Veracode Enables Cox Automotive to Integrate Security Into the SDLC and Increase Speed to Market

“The vision at Cox Automotive is to transform the way the world buys, sells, owns, and uses cars.”

Veracode’s AppSec solution gives Cox Automotive a competitive advantage, and helps improve employee morale and increase customer trust.

The Challenge

In today’s fast-paced world, companies need to be constantly innovating to keep up with the competition. They can’t afford to be bogged down by time-consuming processes. As Naqvi explains, “Engineers and developers are very busy people with high demands on their time. Asking them to spend time on complex integrations or learning about new tools is unrealistic.”

Cox Automotive’s previous AppSec provider was slow, which drastically impacted the speed of development processes. Cox Automotive knew that if it was going to keep up with its competitors and provide a positive work environment for its engineers and developers, it had to find an AppSec provider that was easy to use, easy to learn, and easy to integrate.

The Solution

After thoroughly evaluating AppSec vendors, Cox Automotive determined that Veracode was the right provider. It’s not only easy to integrate with Veracode, but Veracode allows for multiple layers of integration within its software delivery lifecycle. Veracode is also known for its fast, accurate scanning.

Cox Automotive is now using the whole suite of tools available through Veracode, including its static analysis, dynamic analysis, and software composition analysis solutions. Cox Automotive is leveraging Veracode’s Artifactory integration for compiled code testing and program management services to improve its application security maturity. In addition, Cox Automotive is using AWS CodeBuild to upload repository code to Veracode and initiate static scans.

The Results

Since partnering with Veracode, Cox Automotive has seen several positive changes. Scans that used to take days with its previous AppSec provider take minutes with Veracode. Sixty percent of scans finish in less than five minutes, and 75 percent finish in less than ten minutes. This drastic reduction in scan time has allowed Cox Automotive to deploy software faster, giving it a competitive advantage in the automotive market.

As for integrations, Cox Automotive developers appreciate that Veracode fits into their current processes, leading to increased AppSec adoption on the development teams. In fact, developers have onboarded over 400 applications into Veracode across Cox Automotive’s brands. With the Artifactory integration, Cox Automotive has further assurance that it is scanning all of its applications. And with the AWS CodeBuild integration, Cox Automotive has increased the feedback loop of application security flaws to developers so that vulnerabilities are remediated prior to production.

Developers’ appreciation of Veracode has resulted in a cultural shift, allowing Cox Automotive “to make security everyone’s responsibility,” not just a siloed function within the security team. Now that developers are taking on more security responsibilities and scanning right in their IDE, fewer flaws are introduced into their code. The reduction in flaws results in less rework and reduces the chances of a breach. It also helps to increase customer trust. And at Cox Automotive, customer trust and confidence are of the utmost importance.

“The security of our products and services is very important to us, and Veracode helps us ensure that we never lose our customers’ trust and confidence.”

Tabrez Naqvi
Director of Information Security and Risk, Cox Automotive

About Cox Automotive

Cox Automotive is one of the world’s largest automotive service providers – involved in nearly every aspect of the automotive industry – providing technology, market intelligence, and products and services. Although Cox Automotive is not necessarily a household name, it owns over 20 different brands, including the widely popular Autotrader and Kelley Blue Book, which are used by nearly 70 percent of all car shoppers.

Tabrez Naqvi, Director of Information Security and Risk at Cox Automotive, states that “the vision at Cox Automotive is to transform the way the world buys, sells, owns, and uses cars.” But to release new software that transforms the automotive industry, Cox Automotive needed a strong application security (AppSec) provider that wouldn’t slow down its software deployment.
