“Security is one of our main pillars and with Veracode on our side, we have the roadmap we need to continue our journey of success.”
Veracode helps Inter with its secure development program, reducing scan time and ensuring business agility
After becoming a publicly traded company, Inter saw immediate growth in its customer base, revenue, and number of employees. Investors and executives were pleased with the growth trajectory and wanted to continue pushing cutting-edge software to customers. But to continue to confidently release new software and protect its growing numbers of customers and investors, Inter’s security and development teams knew that they needed to ramp up their application security (AppSec) program.
As Lucas Bernardes, Director of Data, Security, and Operational Risks at Inter, stated, “Despite the challenges related to cybersecurity, we always had the support of executives and stakeholders to develop the new application security program. We were all excited about the company’s growth so we wanted an application security program that could keep pace with our new product and software releases. We had to make sure we chose an AppSec vendor that could integrate and automate their scans into our existing development tools and processes.”
After exploring several solutions, Inter decided on Veracode, specifically static analysis to scan first-party code, dynamic analysis to scan applications in real time, and software composition analysis to scan for flaws in open source libraries. Veracode’s main selling points were its comprehensive DevSecOps integrations and quality of reporting. Inter appreciated that with Veracode, it could integrate the scans into its existing software development pipeline, and it could use Veracode APIs to integrate with GitLab.
Nathan Marques, Security Architecture, AppSec, and DevSecOps Coordinator at Inter, mentioned that Veracode analytics was also a benefit. “Veracode was a top choice because it provides the best reports about our own code failures, third-party components, and legal risks. It helps you assess what applications are at risk and which ones are safe,” said Marques. “As a rapidly growing company, we want to avoid as many false positives as possible, so this data is huge. Veracode also allows us to be more assertive in deploying controls in pipelines, creating a scalable solution, and focusing the team’s efforts on applications that need more attention, thus helping us show our executives and stakeholders our real improved risk.”
Once the process was in place and developers were scanning their code early and often, the results were tremendous. “We have well over 1,000 deployments a month,” said Bernardes. “But our developers became so efficient that scans went from 16 minutes to less than six minutes.”
Veracode was put to the ultimate test with the release of Inter’s recent smartphone app that is focused on non-bank account holders. This version of the app gives non-account holders cashback for shopping at designated stores. “With this application, our top concerns – beyond security – were user experience and agility to enter the market. We couldn’t have delays with our software releases because of slow AppSec scans,” Bernardes remarked.
Veracode lived up to its expectations, and Inter is expected to reach BRL3.5 billion in revenue from its marketplace. “We have developed a scalable solution that supports Inter’s growth, ensuring security and reliability in our products,” said Marques.
Looking ahead, Inter is already expanding into international markets. Although international expansion comes with its share of risk, one thing that Inter is confident in is its security. “Brazil’s General Data Protection Law went into effect in August 2020. Veracode has helped us remain compliant from the beginning of product development. We are confident that it can help us meet compliance regulations in other countries as well,” said Bernardes. “With Veracode on our side, we have the roadmap we need to continue our journey of success.”
“We were reluctant to impact our CI/CD pipelines, but Veracode made it possible to achieve security and agility at the same time.”