Since its founding in 2016, Pismo has rapidly gained global recognition for continuing to drive innovation and empowering some of the largest banks, financial institutions, and marketplaces—all while keeping high security and availability standards at the forefront for their digital banking and payment solutions.
The Brazilian-based technology company, which has offices in the United States and the United Kingdom, provides an all-in-one, cloud-native platform for banking and payments processing on AWS. It provides APIs for customers’ web or mobile applications so they can leverage Pismo’s infrastructure as their back end. Using Pismo, banks and financial technology companies are able to quickly launch secure payment solutions.
Since payment applications host a wealth of personally identifiable information, they need to be verifiably secure. Customers repeatedly chose Pismo because they take security very seriously.
In a recent effort to further ensure the security of its software, Pismo brought onboard Ubirajara Aguiar Jr. to build and lead the DevSecOps team. Aguiar immediately stepped up to the plate, assessing the state of application security (AppSec) and identifying areas for improvement.
His recommendations included moving security further left—earlier in the software development lifecycle (SDLC)—and leveraging an AppSec vendor with a more comprehensive and scalable suite of testing types.
“We evaluated AppSec vendors with high ratings from Gartner. As a leader in the Gartner Magic Quadrant, Checkmarx was a strong contender,” said Aguiar.
To narrow down the list of potential vendors, Pismo’s DevSecOps team came up with a list of “must-have” capabilities. For starters, the chosen solution needed to support multiple development languages, offer bi-directional integration with bug tracking tools, create and close tickets automatically, and identify reoccurring false positives. The solution also needed to be developer friendly, with the ability to integrate and automate into developers’ existing tools and processes.
“We always kept our developers in mind when thinking about the new tools,” Aguiar explained. “We wanted the transition to be smooth and transparent and didn’t want them worrying about dealing with tickets or keeping track of cards. We specifically looked for tools that would make our developers’ work easier and more productive.”
Last, but just as important, the tool needed to allow for flexible policies to break the build if high- or medium-risk vulnerabilities were identified.
Checkmarx met the list of requirements and then some, making it the clear winner. The first Checkmarx solution that Pismo invested in was Static Application Security Testing (SAST).
SAST is an enterprise-grade application security testing solution that provides high-speed, fully automated, flexible, and accurate source code analysis to identify security errors that could lead to vulnerabilities in custom code. With the flexibility to run full and incremental scans whenever needed, Checkmarx SAST provides Pismo with comprehensive, highly accurate reports that prioritize vulnerabilities according to their severity, guiding developers on what they need to remediate first. Checkmarx SAST also supports a full list of programming languages and frameworks.
Pismo also invested in Checkmarx Software Composition Analysis (SCA), which integrates with SAST.
Pismo uses SCA in the cloud to provide extensive security coverage for custom and open-source code. With Checkmarx SCA, Pismo is able to uncover vulnerabilities not only in the third-party code that their developers directly use but also vulnerabilities in any dependencies that the third-party code calls on.
Since onboarding the tools, there has been a major shift in Pismo’s security culture. “Developers have been actively using Checkmarx SAST and SCA.” As Aguiar stated, it certainly helps that “the tools are so well integrated into our processes.”
Pismo already has policies in place for Checkmarx SAST. “The teams fix only low-risk issues, and Checkmarx blocks the merge of any new high or medium-risk issues. That’s a great feeling.”
The team is also working hard on the Checkmarx Software Composition Analysis strategy. “We’re now focused on assessing vulnerabilities and giving them one of four ratings: one being most critical and vulnerable; two being potentially vulnerable but not enough information; three being using packages with reported vulnerabilities, but not under vulnerable conditions, and four being using outdated packages with no vulnerabilities,” said Aguiar.
The risk reduction has been so impressive that Aguiar and his DevSecOps team have been able to show Pismo’s Head of Information Security/CISO Leonardo Carmona and business executives the critical metrics and KPIs that show progress since deploying Checkmarx.
“We created a chart plotting risks and vulnerabilities and, at first, there were a high number of issues with high risk. Now, every single one of them is at the zero mark, since they’ve all been fixed,” Aguiar concluded. All in all, “the money we invested in Checkmarx was well spent.”
Pismo is excited to continue working with Checkmarx to keep its applications and customers safe.
To learn more about the challenges and solutions that led to Pismo’s success, download the full case study.