"Netsparker are not just another vendor from whom we purchase software; they are like business partners. We have to trust their products do a good job to ensure the security of our cloud-based platforms, else our business' reputation could be on the line. And Netsparker have earned such trust." - Jade Ohlhauser, CTO, RPM Software
Who is RPM Software?
RPM Software develops cloud-based process management software for businesses operating in industries such as telecommunications, construction, oilfield services and government. It has been operating since 2001 and is based in Calgary, Canada.
The Web Security Challenges RPM Software Faced
Ensuring the Cloud-Based Software is Secure
As a cloud-based software developer and provider, RPM Software is responsible for the sensitive data its customers store on its solutions, so it cannot afford to take web application security lightly. As Jade Ohlhauser, RPM Software's CTO, explains: "Our entire business is our hosted platform and depends on our reputation as a trusted keeper of data. If we lose the confidence of our customers, our entire ability to operate would be in jeopardy."
Shouldn't every business take web application security seriously? Granted, but the challenge for cloud-based software developers and providers is bigger than it sounds. Cloud-based software, also known as Software as a Service (SaaS), is typically a collection of complex web applications that must be available 24/7 to customers, and every new feature or update extends the attack surface. So the task is not as simple as scanning a single website: you need a solution that scales easily, identifies all the possible attack surfaces and automates as much of the work as possible.
Keeping Up the Pace of Development While Keeping Costs Down
In the early days, the RPM Software team did manual web security audits and also hired third-party professional help. But as the business grew, new features were added and the solutions became more complex, that approach could no longer keep up.
"We could not keep on depending solely on manual penetration testing because of new features and frequent product updates. Therefore we needed an automated solution so as not to hold back the products' growth, yet at the same time allowing us to properly test new functionality and improvements, and ensuring they do not have any unintended security consequences," said Mr Ohlhauser. "We also needed to start doing the web security audits ourselves. We couldn't depend anymore on third-party assistance because it is expensive and, rightfully so, they have other customers, hence they are not always readily available."
The Solution: A Scalable & Online Automated Web Vulnerability Scanner
After evaluating several solutions, RPM Software decided on Netsparker. They originally used Netsparker Desktop but have since switched to Netsparker Cloud because, as RPM Software's CTO explains, "the cloud account can be used from any machine and does not require managing local software."
But it is not just the ease of use that got the RPM Software team hooked on Netsparker Cloud. "Netsparker's ranking and detailed information on the vulnerabilities that are found make acting on the results efficient. For example, Netsparker finds various things on our application that are marked as the lowest threat level. Most we won't act on, but it's good to know they are being checked and it introduces us to things we may not have known. When there is a more serious vulnerability, the detailed test results and links to further information have simplified resolving the issues."
Netsparker Cloud Saves the Day
The RPM Software team follow development and operational best practices and have never had to deal with a critical vulnerability. Netsparker did, however, once identify a cross-site scripting vulnerability in one of the service's error pages on the staging website. Error pages are a common place for this class of bug: they often echo the requested URL, a parameter or a header back to the user, and they are rarely covered by functional testing because nobody writes a test for the page they never expect to see.
Hats off to RPM Software for leading by example and testing their code both in a staging environment and once it is live. Had such a vulnerability reached the live service, the consequences could have been different. Prevention is better than cure, and that is exactly what RPM Software does here: scan the web applications for vulnerabilities and fix them before they are promoted to the live environment, rather than dealing with a successful attack afterwards.
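To make the staging finding concrete, here is an added illustration of how a reflected cross-site scripting bug typically arises in an error page, beside the hardened version and a scanner-style reflection check. This is example code written for this page; it is not RPM Software's or Netsparker's code, nothing is known about the actual page that was found, and the handler, marker string and probe paths are all constructed for the demonstration.

```python
import html

# Added illustration (not RPM Software's or Netsparker's code): a minimal
# "404 Not Found" handler that echoes the requested path, as many hand-written
# error pages do, in a vulnerable and a hardened form, plus a scanner-style
# reflection check. The paths and probes below are constructed.


def render_404_vulnerable(request_path: str) -> str:
    """Reflects the raw path into an HTML text context: reflected XSS."""
    return (
        "<html><body><h1>404 Not Found</h1>"
        f"<p>The page {request_path} does not exist.</p>"
        "</body></html>"
    )


def render_404_hardened(request_path: str) -> str:
    """Same page, but the path is HTML-escaped for the context it lands in."""
    safe_path = html.escape(request_path, quote=True)
    return (
        "<html><body><h1>404 Not Found</h1>"
        f"<p>The page {safe_path} does not exist.</p>"
        "</body></html>"
    )


# Probes a scanner might send to an unknown URL. The first is a harmless
# marker used to detect reflection at all; the rest carry HTML metacharacters.
PROBES = [
    "/nsmarker7f3a9",                          # constructed reflection marker
    "/missing<script>alert(1)</script>",       # tag injection in a text context
    '/missing"><img src=x onerror=alert(1)>',  # would also break out of an attribute
]


def reflects_unescaped(render, probe: str) -> bool:
    """True if the probe appears verbatim (unescaped) in the rendered page."""
    return probe in render(probe)


def scan_error_page(render) -> dict:
    """Run every probe against an error-page renderer.

    Returns {probe: True/False}. The plain marker reflecting is expected and
    harmless; a True for a probe containing '<', '>' or a quote means the page
    reflects untrusted input without encoding it.
    """
    return {probe: reflects_unescaped(render, probe) for probe in PROBES}


def is_vulnerable(render) -> bool:
    """Summarise a scan: any probe with HTML metacharacters reflected verbatim."""
    results = scan_error_page(render)
    return any(
        hit for probe, hit in results.items() if any(c in probe for c in "<>\"'")
    )


if __name__ == "__main__":
    for name, render in [("vulnerable", render_404_vulnerable),
                         ("hardened", render_404_hardened)]:
        print(name, "->", "XSS" if is_vulnerable(render) else "clean")
```

Two points a practitioner will want to keep in mind. First, the check is deliberately two-staged, marker then payload, because reflection on its own is not a bug; the marker reflects in both versions, and only the metacharacter probes distinguish them. Second, escaping must match the output context: `html.escape` is right for text and double-quoted attributes, but a path reflected inside a `<script>` block or a JavaScript event handler needs different encoding, which is one reason the finding deserves the "detailed test results" the CTO describes rather than a generic fix.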
The Future Is With Netsparker Cloud
RPM Software has trusted Netsparker's scanning technology since 2010 and has no intention of going anywhere else. "Netsparker are not just another vendor from whom we purchase software; they are like business partners. We have to trust their products do a good job to ensure the security of our cloud-based platforms, else our business' reputation could be on the line. And Netsparker have earned such trust," concluded RPM Software's CTO Jade Ohlhauser.