By Alin Burlacu, Banking Engine Champion in Product, Mambu
As developers of a pure SaaS platform that serves a rapidly growing global customer base, Mambu faces strict security and compliance regulations. For proactive identification of potential security vulnerabilities in our code, Mambu uses the Checkmarx Software Exposure Platform, provided via the Managed Service AppSec Accelerator.
The centrepiece of Mambu's product portfolio is a powerful cloud-native platform that is provided as a cutting-edge Software-as-a-Service (SaaS) model to customers in more than 60 countries worldwide. Additionally, Mambu customers have access to various best-in-class services through a vast range of individual specialised connectors in the Mambu Marketplace. Our platform is developed in a modern AWS environment and is designed, developed, validated and maintained by globally distributed teams according to agile practices, and currently comprises almost 7 million lines of Java code.
Introducing dynamic & static code analysis for security concerns
Because financial software applications are subject to strict industry and regulatory standards, Mambu uses a dedicated software quality monitoring solution. We regularly conduct extensive penetration tests to identify potential security vulnerabilities, and to secure our platform further, Mambu chose a comprehensive solution to introduce dynamic and static code analysis into our Software Development Life Cycle (SDLC).
We decided to invest in a dedicated application security solution for two reasons:
- To gain a deeper insight into our own software, and to develop a pool of security-relevant information to better control our security;
- To make it easier for our customers to document the security of our services as part of their audits and due diligence activities.
To ensure a successful integration, a broad, cross-divisional project team was assembled. Based on the wishes and suggestions of all stakeholders, the team carried out a comprehensive evaluation of all relevant SAST, DAST and OSA solutions on the market. As a result, the Checkmarx Software Exposure Platform was selected, specifically its hybrid, managed-services-based deployment model, AppSec Accelerator.
Benefits & collaboration
- Fully SaaS-based: Mambu purchases external tools exclusively in the form of agile, externally managed services that require no internal resources for maintenance and operation. Although "on-premise" operation would have been possible, a cloud-based solution is far more efficient for the processes of a decentralised team.
- A wide range of analysis tools from a single source: the Checkmarx platform supports standard SAST, IAST and OSA functionalities as well as on-the-fly training for developers. This allowed us to cover all relevant use cases with the standard feature set.
- Checkmarx CxIAST goes beyond traditional dynamic code analysis: originally we looked into a traditional DAST solution; however, interactive analysis with Checkmarx IAST offers many advantages, including fast and reliable identification, monitoring and reporting of security vulnerabilities while the software is executing.
- Supporting all required scans for the transition to microservices: seamless integration of the software security solution into our SDLC was a major challenge due to unexpectedly time-consuming scans. The Checkmarx team provided extensive support and helped set the course for successful integration into the CI/CD pipeline. As such, SAST and IAST concerns are currently covered by the usage of Checkmarx.
- Comprehensive application security know-how: from day one we were able to benefit from the solution thanks to a broad portfolio of supporting services, as well as the classic DAST services provided in addition to the in-house SAST, IAST and OSA technologies.
Security posture - enhanced
Mambu has never looked for a quick fix in the area of software security, and from the beginning we looked into building a long-term, robust solution. Having laid a solid foundation, our long-term goal is to consolidate security and the security analysis systems in a centralised knowledge database to further improve the transparency of the overall solution.
I have been asked multiple times how we convinced the stakeholders to have security matters embedded so well in the SDLC practices, and the developers to act on it.
The real answer is simple but shocking at the same time. It was not about convincing a quorum, for sure, but about articulating what we know and probably what we don't know or are missing, as we have learned a lot from this 1-year-long experience. Being a trusted SaaS is earned. We are constantly improving it; security is an ongoing activity which is taken into account in all the SDLC stages where developers are involved. Developers care a lot about the quality, security and functional aspects of their creation. Their engagement was started by making sure there is a common understanding of why we are doing it, along with the benefits, and fuelled every time during the project life span with constant updates.
About the Author
Alin Burlacu - Banking Engine Champion at Mambu
Pragmatic, to-the-point personality and a big fan of the KISS mindset. Java developer at core, not religious as I am in favour of the best tool for the job; over time I have delivered complex technical solutions, green/brown field, mostly for the finance sector. While doing my thing as a developer, I felt the need to get more and more involved in leadership, tech support in pre-sales and streamlining development flows of any type. Product companies fit me best. https://www.linkedin.com/in/alinb/