By the end of 2023, Iguatemi faced a silent but urgent challenge: although they had an AppSec solution already implemented by a previous team, effective vulnerability management was still nascent. Applications were connected to the platform, but usage was superficial and lacked strategic direction.

There was a lack of visibility, alignment with technical leadership, and, most importantly, a structured process to transform data into real risk mitigation actions. The absence of governance over vulnerabilities, coupled with internal restructuring, indicated the need for external support to reclaim the value of the already contracted solution.

Unlocking the potential of the solution
The first meeting between Iguatemi and Nova8 took place at the end of December 2023. From then on, a joint journey began to recover, organize, and optimize the use of the AppSec solution. The work focused on adapting it to the business’s reality, building a DevSecOps model connected to the company’s strategy.

With technical advisory support — especially from the specialized team at Nova8 — it was possible to structure customized scan presets, based on frameworks like OWASP and adapted to the internal applications’ specificities. In about five months, the progress was already tangible.

From visibility to governance
With configurations aligned and the team properly oriented, the major gain became visibility. For the first time, the technical area could clearly understand the risk scenario and present this overview to other organizational areas — including business leadership.

With technical understanding and demonstrations of operational impacts, Iguatemi obtained support to restructure critical applications and implement direct mitigation actions. The maturity achieved elevated the security team’s role within the organization’s digital ecosystem.

Consolidated results
With the restructuring work, the number of monitored applications jumped from 3 to 11. The expanded visibility enabled a coordinated action to address hundreds of critical vulnerabilities. What was once just a contracted solution became a living process integrated into the company’s development cycle.

Next steps
With application security governance established, Iguatemi is advancing on expansion and continuity initiatives. The plan is to include new applications within the scope and continue improving workflows and integrations, with the ongoing support of Nova8 as a technical partner.

By transforming visibility into governance and technology into process, Iguatemi overcame the challenge of implementing an AppSec culture and was able to boost its security maturity, even in challenging and constantly evolving contexts. The experience reinforces that security maturity goes beyond choosing a solution: it requires strategic alignment, technical partnership, and long-term commitment.