Prophecy International’s Snare Product Improves Its Time to Market Using Veracode and DevSecOps Best Practices

The Challenge

Since Snare was designed to help customers detect cyberattacks, Prophecy International knew that the application itself had to be secure. “Customers weren’t going to leverage an insecure application to address their security concerns,” said Steve Challans, Chief Information Security Officer at Prophecy International. Prophecy needed a solution to protect its application as well as prove to customers that its application was secure. And, just as important, Prophecy needed a solution to help it meet evolving industry security standards and achieve certifications.

The Solution

After weighing the pros and cons of multiple solutions, the Prophecy team decided on Veracode Static Analysis (SAST) to find and fix vulnerabilities in the IDE and CI/CD pipelines and Veracode Dynamic Analysis (DAST) to scan its web applications in QA and production cycles. Veracode not only came highly recommended by industry peers, but also offers a program, Veracode Verified, to help customers achieve the highest level of application security (AppSec).

By enrolling in the program, Veracode customers are able to meet industry compliance and receive formal attestation regarding their level of security. And since Veracode is an end-toend AppSec solution, by selecting Veracode, Prophecy International can add additional scan types to its AppSec program as it matures.

The Results

Prophecy International started using Veracode Static Analysis and Dynamic Analysis for its Snare application in 2016. Developers took to the new tools right away. They started learning more about security best practices – like DevSecOps – and remediation tactics, and soon after they were scanning code weekly with a CI/CD integration using Jenkins and releasing software faster.

After a successful trial with Snare, Prophecy International started using the AppSec scans for its eMite application. Prophecy International even invested in Veracode Software Composition Analysis (SCA) to scan its open source libraries. As Svetlana Sheptiy, Software Engineering Manager and Scrum Master at Prophecy International stated, “Our AppSec program started with just two scans and one application. But the low false-positive rates, remediation guidance built into the tools, and faster time to market has been so helpful that we’ve expanded our AppSec program to include a second application and a third testing type.”

To mature its AppSec program even more and prove its dedication to security, Prophecy International enrolled in Veracode Verified. Prophecy has already achieved the first tier, Standard, and looks forward to working its way up to the third and final tier, Continuous.

Since starting the program, Prophecy International has noticed a considerable competitive advantage. “After the SolarWinds cyberattack, customers have been all the more vigilant about security,” said Challans. “They only want to work with vendors with proven AppSec programs. And with Veracode Verified, we have third-party attestation of our security measures.”

Veracode Verified has also helped Prophecy International meet strict industry and state- mandated cyber regulations and work toward certifications. “Working with the Veracode Verified program helped us prove some of the security activities needed to complete of our International Organization for Standardization (ISO) 27001 certification” Challans stated.

Another major advantage has been the single platform that shows all the Veracode scan results in one place. Developers can see the scan results for static analysis, dynamic analysis, and software composition analysis on the same screen. This enables development teams to easily evaluate the results and implement progress improvement plans.

Going forward, Prophecy International plans to continue on its path to AppSec maturity. Its near-term goals include finding ways to leverage Veracode SCA with its Snare application and achieving the next level of Veracode Verified. Prophecy also plans to further enable its developers to step up as global security leaders and remediation experts. As Sheptiy stated, “We are proud of our developers and proud to say that our applications are Verifiably secure.”