Fast-growing flooring retailer empowers developers to seamlessly integrate AppSec into the SDLC, improving efficiency and application quality

View At-A-Glance Download Customer Story

With Veracode, we have the confidence that our software is secure and – more importantly – our customers have the confidence that our software is secure.

Trey Tunnel

CISO, Floor & Decor

 

Specialty Retailer Floor & Decor Builds Customer Confidence In-Store and Online by Assuring Application Security With Veracode

About Floor & Decor

When it comes to flooring, most people look for comfort, quality, and value. That’s why a growing number of consumers across the U.S. head to their local Floor & Decor store. Headquartered in Atlanta, Floor & Decor is one of Fortune’s 100 fastest-growing companies. One of the reasons for this growth is the company’s focus on creating store experiences that meet the unique needs of each local market it serves.

As Darius Radford, Floor & Decor’s application security (AppSec) architect, puts it, “They make you feel like family.”

Radford, who brings 20 years of information security experience to Floor & Decor, understands that delivering great customer experiences – in-store and online – hinges on secure, high-quality software. When he saw how the company’s development teams weren’t fully utilizing the application security tools at their disposal, he set out to build a more robust DevSecOps program, including developer training and incentives. As a result, AppSec is now integrated early in the SDLC, enabling teams to catch vulnerabilities sooner and reduce the cost of remediation. Ultimately, this is improving developer efficiency, application quality, and customer confidence.

The Challenge

While Floor & Decor’s software development teams focus on delighting customers with cool new features and reliable functionality, Radford’s job is to make sure those customer experiences are secure, from browsing on the company’s mobile app to completing a sale at the in-store point of sale (POS) system. That means finding vulnerabilities before an update is released and building in security best practices as new code is written.

The challenge is bringing security and development together in a unified process. Radford says, “There are so many security tools available, it often results in tool fatigue. We wanted to make security a more natural part of the development process.”

The key was to consolidate on a single, unified AppSec platform that integrates seamlessly with the development environments. But Radford knew to be successful, he also needed to change developer culture around security.

The Solution

It turns out Radford did not have to look far for a solution. When he joined Floor & Decor, Veracode tools were already in place, but they were not being used very extensively. His next move was to confirm that Veracode was still the right choice and, if so, to leverage the platform to the fullest.

After evaluating other application security solutions, Veracode’s Continuous Software Security PlatformTM proved again to offer the most comprehensive solutions. Radford says, “We compared each solution head-to-head, and Veracode stood out as the market leader in application security.” He explains that the IDE Scan feature in Veracode Static Analysis (SAST) was a big factor. “SAST is particularly helpful for testing our website where we can confirm input validation and check for vulnerabilities like cross-site scripting.”

Radford also values that Veracode is one of the first solutions to provide Software Composition Analysis (SCA). Floor & Decor’s development and security teams rely on SCA to uncover vulnerabilities in third-party libraries. This proved especially useful when the Apache Log4j vulnerability was reported. Radford says by using a combination of SCA and development tools like Bitbucket, “We were able to quickly figure out all the places running Log4j and remediate the situation.”

Manual Penetration Testing is also a differentiator for Veracode. “I did not find it in the other packages we considered,” Radford notes. “Having a complete platform just gives us a lot more flexibility.”

Aside from scanning tools, Radford also selected Veracode for its eLearning. “We now leverage eLearning and developer training from Veracode in conjunction with an incentive program, awarding prizes to “rock star” developers who complete the training,” Radford says. “This is a key step in cultivating a security-minded culture across our business.”

The Results

With a comprehensive AppSec program built on Veracode, Radford has been integrating security earlier in the SDLC, using SAST extensively during quality assurance (QA) testing. He says, “Scanning earlier in the QA process allows us to find vulnerabilities sooner, which reduces the time and cost of remediation.”

Radford notes, “Input validation was a problem area, but with Veracode part of the SDLC we’ve seen the number of hours developers spend on input validation go down substantially.”

With the help of eLearning and a coach program, Radford is successfully promoting security best practices across the development organization. “We’ve seen a noticeable shift in the culture of our development teams,” he says. “It helps that the Veracode tools are developer-centric. It’s easier for them to incorporate security into their normal processes, which increases the adoption rate.”

Radford adds, “It also helps that Veracode is accurate. We’ve reduced the number of false positives, which has earned us credibility with the developers.”

Overall vulnerability counts have also gone down now that Veracode is more widely adopted across the development organization. In the case of Floor & Decor’s POS application, SCA identified a number of vulnerabilities in third-party libraries. When the developers investigated further, it turned out those libraries were no longer being used, enabling the POS team to eliminate the libraries and all the vulnerabilities with them.

Improving security across the SDLC results directly in releasing higher-quality applications. Most importantly, it builds customer trust in the digital experience provided. “Our customers are our top priority,” Trey Tunnel, Floor and Decor’s CISO says. “With Veracode, we have the confidence that our software is secure and – more importantly – our customers have the confidence that our software is secure.”

Radford and his team also benefit from spending less time manually testing. “Veracode saves us a lot of time, which frees me up to look at program maturity and to focus on architecture. We’re starting to do more in the cloud, and I’m able to work on using Veracode in our Kubernetes infrastructure.”

“We’re proud to say that when it comes to our applications, we have security covered,” Radford concludes.

Download Customer Story