Anyone who’s bought a car knows that the paperwork is confusing and the process is time-consuming. Software company Fastlane, based in Dallas, created an app that promises to remove the drudgery of car buying for both buyers and auto dealers. The company is currently doing the same for auto insurance companies with its LossExpress product, in a bid to shorten the long and complicated process of having insurance carriers pay for totaled vehicles.
“We want to automate the manual processes for settling totaled claims that used to take as long as 30 days, and condense them down to less than one day,” says Mike Mclaren, CTO for Fastlane.
To help his small development team quickly develop and roll out new features for Fastlane, while staying secure, Mclaren implemented CircleCI, alongside Bright, for application and API security testing.
With a small, hardworking dev team, Mclaren wanted engineers to spend their time focusing on product features, not troubleshooting code. “Deploying features is incredibly important, but we don’t want to be thinking about that all week long during the deployment schedule,” he says.
Instead of worrying about infrastructure, Mclaren decided to bring in CircleCI, which he’d used for previous app-building projects. “CircleCI is one of those products I’ve stuck with for many years across multiple businesses,” he says. “That’s why I’m cool with my own business spending money on it today. I was already comfortable with CircleCI, and I knew how simple and easy it is.”
At the same time, Mclaren also brainstormed ways to ensure data security within the Fastlane app. “We know that auto insurers are very concerned about the security of customer data,” he explains. “We relied on OpenSource DAST scanners, which were not accurate or consistent with our workflows, especially as we built our CI pipeline.”
Automation was a primary focus for Mclaren. “We really liked Bright’s automatic validation of security issues that we hadn’t seen in other scanners,” he adds. “Historically, my team would have to manually dig into each issue to see if it were really there, which was not scalable with our rapid release cycles. Now, we can trust the output, piped into the existing projects we’re putting through CircleCI while avoiding failed builds due to false alerts.”
Fastlane is getting ready to release its very first API, which means the development team is increasing its reliance on CircleCI.
“We’ll have numerous clients integrating with our products, which is amazing – but that also means thinking through every little detail,” Mclaren says. “We have to be super-careful with testing, and with security as well.”
The company is also working on a tool that will help insurers value cars that have been totaled, with payouts due to insurance customers.
“We want developers to spend their time coding these apps, and we want to get them out the door as quickly as possible,” Mclaren says. “With CircleCI, we know we can deploy the apps, without thinking or worrying about infrastructure. With Bright’s security scanner, my developers can also test our APIs for security vulnerabilities, giving us great coverage, all neatly integrated with CircleCI.”
Focusing on the future
By using CircleCI and Bright, Fastlane’s developers can quickly tackle problems without losing focus on app development. “We don’t have to worry about any scripts that need to be run at any given time,” Mclaren says. “And we don’t have to worry about how the Docker containers are going to spin up. I can just pay attention to the things that matter to me, day in and day out.”
When Mclaren and his engineers do need to address an issue, they’ll get notified quickly. “We like being able to tie into GitHub for status checks, and getting notifications from Slack when tests fail,” he says. “And since security is incredibly important, we have Bright integrated into our pipeline, so our developers can detect and fix security issues on every build, long before they hit production, minimizing our technical and security debt.”
Now that engineers can dig deep into the processes that Fastlane’s customers need to be successful, Mclaren can concentrate on Fastlane’s future.
“We’re a tiny shop, and we’ll remain that way even though we’re looking to double our team in the future,” Mclaren says. “When all is said and done, we’ll still operate like we’re tiny, and we’ll use CircleCI to automate testing.”