The centrepiece of Mambu’s product portfolio is a powerful cloud-native platform that is provided as a cutting edge Software-as-a-Service (SaaS) model to customers in more than 60 countries worldwide. Additionally, Mambu customers have access to various best-in-class-services via a vast range of individual specialised connectors via the Mambu Marketplace. Our platform is developed in a modern AWS environment and is designed, developed, validated and maintained by globally distributed teams according to agile practices, and currently comprises almost 7 million lines of Java code.
Introducing a dynamic & static code analysis for security concerns.
Because financial software applications are subject to strict industry and regulatory standards, Mambu is using a dedicated software quality monitoring solution. We regularly conduct extensive penetration tests to identify potential security vulnerabilities, and to secure our platform further, Mambu chose a comprehensive solution to introduce a dynamic and static code analysis into our Software Development Life Cycle (SDLC).
We decided to invest in a dedicated application security solution for two reasons:
- To gain a deeper insight into our own software, and to develop a pool of security-relevant information to better control our security;
- To make it easier for our customers to document the security of our services as part of their audits and due diligence activities.
To ensure a successful integration, a broad, cross-divisional project team was assembled. Based on wishes and suggestions of all stakeholders, the team carried out a comprehensive evaluation of all relevant SAST, DAST and OSA solutions on the market. As a result, Checkmarx's Exposure Software Platform was selected - the hybrid, managed services-based deployment model AppSec Accelerator, specifically.
Benefits & collaboration.
- Fully SaaS-based. Mambu purchases external tools exclusively in the form of agile, externally managed services that require no internal resources for maintenance and operation. Although "on-premise" operations would have been a possibility, a cloud-based solution is far more efficient for the processes in a decentralised team.
- A wide range of analysis tools from a single source. The Checkmarx platform supports standard SAST, IAST and OSA functionalities as well as on-the-fly training for developers. This allowed us to cover all relevant use cases with the standard feature set.
- Checkmarx CxIAST goes beyond traditional dynamic code analysis. Originally, we looked into a traditional DAST solution, however, the interactive analysis with Checkmarx IAST offers many advantages, including fast and reliable identification, monitoring and reporting of security vulnerabilities during executed software.
- Supporting all required scans for transition to microservices. A seamless integration of the software security solution into our SDLC was a major challenge due to unexpected time-consuming scans. The Checkmarx team provided extensive support and helped set the course for successful integration into the CI/CD pipeline. As such, SAST and IAST concerns are currently covered by the usage of Checkmarx.
- A comprehensive application security know-how. From day one we were able to benefit from the solution thanks to a broad portfolio of supporting services, as well as the provided classic DAST services in addition to the in-house technologies SAST, IAST and OSA.
Security posture - enhanced.
Mambu has never looked for a quick fix in the area of software security, and from the beginning we looked into building a long-term, robust solution. Having laid a solid foundation, our long-term goal is to consolidate security and the security analysis systems in a centralised knowledge database to further improve the transparency of the overall solution.
I have been asked multiple times about how we managed to convince the stakeholders to have the security matters embedded so well in the SDLC practices and developers to act on it.
The real answer is simple, yet shocking at the same time.
It was not about convincing a quorum, for sure. But to articulate on what we know and probably what we don’t know or missing as we have learned a lot from this 1 year long experience. Being a trusted SaaS is earned. We are constantly improving it, security is an ongoing activity which is taken into account in all the SDLC stages where developers are involved. Developers care a lot about the quality, security and functional aspects of their creation. Their engagement was won by making sure there is a common understanding why we are doing it, the benefits, and it is continually fueled during the project life span with constant updates.