents:

1. Background
2. Key facts
3. Challenges
4. Solution
5. Implementation
6. Bright results
7. Conclusion
8. Dev-centric DAST Built for enterprise-grade scale & security

Background

In order to build and sustain customer trust and regulatory compliance, ensuring security and privacy is paramount for financial institutions. To achieve these high security standards, this North American bank invested heavily in application security and already had SCA (Software Composition Analysis), SAST (Static Application Security Testing), and a legacy DAST (Dynamic Application Security Testing) solution deployed within its security stack.

Despite the bank’s existing security solutions, the increasing demand to deploy applications and APIs was a challenge. The traditional tools in their security stack were not keeping pace. This prompted the bank to search for a modern DAST platform that could meet both their security and development velocity needs.

This case study outlines the selection and successful implementation of Bright Security’s DAST platform by a Fortune 500 bank in North America.

Key facts

With over 200 years of operation, the bank has undergone numerous digital transformations since the beginning of the information age. As a result, the bank has accumulated a significant number of applications, and more recently APIs, that must be tested and maintained by security and development teams. Furthermore, these applications span many technologies, environments, clouds, and regions.

In such a complex application landscape, deciding to look for an alternative DAST solution is not a trivial undertaking. After evaluating the state and results of its previous DAST solution, the bank decided to seek a modern DAST platform to strengthen its security posture and business continuity.

Application landscape

  4,000  web applications
  2,000  APIs
    600  flagship apps/APIs in daily customer use
    800  secondary apps/APIs, mainly for internal use
  4,600  legacy apps/APIs spanning customer, internal, and back use

Challenges

The bank's previous legacy DAST solution ran too late in the SDLC (Software Development Life Cycle) and had a significant false positive rate. By the time the AppSec team reviewed and identified risks and vulnerabilities, they had already been deployed to production.

In addition, the legacy DAST scan results clearly showed a problem with API authentication, resulting in low coverage of their attack surface.

Solution

Deploy Bright Security's enterprise-grade, dev-centric DAST platform to achieve the bank's security and development velocity goals, based on the following capabilities:

  1. Run DAST early and continuously throughout the SDLC.
  2. Minimize false positives to less than 3%.
  3. Provide clear remediation guidelines to streamline vulnerability resolution.
  4. Support authentication and re-authentication scanning technology.

Bright's DAST platform met the bank's goals. The platform provides comprehensive scanning capabilities for all authenticated and non-authenticated web applications and common API formats, including REST, SOAP, and GraphQL APIs. It significantly improves the bank's ability to secure authenticated applications across multiple levels and steps.

All this is done throughout the SDLC, iteratively, starting from unit tests and in the IDE and going all the way to pre-production and production, with detailed proof of vulnerability and remediation guidelines provided.

In addition, Bright’s DAST is the only solution that offers future-forward security testing for Large Language Models (LLMs) and business logic vulnerabilities. Bright also has the broadest industry coverage of web and API mainstream attacks and tests such as OWASP Top 10, OWASP API Top 10, and OWASP LLM Top 10.

Implementation

The implementation commenced in early 2023, integrating the platform into multiple AppSec and development pipelines. Throughout 2023, the bank onboarded critical, flagship customer-facing applications onto the Bright platform, conducting 7,000+ scans per month. This was the first step in a phased rollout spanning over 4,000 applications and 2,000 APIs of flagship, secondary, and legacy applications in use both externally and internally at the financial organization.

Bright results

  1. Bright’s dev-centric DAST approach detects and enables the bank to resolve ~55% of vulnerabilities in the CI stage or earlier, compared to only 5% with the bank’s previous DAST solution.
  2. Due to fewer vulnerabilities reaching production, the bank is able to remediate high vulnerabilities that did make it to production in <14 days compared to >50 days.
  3. Due to Bright’s extensive API testing support and authentication capabilities, the scanned endpoint volume increased 4X, demonstrating that the legacy DAST was unable to discover the entire attack surface and left the organization exposed to security breaches.
  4. With Bright, DAST adoption increased from 17 AppSec professionals to thousands of developers using Bright daily in their IDE.
  5. Today, all of the bank’s 600 crown jewel applications and APIs are tested iteratively from the unit test/IDE compared to weekly with the previous DAST.

The modern authentication problem

For most financial institutions, 80% of their web applications are behind authentication, and all of them tap into authenticated backend APIs in order to facilitate and process customer requests.

Solving authentication for DAST requires significant technical capabilities:

  • Identifying authentication elements
  • Automated authentication
  • Automated re-authentication

In a zero-trust age, application security testing solutions must expertly address the increasingly sophisticated methods implemented by organizations in order to safeguard access to their applications.
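The automated re-authentication requirement above is easy to state but is the piece that most often silently truncates scan coverage: once a session expires mid-scan, every later request is answered with a login page or a 401, and an unaware scanner records "tested" endpoints that were never actually exercised. The following added example (not Bright's code, and not from the bank) shows the defensive pattern in miniature: a constructed FakeApp whose tokens expire after a fixed number of requests, and a ReauthSession wrapper that detects the expiry, re-authenticates, and retries, so the scan keeps full authenticated coverage. The credentials, paths and expiry rule are all assumptions of the example.

```python
from dataclasses import dataclass, field


@dataclass
class FakeApp:
    """Constructed stand-in for the target: a token expires after token_ttl requests."""
    token_ttl: int = 3
    logins: int = 0
    _valid: dict = field(default_factory=dict)

    def login(self, user, password):
        self.logins += 1
        if (user, password) != ("scanner", "s3cret"):  # constructed credentials
            return None
        token = f"tok{self.logins}"
        self._valid[token] = self.token_ttl
        return token

    def get(self, path, token):
        if self._valid.get(token, 0) <= 0:  # unknown, missing or exhausted token
            return 401, "session expired"
        self._valid[token] -= 1
        return 200, f"content of {path}"


class ReauthSession:
    """Retries a request once with a fresh token when the session has expired."""
    def __init__(self, app, user, password):
        self.app, self.user, self.password = app, user, password
        self.token, self.reauths = None, 0

    def _authenticate(self):
        self.token = self.app.login(self.user, self.password)
        if self.token is None:
            raise RuntimeError("authentication failed; scan cannot proceed")

    def get(self, path):
        if self.token is None:
            self._authenticate()
        status, body = self.app.get(path, self.token)
        if status == 401:  # expired mid-scan: re-authenticate and retry once
            self.reauths += 1
            self._authenticate()
            status, body = self.app.get(path, self.token)
        return status, body


def scan(paths, app, user="scanner", password="s3cret"):
    """Fetch every path; returns ({path: (status, body)}, re-authentication count)."""
    session = ReauthSession(app, user, password)
    results = {p: session.get(p) for p in paths}
    return results, session.reauths
```

Counting re-authentications per scan, as `scan` does, is also a useful coverage signal: a run with zero re-auths against an application known to expire sessions is a hint that the scanner fell out of the authenticated context without noticing.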

Conclusion

This case study highlights the significant benefits a prominent North American bank gained from deploying Bright Security’s DAST platform. The adoption of dev-centric DAST has increased the speed and efficiency of the development and AppSec teams, enabling the organization to strengthen its security posture without sacrificing velocity.

Thanks to Bright Security’s DAST solution, we feel more confident that our entire attack surface is being tested robustly. As a result of Bright making DAST accessible to developers directly in the IDE and from the unit testing phase, fewer vulnerabilities even make it to production. In addition, security threats are evolving rapidly, and Bright is the only DAST platform that covers future-forward tests for business logic and LLM attacks.
Director of Application Security

Dev-centric DAST
Built for enterprise-grade scale & security
