Since its founding in 2016, Pismo has quickly gained global recognition for driving innovation and improving the operational capacity of some of the largest banks and financial institutions, maintaining high standards of security and availability at the forefront of the digital banking and payment solutions it provides to the market.
The technology company, headquartered in Brazil and with offices in the United States and the United Kingdom, offers a comprehensive cloud-native platform for banking and payment processing via Amazon’s AWS cloud platform. Its solution provides APIs for clients’ web or mobile applications so they can leverage Pismo’s infrastructure as their operations back-end. Using Pismo, banks and financial technology companies can quickly bring secure payment solutions to market.
Since payment applications host a large amount of personal information, they must be demonstrably secure, and companies repeatedly choose Pismo because they take security very seriously.
In a recent effort to further ensure the security of its software, Pismo brought on Ubirajara Aguiar Jr. to build and lead the DevSecOps team. Aguiar immediately took control with a comprehensive view of systems development, assessing the state of application security (AppSec) in his organization and identifying potential areas of improvement.
His recommendations included the concept of ‘shifting security left’—considering security from the outset of the software development lifecycle (SDLC)—and seeking an AppSec vendor with a more comprehensive and scalable set of test types for this environment.
“We evaluated the top-rated AppSec vendors, and as a leader in the Gartner Magic Quadrant, Checkmarx was a strong contender in this area”, said Aguiar.
To narrow down the list of potential vendors, Pismo’s DevSecOps team presented a list of ‘must-have’ features. For starters, the chosen solution needed to support multiple development languages, offer bidirectional integration with bug tracking tools, create and close tickets automatically, and identify recurring false positives. The solution also needed to be developer-friendly, with the capability to integrate and automate existing developer tools and processes.
“We always think about our developers when looking for new tools”, explained Aguiar. “We wanted the transition to be smooth and transparent and did not want them to worry about handling tickets or managing cards. We specifically looked for tools that would make our developers’ work easier and more productive.”
Last but equally important, the tool needed to enable flexible policies to break the build if high- or medium-risk vulnerabilities were identified.
Checkmarx met this list of requirements and many others, becoming the clear winner in the comparison. The first Checkmarx solution Pismo invested in was Static Application Security Testing (SAST).
SAST is an enterprise-level application security testing solution that provides high-speed, fully automated, flexible, and accurate source code analysis to identify security flaws that could lead to vulnerabilities in the code. With the flexibility to perform full and incremental scans whenever necessary, Checkmarx SAST provides Pismo’s team with comprehensive and highly accurate reports that prioritize vulnerabilities by severity, guiding developers on what to fix first. Checkmarx SAST also supports a complete list of programming languages and frameworks.
Pismo also invested in Checkmarx Software Composition Analysis (SCA), which integrates with SAST. They use SCA in the cloud to provide extensive security coverage for open source and custom code. With Checkmarx SCA, Pismo is able to uncover vulnerabilities not only in third-party code their developers use directly but also vulnerabilities in any dependencies that third-party code might call.
Since implementing the tools, there has been a significant shift in Pismo’s security culture. “Developers have been actively using Checkmarx SAST and SCA.” As Aguiar highlights, it certainly helps that “the tools are so well integrated into our processes.”
Pismo already has policies in place for Checkmarx SAST. “The teams only fix issues considered low-risk, and Checkmarx prevents new high- or medium-risk issues from being incorporated into the code. It feels great to see this happening.”
The team is also working hard on the SCA strategy using Checkmarx. “We are now focused on evaluating vulnerabilities and assigning them to one of four classifications: one being the most critical and vulnerable; two being potentially vulnerable but lacking sufficient information; three using packages with reported vulnerabilities but not in vulnerable conditions; and four using outdated packages without vulnerabilities”, said Aguiar.
The risk reduction has been so impressive that Aguiar and his DevSecOps team have been able to show Pismo’s Information Security Head/CISO, Leonardo Carmona, and the company’s business executives the critical metrics and KPIs that indicate progress since the implementation of Checkmarx.
“We made a chart tracing risks and vulnerabilities, and initially there was a large number of high-risk issues. Now, each one is at the zero mark, as they have all been corrected”, concluded Aguiar. In summary, “the money we invested in Checkmarx was well spent.”
Pismo is excited to continue working with Checkmarx and keep their applications and clients permanently safe.
To learn more about the challenges and solutions that led to Pismo’s success, download the full case study by clicking here.
