Case Study: Visma

Preventing subdomain takeovers and receiving fewer false positives

By using Detectify, Visma reduced the time needed to assess security issues, received more relevant findings, and got help discovering previously unknown security issues in newly acquired companies.

About

Visma is a privately held software company that simplifies core business processes in the private and public sectors.

Location

Headquartered in Oslo, with over 200 local offices

Company size

Enterprise (12,000 employees)

Industry

Software

Visma's set up & security challenges

A remote work setting and many employees at Visma keep their security team busy. Catalin Curelaru, Security Triage Lead at Visma, specializes in infrastructure and product security areas with strong knowledge of security operations.

“We have over 5000 developers, 40 acquisitions per year, over 150 companies at Visma, and employees spread across 37 countries,” says Catalin.

Visma has an application security program to increase security vulnerability knowledge and mitigate security risks quickly.

Visma’s security challenges:

  • Subdomain takeovers.
  • Exposed tokens.
  • Legacy systems.
  • OWASP top 10 vulnerabilities coverage.
  • False positives.


How Visma benefits from built-in ethical hacker research

Catalin explained that using SAST and DAST tools, penetration testing, and manual assessments works well. Still, a bug bounty element was needed on top of them for better coverage and for speed in finding the most recent vulnerabilities.

That’s exactly where Detectify Crowdsource comes into play.

"We used other tools before, but we chose Detectify because it helps us reduce false positives and gives us a lot of information from the availability perspective,” explains Catalin.

Ethical hacker knowledge from Crowdsource adds extra value to Visma’s security journey.

“The bug bounty element is the ultimate layer before all the other layers from the automated tools: from manual assessments, threat modeling, and all the services that you can deliver to the software delivery teams.”


Complementary to a bug bounty, Visma has a dedicated internal penetration testing team available to all companies inside Visma for an extra security layer.

“We are a big team with a vast amount of public products that need to be assessed. However, with the limited amount of penetration testers in the teams, we cannot cover all the applications from all the security angles. That's why you need Detectify Crowdsource,” explains Catalin.

Detectify products used by Visma

Surface Monitoring - the benefits of continuous updating

To reduce the number of subdomain takeovers, Visma’s teams use Surface Monitoring.

"We have multiple public applications, and we want to be 100% sure that we are free from subdomain takeovers. Detectify helps us achieve that."

Application Scanning - the benefits of low false positives

Visma has been using Detectify for several years now, resulting in a strong working partnership and trends over time. When using Application Scanning, they have seen that Detectify consistently delivers vulnerabilities with a very low false-positive rate. They know they can trust the data coming from the reports and act quickly upon it.

How Visma uses Detectify

Scanning frequency

Visma runs scans weekly and receives all of the security vulnerability findings in one go. The scanning frequency also depends on each team and their scheduled time preferences.

Integrations - Jira and Slack

Visma’s security teams receive all medium and high severity vulnerability findings from Application Scanning and Surface Monitoring in Jira. Each scan profile is set up as a unique Jira issue so that metrics can be gathered for all raised issues, giving an exact remediation timeframe and showing precisely which teams are remediating which issues.

With the Slack integration, Visma gets high severity vulnerability findings alerts instantly and is aware of issues as soon as they are discovered.

Consuming the findings

Visma's teams are independent and have different approaches to consuming vulnerability findings. Some development teams have direct access and triage the findings themselves, with the security team overseeing the remediation process. Alternatively, the security team conducts triage alongside bug bounty reports, since this helps them know precisely how to assess an issue quickly.


Dealing with critical vulnerabilities

Visma is organized into multiple companies. Their security team doesn't have direct access to all servers and environments as each team is responsible for their environments and remediation. The security team's guidance and advice support them. “It’s our responsibility as a company to be 100% sure that we address critical security issues on time,” says Catalin.

Vulnerability remediation

During the remediation process, Visma compares the results of the scan profile to see whether a particular issue is no longer flagged. Once an issue has been addressed, the team deploys the patch or update into the environment, and the issue is then considered closed. Catalin explained that at Visma, they also rely on comments to build trust between the security team and other teams.

Results

Assessing security issues better and building tools

The reduced time required to determine security issues' validity allows the teams to be more creative and develop new tools and products.

Securing M&A process

Detectify is an essential part of the DAST process during M&As at Visma, ensuring the desired security posture. Detectify helps newly acquired companies discover previously unknown security issues. “This is the main ROI when certain development teams get valuable information and can strengthen their security," says Catalin.

Less noise, more relevant findings

Catalin explained that the central realization they had while using Detectify was a decrease in the number of vulnerability findings. Sometimes their teams were concerned about not receiving many results. In practice, this meant they were receiving more relevant findings and less noise, which confirmed that the teams were doing a good job.

Catalin’s security tips:

  • Use the OWASP SAMM bottom-up approach.
  • Rely on OWASP best practices.
  • Use multiple tools: SAST, DAST, third-party scanning, Red Team/Purple Team exercises.

Thanks to Visma

Catalin Curelaru

Security Triage Lead

Visma
