“One future success factor will be Veracode’s artificial intelligence helping fix our findings. AI supporting fixes is a game changer. We have an approved plan for benefitting from AI, and it’s time to roll it out.”
Veracode helps HDI Global SE’s business initiative for security innovation became a measurable reality.
An Introduction to HDI Global & Why the Initiative to Advance Security
Founded over 120 years ago, HDI Global SE is a leading international commercial and specialty insurer. It is headquartered in one of Europe’s most important insurance locations, Hannover, Germany. HDI Global has been a leading insurer for several decades and functions as the Industrial Lines Division of the Talanx Group – Europe’s fifth largest insurance group. HDI Global operates worldwide through foreign branches, subsidiaries, and affiliates, as well as network partners in more than 175 countries.
“HDI Global has a commitment to craftsmanship. On the overall business level, architecture level, development level, we are committed to being proud of what we produce. We are always looking for ways to improve, and security innovations are part of that,” shared Cloud Architect, Phillip Hagedorn.
Recent rules and regulations, such as the EU Cyber Resilience Act and ISO 20022, formed a control framework to measure improvements. In a rapidly evolving world, following ever-changing guidance on securing innovation requires technical agility. That’s why HDI Global picked the following focus for advancing the quality of its craftsmanship.
Why Shifting Security into Software Development Became a Focus
Due to the increased speed and evolving methodologies of modern software development, research shows that automated security measures shifted earlier in the development lifecycle save time and allow scale, ultimately improving security posture. This is why HDI Global chose to automate security in software development as a focus for advancing technical agility. In the past, the way software was developed, security reviews were often a separate step or set of steps, creating cumbersome bottlenecks.
“Security isn’t just tools; it’s a mindset. HDI Global chose to invest the time and energy laying the groundwork for automated security within the software development lifecycle to help us increase agility. Our customers require we have secure software practices in place, so we focused our efforts on having fully automated continuous integration and continuous delivery (CI/CD) processes to increase outputs without decreasing quality,” said Enterprise Architect, Darius Schaper.
Steps Taken to Automate Software Security
With a clear picture of where it was advancing, HDI Global found its previous application security testing vendor lacking in the required reporting features for meeting the company’s vision for an automated, compliant, and measurable future. It was time to pick a new vendor to partner with as HDI Global advanced.
“Veracode’s platform fulfilled our requirements, from security management to the developer. We needed something to look in-depth at both first-party code and third-party dependencies. There’s also the critical mass of Veracode users who form this community around the products that provide custom SDKs for your APIs,” remarked Hagedorn.
As a technical team wanting world-class expertise in advancing the security and agility of its innovation, another aspect beyond scanning became highly important.
“Why Veracode? It’s the whole package. It’s not only the technology; it’s the processes created through the service, the workshops, and the help from highly experienced security professionals,” said Schaper.
After the test case proved they found the right solution, it was time to start onboarding applications, setting policies, and creating dashboards. To measure the right things, you have to ask the right questions. HDI Global worked with Veracode’s team to make sure they were getting things right from the start.
Measurable Risk Reduction Results: Today & Looking Forward
Application security programs aren’t something you can set and forget. They must be nurtured and matured over time. Comparing September 2022 (five months into the program) to September 2023, HDI Global impressively increased the number of closed findings in a month by over 44 percent and the total apps scanned in a month by over 400 percent.
Nils Brenneis, Information Security Manager, shared: “From a security management perspective, the visibility into our software and progress being made through automation are paramount to me for reports to the board. Veracode, as a central tool for our visibility and vulnerability management, is very helpful. I use the reports to establish a baseline, identify areas for improvement, set quantitative goals, and track progress against those goals.”
“We are on track with our vision of full integration in the IDE’s and pipelines. We are working with members from every Agile Release Train to build up the security champions. The processes, training, and tools from Veracode are really helpful. So, software developers can focus more on features and less on the important but tedious tasks,” said Schaper.
Looking towards the future and continued maturity, HDI Global has a few more goals on the horizon.
“As a global enterprise, we’re laying the groundwork for securing future innovation. This enables us to engage with the wider HDI Global secure development community, exchanging insights with branches globally. We’re harmonizing our innovation approach by standardizing tools and processes,” stated Hagedorn.
Hagedorn concludes, “One future success factor will be Veracode’s artificial intelligence helping fix our findings. AI supporting fixes is a game changer. We have an approved plan for benefitting from AI, and it’s time to roll it out.”
Why Veracode? It’s the whole package. It’s not only the technology; it’s the processes created through the service, the workshops, and the help from highly experienced security professionals,
Darius Schaper
HDI Global SE, Enterprise Architect
