Case Study: How Playtech integrates Checkmarx for a secure SDLC

As a leader in its field, Playtech continuously acquires new companies and integrates new technologies into its platform. As a result, the company has a diverse code base consisting of millions of lines of code (LoC) across a wide range of products. With over 1,000 developers in its R&D team and practically all major coding languages in use, including .NET, Java, Python, Perl, C++, HTML5 and Objective-C, performing code analysis has become a challenge. Enter Checkmarx.

1. The Requirements
Playtech places a lot of emphasis on application security. The company implements a structured Secure Development Lifecycle (SDL) methodology, whereby software security is taken into consideration in every step of the SDLC, namely during the requirements, design, implementation, development and QA phases. Playtech has been using automated code analysis from the very early days of the company, with security bugs given the same priority and treatment as any other bug.
PLAYTECH
CHECKMARX'S Case Study

Overview
COUNTRY: Mannin (Isle of Man, British Isles)
INDUSTRY: Online gaming, gaming software
WEB SITE: www.playtech.com

PROFILE:
Playtech is the world's largest online gaming software supplier traded on the London Stock Exchange Main Market, solutions to the industry's leading operators. Since Playtech's inception in 1999, its approach has been centered on the continual development of best-of-breed gaming products and content, and its success built upon strong partnerships with its licensees.

SOLUTION:
Playtech's product suite can be fully integrated into a complete cross-platform broadcast, mobile and server-based gaming terminals through a single account. Leading online gaming applications include online casino, poker, bingo, sports betting, live gaming, casual
Due to the complex software development environment Playtech operates, an automatic Static Application Security Testing (SAST) solution must be used during the development phase to scan the entire code base. The tool must be flexible enough to enable Playtech to enforce its security policy and various regulatory requirements. Each scan covers at least hundreds of thousands of LoC, so result accuracy and scan-time performance are key considerations if critical development work is not to be interrupted.

Playtech developed its own application security standard, which extends the OWASP Top 10 and SANS 25 standards. The company is also certified to the ISO 27001 and PCI DSS standards and complies with hundreds of rigorous regulations set by the countries it operates in, which audit Playtech frequently.
2. The Alternatives
The Checkmarx selection

Playtech has numerous code analysis solutions in place and is familiar with the capabilities of the solutions in the marketplace. The biggest disadvantage of other tools was the requirement to scan compiled code. Playtech wanted a solution that was capable of running the scans during the development lifecycle in order to achieve a true SDL, and none of the other solutions supported that.

The ability to easily customize the rule sets to enforce Playtech's security policy was another thing that proved difficult with other solutions and was a non-issue using Checkmarx's open query language.
The Implementation
Playtech started small. Its objective was to start scanning a few smaller projects using Checkmarx. After running on a few projects for a few months, Playtech saw that the outcome was successful. Both the security team and the developers found the solution useful and easy to use, so the implementation was expanded to larger projects. At the moment Checkmarx scans more than 90% of the projects, and the number keeps growing. Every developer has the IDE plugin suitable for them (Visual Studio, Eclipse) and is a lot more cooperative because they get the security findings while everything is still fresh in their mind. It's very easy to use; even new developers don't need any training, because it's all in the IDE they are used to anyway. Every medium/high severity bug is automatically entered into JIRA bug tracking.
The security team at Playtech loves Checkmarx because of the flexibility and independence it provides them to do their job. Being a small security team within such a large company, the task of staying up to date with the ever-growing code base is a great challenge. Compilation-based SAST tools required achieving a build, and compilation errors in the process of achieving a build consumed a lot of the security team's precious time and often required assistance from the R&D team. Checkmarx automatically charts the data flow in the application and suggests the optimal remediation points, which significantly reduces the mitigation efforts of R&D. In addition, the ability to write custom queries for Playtech's various purposes (not necessarily all security related) is priceless.
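To illustrate what an "optimal remediation point" in a charted data flow means, here is an added example that is not Checkmarx's code or algorithm and not Playtech's: it builds a small data-flow graph, enumerates every source-to-sink flow (each flow being one finding), and picks the intermediate node that lies on the most flows, since sanitising there closes the most findings with a single change. The graph, the node names and the tie-break rule are constructed assumptions for the illustration.

```python
from collections import defaultdict

# Constructed sample data-flow graph (not produced by any real scanner):
# each key is a value or call in the application, and each entry in its
# list is something that value flows into.  Two interactive inputs
# converge in a shared helper and then fan out to a SQL sink and a
# file-system sink.
EDGES = {
    "Request.QueryString['id']": ["ParseId"],
    "ParseId": ["NormalizeInput"],
    "Request.Form['name']": ["NormalizeInput"],
    "NormalizeInput": ["BuildWhereClause", "BuildExportPath"],
    "BuildWhereClause": ["SqlCommand.ExecuteReader"],
    "BuildExportPath": ["File.Open"],
}
SOURCES = {"Request.QueryString['id']", "Request.Form['name']"}
SINKS = {"SqlCommand.ExecuteReader", "File.Open"}


def find_flows(edges, sources, sinks):
    """Enumerate every simple source->sink path; each one is a separate finding."""
    flows = []

    def walk(node, path):
        if node in sinks:
            flows.append(path)
            return
        for nxt in edges.get(node, []):
            if nxt not in path:          # ignore cycles
                walk(nxt, path + [nxt])

    for src in sorted(sources):
        walk(src, [src])
    return flows


def best_fix_location(flows):
    """Intermediate node that lies on the largest number of flows.

    Sanitising there closes the most findings with one change.  Ties go to
    the node nearest the sinks, where the required encoding (query
    parameterisation, path canonicalisation) is known.  Returns None when
    no flow has an intermediate node.
    """
    on_flows = defaultdict(int)
    dist_to_sink = {}
    for path in flows:
        for pos, node in enumerate(path[1:-1], start=1):
            on_flows[node] += 1
            d = len(path) - 1 - pos
            dist_to_sink[node] = min(dist_to_sink.get(node, d), d)
    if not on_flows:
        return None
    return max(on_flows, key=lambda n: (on_flows[n], -dist_to_sink[n]))


def remaining_after_fix(flows, fixed_node):
    """Flows still open if `fixed_node` sanitises everything passing through it."""
    return [p for p in flows if fixed_node not in p]


if __name__ == "__main__":
    flows = find_flows(EDGES, SOURCES, SINKS)
    print(f"{len(flows)} flows found")
    print(f"best fix location: {best_fix_location(flows)}")
    left = remaining_after_fix(flows, "ParseId")
    print(f"flows left if only ParseId is fixed: {len(left)}")
```

Fixing at `ParseId`, the node a developer sees first when reading a single finding, leaves the two `Request.Form` flows open; fixing at `NormalizeInput` closes all four. That difference is the point of ranking fix locations across the whole set of flows rather than per finding.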
Another excellent byproduct of implementing a true SDL is that the developers are automatically trained in writing secure code, because they get immediate feedback detailing the security vulnerabilities found in their code. The developers say they find it more effective than any other training they've done.
The Bottom Line
Checkmarx proved to be of great benefit to Playtech's infosec team with the implementation of the SDL. The scan results for the major coding languages are incredibly accurate. Support levels are unbelievable. The solution is highly flexible and is easily customized to the company's ever-changing requirements.
Checkmarx is loved by both our infosec team and our developers. It is easy to use
enforce our application security policy.
Kobi Lechner
Information Security Manager
Playtech