Pismo

CUSTOMER STORY

PISMO SECURES ITS SOFTWARE DEVELOPMENT PIPELINE WITH CHECKMARX

Pismo is a technology company that provides an all-in-one platform for banking and payment processing. It is continuously evolving and innovating to meet the needs of its customers with the most advanced financial processing platform on the market.

“We take security seriously, and our customers rely on us for that. We needed tools that were dynamic enough for our evolving processes—tools that were proven, stable, and scalable. We were thrilled to find Checkmarx, which helped us improve the SLA for identifying and remediating risk, reduce risk and the number of vulnerabilities, and eliminate high- and medium-risk issues.”

– Ubirajara Aguiar Jr., Tech Lead, Red Team/DevSecOps, Pismo

THE NEED

Shift AppSec Further Left and Leverage Developer-Friendly Tools and Processes

Pismo is a cloud-native platform running on AWS. It exposes APIs that customers' web or mobile applications call, so customers can use Pismo's infrastructure as their back end. Pismo's customer base, made up of banks, financial technology (fintech) companies, and non-financial institutions, leverages this technology to quickly launch and scale digital banking and payments solutions with high security.

To ensure the utmost security for its digital banking and payment solutions, the company brought on Ubirajara Aguiar Jr. two years ago to build and lead the Red Team/DevSecOps function at Pismo. He quickly realized that the tools and processes in place, and the culture of development security, needed improvement.

THE SOLUTION

Why Pismo Chose Checkmarx

CHECKMARX SOLUTIONS
Checkmarx Static Application Security Testing
Checkmarx Software Composition Analysis

After consulting with Gartner to identify potential AppSec vendors, Aguiar reviewed eight vendors and narrowed the field to three for a proof of concept (PoC) that simulated a real development pipeline. Pismo ultimately selected Checkmarx Static Application Security Testing (SAST) and Software Composition Analysis (SCA).

Checkmarx was the vendor of choice because it supports multiple development languages, offers bi-directional integration with bug tracking tools, creates and closes tickets automatically, and identifies recurring false positives.

In addition, Checkmarx tools can be easily integrated into developer routines to encourage adoption while minimizing friction or resistance—which is very important to Pismo. “We always kept our developers in mind when thinking about the new tools. We wanted the transition to be smooth and transparent and didn’t want them worrying about dealing with tickets or keeping track of cards. We specifically looked for tools that would make our developers’ work easier and more productive.”

Most importantly, Checkmarx tools allow Pismo's development team to set policies that block high- and medium-risk code vulnerabilities in their main repositories.

“Checkmarx offers impressive tools that are dynamic enough to handle our many deployments, our many developers, and our many APIs.”

– Ubirajara Aguiar Jr., Tech Lead, Red Team/DevSecOps, Pismo

THE BOTTOM LINE

Established a Robust DevSecOps Program and Reduced Vulnerabilities

The rollout of Checkmarx took place in phases. "We started by installing the tools, creating the necessary environments, and delivering an initial assessment," Aguiar said. Onboarding developers also took place in phases. Pismo now has 40 of its 100 developers worldwide using Checkmarx. As Aguiar noted, onboarding was so easy that some developers onboarded themselves.

Time to remediation and streamlined reporting have been the major advantages. "We could settle our SLA to just 14 days for remediating any SAST vulnerability." It is also easy to show the CISO and business executives critical metrics and KPIs. "We created a chart plotting risks and vulnerabilities and, at first, there were a high number of issues with high risk. Now, every single one of them is at the zero mark," Aguiar said. "In a short period of time, our founders and directors knew that the money we invested in Checkmarx was well spent."

Pismo worked with Checkmarx partner NOVA8 to deploy the new tools and provide professional services around them. "Nova8 is a valued partner," said Aguiar. "Whenever we need them, they are there to help us. They have a great knowledge base, seasoned professionals that have been through many different deployments and have helped us solve for issues that we could not imagine solving ourselves."

Pismo's AppSec solution, Checkmarx SAST, is hosted in an AWS environment provided by Checkmarx and connects to Pismo's development environment over a VPN. Running Checkmarx SAST on AWS helped Pismo achieve a seamless deployment.

PISMO DEVELOPERS LOVE USING CHECKMARX APPSEC SCAN TOOLS

Improved Pismo's security culture
Eliminated high- and medium-risk vulnerabilities
Reduced number of unpatched vulnerabilities
Lessened time to remediation

INTERESTED IN LEARNING MORE?

For additional details on how Pismo further secured its applications with Checkmarx, check out the full success story.