Case study: ABC Fitness

How ABC Fitness Solutions continuously manages its attack surface as it grows globally

ABC Fitness wanted to scale and explore new ways to optimize each of its web assets by identifying any possible security vulnerabilities and continuously keeping up to date with possible attack surface changes.

About

ABC Fitness Solutions is a premier global software provider helping 31,000+ health clubs, gyms, and studios manage business operations, payment, membership engagement, and more.

Location

Fully remote globally

Company size

1001-5000 employees

Industry

Fitness Software and Services

ABC Fitness Solutions is the largest fitness technology company in the world and the only company on the market that provides software solutions for fitness businesses of any size, anywhere in the world. The organization serves 104 countries across North America, LATAM, and Europe, has 38 million active members across its portfolio, and has a $9.5 billion annual payment processing volume.

Organic growth and strategic acquisitions have resulted in ABC Fitness having new offerings. Today, the organization has 15 websites that it must maintain and secure. These websites need monitoring for business-critical vulnerabilities and security issues as soon as they occur.

To meet its growing demand, the ABC Fitness Technology team wanted to scale and explore new ways to optimize each of its web assets by identifying any possible security vulnerabilities and continuously keeping up to date with possible attack surface changes.

"Our accelerated growth and global scale meant we wanted an evolved way of identifying security vulnerabilities across our company websites. We knew we needed to find a robust solution," says Gary Badstebner, Enterprise Security Architect at ABC Fitness. "The more technology platforms we acquired, the greater the need became."

Discovering unknowns across the attack surface

When evaluating tools, ABC Fitness initially considered several DAST solutions to meet its needs, but Detectify's asset discovery and external attack surface management capabilities stood out.

The organization uses a combination of Detectify's Surface Monitoring, which gives ABC Fitness a powerful way to discover assets it didn't know existed, alongside Application Scanning, which lets it find business-critical vulnerabilities through payload-based testing.

"The solution helped us identify new possible security vulnerabilities; some were in our blind spot," says Gary. "And as [Surface Monitoring] evolves, more and more stuff is being found."

In particular, Surface Monitoring helps the organization control the different technologies across all 15 of its websites. "Using Surface Monitoring identifies what technologies each of our acquisitions has, the versions of the technologies and if they're outdated, or if we need to consolidate or switch technologies across our different organizations so that we're aligned as an enterprise," says Gary.

Alongside its product uniqueness, the level of customer support was also a big draw to Detectify. "Detectify was one of the ones that, through the interview process, we could tell that they were engaged, and that showed through with their support," says Andrew Kerr, Manager of Corporate Information Security at ABC Fitness.
Simple implementation

"Implementation was simple, thanks to the help of Detectify's Technical Success team. With Surface Monitoring, you turn it on, and it works," Gary says.

Surface Monitoring only requires users to verify ownership of a single apex domain to get started. Users can also connect directly to AWS Route 53 or upload a zone file through the solution. Organizations with many websites and domains, like ABC Fitness, can quickly start discovering vulnerabilities across their digital footprint rather than spending weeks in complicated onboarding workflows.

ABC Fitness used Detectify's recorded login feature to ensure that each website is also scanned in the high-value areas behind authentication. Detectify's Technical Success team then helped fine-tune the settings for their scan profiles.

Managing the workflow of 300 developers

With 300 developers globally, a flexible solution was required to triage security vulnerability information to the right teams at the right time. Using the Jira integration, any vulnerability data Detectify discovers is pushed into a Jira ticket in a customizable way to align with how ABC Fitness works with security vulnerability data. Teams can then look at their Jira backlog and work directly with Jira tickets that contain detailed information about the vulnerability such as where and how it was discovered, evidence data, and reference links, all without the need to access the Detectify tool.

Having this information in Jira tickets also means it's easily shareable by all developers and is crucial to speeding up their workflows. Looking forward, ABC Fitness plans to use the Detectify API for automated reporting and to use integrations to push notifications into Slack. Detectify can integrate with hundreds of tools, including vulnerability management (VM) platforms and threat intelligence tools.

Ensuring security policies are enforced

ABC Fitness ensures that no unauthorized technologies are on its attack surface and that the technologies it hosts are up to date. Attack Surface Custom Policies is one of the features the organization uses to reduce the risk of vulnerabilities through its combination of rules and alerts. This helps the organization learn if and when, for example, a technology comes online or a new port opens.
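To make the rule-and-alert idea concrete, here is an added example that is not Detectify's code and does not use its API: it compares two constructed snapshots of an external attack surface inventory and evaluates a small policy set covering the checks mentioned above (a technology coming online, a new port opening, an outdated version, a technology not on the approved list), then renders each alert as a ticket-style record of the kind that the Jira integration described later would carry. All hostnames, technologies, versions, port lists and the inventory format are constructed for illustration.

```python
"""Added example (not Detectify's code): a minimal rule-and-alert evaluation
over two constructed snapshots of an external attack surface inventory."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    host: str
    open_ports: frozenset        # ports observed open from the outside
    technologies: dict           # technology name -> version string (hypothetical format)


# Constructed "previous" snapshot (yesterday's inventory).
PREVIOUS = {
    "www.example-gym.test": Asset("www.example-gym.test", frozenset({443}), {"nginx": "1.24.0"}),
    "portal.example-gym.test": Asset("portal.example-gym.test", frozenset({443}), {"wordpress": "6.4.2"}),
}

# Constructed "current" snapshot: a new host with an outdated server, a new port and an
# unapproved technology on www, and a downgraded (outdated) CMS on the portal.
CURRENT = {
    "www.example-gym.test": Asset("www.example-gym.test", frozenset({443, 8080}),
                                  {"nginx": "1.24.0", "jenkins": "2.414.1"}),
    "portal.example-gym.test": Asset("portal.example-gym.test", frozenset({443}), {"wordpress": "6.1.0"}),
    "legacy.example-gym.test": Asset("legacy.example-gym.test", frozenset({80, 443}), {"apache": "2.4.49"}),
}

# Policy inputs, constructed for the example: what the enterprise allows and the
# minimum versions it has agreed on across its acquisitions.
APPROVED_TECHNOLOGIES = {"nginx", "wordpress", "apache"}
ALLOWED_PORTS = {80, 443}
MINIMUM_VERSIONS = {"wordpress": "6.4.0", "apache": "2.4.58"}


def parse_version(version):
    """Turn a dotted version string into a comparable tuple of integers."""
    return tuple(int(part) for part in version.split("."))


def evaluate_policies(previous, current):
    """Return a list of (host, rule, detail) alerts for policy violations and changes."""
    alerts = []
    for host, asset in sorted(current.items()):
        old = previous.get(host)
        if old is None:
            # A brand-new host is itself the change; skip per-port/per-tech "new" rules for it.
            alerts.append((host, "new_host", host))
        else:
            for port in sorted(asset.open_ports - old.open_ports):
                alerts.append((host, "new_port", str(port)))
            for tech in sorted(set(asset.technologies) - set(old.technologies)):
                alerts.append((host, "new_technology", f"{tech} {asset.technologies[tech]}"))
        # Static rules apply to every host, new or not.
        for port in sorted(asset.open_ports - ALLOWED_PORTS):
            alerts.append((host, "disallowed_port", str(port)))
        for tech, version in sorted(asset.technologies.items()):
            if tech not in APPROVED_TECHNOLOGIES:
                alerts.append((host, "unapproved_technology", tech))
            minimum = MINIMUM_VERSIONS.get(tech)
            if minimum and parse_version(version) < parse_version(minimum):
                alerts.append((host, "outdated_version", f"{tech} {version} < {minimum}"))
    for host in sorted(set(previous) - set(current)):
        # A host that vanished is worth a look too (decommissioned, or DNS changed?).
        alerts.append((host, "host_disappeared", host))
    return alerts


def to_ticket(alert):
    """Render one alert as a ticket-style record (a constructed shape, not Jira's schema)."""
    host, rule, detail = alert
    return {
        "summary": f"[attack-surface] {rule} on {host}",
        "description": f"Rule '{rule}' triggered for {host}: {detail}",
        "labels": ["attack-surface", rule],
    }


if __name__ == "__main__":
    for alert in evaluate_policies(PREVIOUS, CURRENT):
        print(to_ticket(alert)["summary"])
```

The point of the structure is that change-based rules (new host, new port, new technology) need the previous snapshot, while posture rules (allowed ports, approved technologies, minimum versions) are evaluated on every run regardless of history; a real monitoring setup keeps both kinds so a misconfiguration is caught both when it appears and for as long as it persists.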

"If things change, we know right away. The team stays up to date and ensures we stay on top of any configuration changes," says Gary. ABC Fitness gets notified quickly and can shut things down if a flaw has been discovered in a configuration.

They also benefit from the detailed Overview page and reporting, which is particularly helpful for monthly CISO and quarterly board meetings. Teams can easily extract relevant metrics for these meetings and quickly show the value of Detectify.

The ABC Fitness team also has weekly check-ins with Detectify, where spot-checking and implementation recommendations are on the agenda. "The ABC Fitness security teams are experts and clearly understand their security goals, so we can work together to achieve these outcomes," says Wes Crowell, Customer Success Manager at Detectify.
A security tool that provides real business value

The real business value Detectify brings to ABC Fitness is that it lets the organization deliver demonstrable security to its clubs and clients. By using Detectify, the organization can show prospective and existing customers the types of scanning and testing that occur and at what frequency, all aspects that often come up in client security questionnaires. "We can use Detectify to show that we cover many of those bases," says Gary. "It helps to keep us from getting security problems that appear on [our clubs'] systems, keeps our business running smoothly, and supports our customers better," he continues.

When allocating budget to security tools, the organization has found success in looking at security on a project basis. ABC Fitness's 'Application Security Uplift Project' is a program that aims to improve the organization's application security posture across the board, and Detectify is one of the components that helps with this. "A strong security posture is our overall main driver of budget allocation," says Andrew.

"If anybody ever asks me if I know a good DAST solution, I always tell them to look into Detectify," says Gary. Asked what he likes best about Detectify, Andrew says, "It's the responsiveness and the willingness to help. Many vendors aren't as great and easy to work with as Detectify."

Thanks to the team at ABC Fitness

Andrew Kerr

Manager of Corporate Information Security

ABC Fitness

Gary Badstebner

Enterprise Security Architect

ABC Fitness