The Requirements

and integrates new technologies into its platform. As a result, the company has a diverse code base consisting of millions of lines of code (LoC) across a wide range of products. With over 1,000 developers in its R&D team and practically all major coding languages in use by its developers (e.g. .NET, Java, Python, Perl, C++, HTML5, Objective C), the task of performing code analysis has become a challenge.

Playtech places a lot of emphasis on application security. The company implements a structured Secure Development Lifecycle (SDL) methodology, whereby software security is taken into consideration in every step of the SDLC, namely during the requirements, design, implementation, development & QA phases. Playtech has been using automated code analysis from the very early days of the company, with security bugs being given equal importance and treatment as any other bug.
PLAYTECH
CHECKMARX'S Case Study

Overview
COUNTRY: Mannin (British Island)
INDUSTRY: Online gaming, gaming software
WEB SITE: www.playtech.com
PROFILE: Playtech is the world's largest online gaming software supplier traded on the London Stock Exchange Main Market, solutions to the industry's leading operators. Since Playtech's inception in 1999, its approach has been centered on the continual development of best-of-breed gaming products and content, and its success built upon strong partnerships with our licensees.
SOLUTION: Playtech's product suite can be fully integrated into a complete cross-platform broadcast, mobile and server-based gaming terminals through a single account. Leading online gaming applications include online casino, poker, bingo, sports betting, live gaming, casual
Due to the complex software development environment Playtech operates, an automatic Static Application Security Testing (SAST) solution must be used during the development phase to scan the entire code base. The tool must be flexible enough to enable Playtech to enforce its security policy and various regulatory requirements. Each scan consists of a minimum of hundreds of thousands of LoC, and result accuracy and scan-time performance are key considerations so that critical development work is not interrupted.

Playtech developed its own application security standard, which is an extension of the OWASP Top 10 & SANS 25 standards. The company is also certified to the ISO 27001 & PCI DSS standards and complies with hundreds of rigorous regulations set by the countries it operates in, which audit Playtech frequently.
The Alternatives

Playtech has numerous code analysis solutions in place and is familiar with the capabilities of the solutions in the marketplace. The biggest disadvantage of other tools was the requirement to scan compiled code. Playtech wanted a solution that was capable of running the scans during the development lifecycle in order to achieve a true SDL, and none of the other solutions supported that.

The ability to easily customize the rule sets to enforce Playtech's security policy was another thing that proved difficult with other solutions and was a non-issue using Checkmarx's open query language.

The Implementation

Playtech started small. Their objective was to start scanning a few smaller projects using Checkmarx. After running on a few projects for a few months, Playtech saw that the outcome was successful. Both the security team and the developers were finding the solution useful and easy to use, so the implementation was expanded to larger projects. At the moment Checkmarx scans more than 90% of the projects and keeps growing. Every developer has the IDE plugin suitable for them (Visual Studio, Eclipse) and is a lot more cooperative because they get the security findings while everything is still fresh in their mind. It's very easy to use. Even new developers don't need any training. It's all in their IDE, which they are used to anyway. Every medium / high severity bug is automatically entered into JIRA bug tracking.

The Checkmarx Selection

The security team at Playtech loves Checkmarx because of the flexibility and independence it provides them to do their job. Being a small security team within such a large company, the task of staying up to date with the ever growing code base is a great challenge. Using compilation-based SAST tools required achieving a build, and compilation errors in the process of achieving a build consumed a lot of precious time of the security team and often required assistance from the R&D team.

Checkmarx automatically charts the data flow in the application and suggests the optimal remediation points, which significantly reduces the mitigation efforts of R&D. In addition, the ability to write custom queries for Playtech's various purposes (not necessarily all security related) is priceless.

Another excellent byproduct of implementing a true SDL is that the developers are automatically trained in writing secure code because they get immediate feedback detailing the security vulnerabilities found in their code. The developers say they find it more effective than any other training they've done.
The Bottom Line

Checkmarx proved to be of great benefit to Playtech's infosec team with the implementation of the SDL. The scan results for the major coding languages are incredibly accurate. Support levels are unbelievable. The solution is highly flexible and is easily customized to the company's ever changing requirements.

"Checkmarx is loved by both our infosec team and our developers. It is easy to use enforce our application security policy."
Kobi Lechner
Information Security Manager
Playtech
Case Study: How Playtech integrates Checkmarx for a secure SDLC