With Veracode, Keap improves its code quality and recognizes cost and time savings.
The Challenge
Customers trust Keap to protect their sensitive data. If a breach were to occur, it would not only have devastating effects on the customer, it would diminish that trust. So when Rajesh Bhatia, Chief Technology Officer, started at Keap, one of his first orders of business was to replace their existing application security (AppSec) program with a more comprehensive solution.
Bhatia wanted to find an AppSec vendor that would not only help Keap developers find flaws but also help fix flaws with remediation guidance and support. And since Keap processes payments, it was also important to find a vendor that could help them meet PCI compliance and state regulations.
The Solution
After reviewing several AppSec vendors, Veracode was the clear choice. As Bhatia remarked, “Veracode is the industry expert in AppSec and offers multiple testing types.”
Veracode offers the solutions that Keap was looking for, Veracode Static Analysis and Veracode Dynamic Analysis, and delivers remediation guidance and technical support to help developers swiftly and thoroughly remove vulnerabilities.
Veracode also provides a scalable way to assess applications across multiple standards to achieve and demonstrate compliance with both government regulations and customer requirements.
And, as an added bonus, Veracode is a cloud-native AppSec provider. Corrado Neri, Director of Cloud Operations and Architecture at Keap, stated that Keap is open to on-premises solutions when need be, but SaaS solutions are preferred. “With SaaS solutions, we don’t need to waste time dealing with servers,” Neri said. “We can use the time saved to increase productivity and add value for our customers.”
Results
Since implementing Veracode, Keap has followed AppSec best practices, like integrating and automating its application security testing solutions into the CI/CD lifecycle. With scans integrated and automated there, Keap developers are finding flaws earlier, which has resulted in significant time and cost savings. Developers are also fixing flaws faster with Veracode’s remediation guidance.
Keap took advantage of Veracode’s 30-plus DevSecOps integrations by integrating its Veracode solutions with Jira. Since integrating with Jira, Keap developers are receiving scan results instantaneously – a task that used to take weeks. The integration has also eliminated the need for a Jira administrator. “Since Veracode integrates with Jira, we no longer need someone to enter and assign security tickets to developers. We are able to use that resource for more productive tasks,” said Joseph Mask, Staff Site Reliability Engineer at Keap.
As for PCI compliance and state regulations, both Bhatia and Neri feel that the audits went much more smoothly now that they have Veracode AppSec. “Our auditors feel good about how things went,” said Bhatia. “Our audits will now be more frequent and much shorter … which we are very happy about.”
With faster scan times, improved fix rates, and seamless audits, Keap can release new software and make application enhancements even faster than before with total confidence that its code is secure. “We are very happy with the products and services we received from Veracode and we look forward to what’s to come at Keap.”
About Keap
Keap is a SaaS-based software leader that provides an all-in-one CRM, powering sales and marketing automation for small businesses. Keap products are designed to help businesses increase profit and build their book of business by automating follow-ups, tracking leads, and closing sales. In the past year, Keap has enabled its 125,000 users to add more than 4 million contacts, send more than 24 billion emails, and process more than $2.5 billion in invoices.