Playtech has used automated code analysis from the very early days to ensure application security, but the task has become increasingly challenging.
Playtech continually acquires new companies and integrates new technologies into its platform, and it now has over 1,000 developers coding in all major computer languages.
The company needed a code scanning tool that was flexible enough to enable Playtech to enforce its security policy and various regulatory requirements across hundreds of thousands of lines of code.
Playtech developed its own application security standard, which is an extension of the OWASP Top 10 and SANS 25 standards.
The company is also certified to the ISO 27001 and PCI DSS standards and complies with hundreds of rigorous regulations set by the countries in which it operates, which audit Playtech frequently.
The time and accuracy of each code scan are key considerations to ensure critical development work is not interrupted, said Kobi Lechner, Playtech’s information security manager.
Most code analysis tools can only scan code that has already been compiled, but Playtech needed a tool capable of running scans during the development lifecycle in order to achieve a true secure development lifecycle (SDL).
Playtech was also looking for a tool that enabled developers to customise the rule sets easily to enforce the firm’s security policy.
The only tool the company could find that would scan and analyse source code and make it easy to create custom rule sets using an open query language was the CxSuite from Checkmarx, said Lechner.
“The security team likes the flexibility and independence CxSuite provides them to do their job,” he said.
For a small security team within a large company, the task of staying up to date with the ever-growing code base is a great challenge, said Lechner.
“Using compilation-based tools required achieving a build, and compilation errors in the process of achieving a build consumed a lot of precious time of the security team and often required assistance from the R&D team,” he said.
In contrast, Checkmarx automatically charts the data flow in the application and suggests the optimal remediation points, which significantly reduces the mitigation effort required of the R&D team.
“In addition, the ability to write custom queries for Playtech's various purposes, not necessarily all security related, is priceless,” said Lechner.
As a result of being able to implement a true SDL, developers are automatically trained in writing secure code because they get immediate feedback detailing the security vulnerabilities found in their code, he said.
Playtech started the implementation of CxSuite by scanning a few smaller projects. This was expanded to larger projects after both the security team and the developers found the tool useful and easy to use.
Checkmarx currently scans more than 90% of the projects, and this figure keeps growing, said Lechner.
“Every developer has a plug-in for the development environment most suited to their work and they are a lot more cooperative because they get the security findings while everything is still fresh in their mind,” he said.
Checkmarx has proved to be of great benefit to Playtech's infosec team because of the accuracy and flexibility of the tool, said Lechner.