YIT (Yedioth Information Technologies) is a leading IT company and software house specializing in internet and mobile solutions. Established 15 years ago as the IT arm of the Yedioth Aharonoth Group to supply technology solutions to the entire Group, YIT's extensive experience drove its expansion to deliver the same expertise to a range of market-leading customers.
Among the company's customers are YNET, Calcalist, Daka90, Israel's intelligence, AllJobs, Gindi Holdings, the Citizen's Empowerment Center in Israel and World Jewish Heritage.
YIT acquired Checkmarx's CxSAST solution just a few months ago and immediately made it part of their security review process. Starting with a single project less than two weeks after the purchase, YIT quickly adopted Checkmarx's solution and is currently scanning tens of different projects on a regular basis.
As YIT is next door to Checkmarx's offices in Tel Aviv, I decided to go there in person to hear directly about their experience with Checkmarx. I met with Yair Glikman, one of YIT's development managers, and Ilan Norman, the Head of Security.
First I asked about the implementation process and how quickly they were able to get the system up and running.
"As with most complex technical solutions, there were a few hiccups upon initial setup; however, that was quickly and efficiently addressed by the technical support staff at Checkmarx," said Yair Glikman.
Since implementation, which took less than two weeks, YIT has been using CxSAST to scan multiple languages, including mobile code, and additional languages are planned to be scanned in the short term.
Yair is in charge of implementing and managing the platform from the R&D perspective, and he explained how they use the solution today. Each project is pulled automatically from its source code repository and scanned by CxSAST. Both Git and TFS are used for different projects, and CxSAST is connected directly to both.
Results are delivered automatically to the team leader of each group and evaluated; team leaders then assign fixes to the relevant developers.
A decision-making group decides which lower-severity vulnerabilities have to be addressed, but there is a clear agreement between the security and development teams that code will not be released to production with vulnerabilities ranked as high severity.
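The release rule described above can be enforced mechanically rather than by agreement alone. The following is an added example, not YIT's or Checkmarx's own code, and the report layout it parses is a hypothetical JSON shape constructed for the example (CxSAST's real export format and API are not shown on this page). It applies the stated policy: any open High-severity finding blocks the release, findings already marked not exploitable are dropped, and everything else is grouped per team so each team leader receives only their own items for triage.

```python
"""Release gate over SAST findings (added example, not Checkmarx's report format).

Policy, as described in the case study:
  * any open High-severity finding blocks the release;
  * lower severities are routed to the owning team leader for triage.
"""
import json
from collections import defaultdict

# Constructed sample report in a hypothetical shape (not real CxSAST output).
SAMPLE_REPORT = json.dumps({
    "project": "webshop-api",
    "results": [
        {"query": "SQL_Injection", "severity": "High",
         "file": "src/db/orders.cs", "line": 88,
         "team": "backend", "state": "To Verify"},
        {"query": "Reflected_XSS", "severity": "Medium",
         "file": "src/web/search.cs", "line": 41,
         "team": "frontend", "state": "To Verify"},
        {"query": "Information_Exposure", "severity": "Low",
         "file": "src/web/error.cs", "line": 12,
         "team": "frontend", "state": "Not Exploitable"},
    ],
})

# Severities that must be empty before code may go to production.
BLOCKING_SEVERITIES = frozenset({"High"})
# Triage states that take a finding out of the open set (assumed label).
CLOSED_STATES = frozenset({"Not Exploitable"})


def triage(report_json, blocking=BLOCKING_SEVERITIES, closed=CLOSED_STATES):
    """Return the gate decision plus per-team work lists for a report."""
    report = json.loads(report_json)
    open_findings = [r for r in report["results"] if r["state"] not in closed]

    by_team = defaultdict(list)
    for finding in open_findings:
        by_team[finding["team"]].append(finding)

    blockers = [f for f in open_findings if f["severity"] in blocking]
    return {
        "project": report["project"],
        "release_allowed": not blockers,
        "blockers": blockers,
        "by_team": dict(by_team),
    }


def gate_exit_code(report_json):
    """Exit status for a CI step: 0 lets the pipeline continue, 1 blocks it."""
    return 0 if triage(report_json)["release_allowed"] else 1


if __name__ == "__main__":
    decision = triage(SAMPLE_REPORT)
    for team, items in decision["by_team"].items():
        print(f"{team}: {len(items)} open finding(s) to triage")
    for b in decision["blockers"]:
        print(f"BLOCKER {b['severity']} {b['query']} at {b['file']}:{b['line']}")
    raise SystemExit(gate_exit_code(SAMPLE_REPORT))
```

Wiring `gate_exit_code` into the build step turns the written agreement into a hard stop: a High finding fails the pipeline, while Medium and Low findings still reach the right team leader without blocking anyone.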
YIT employs very high-level developers and engineers, resulting in top-notch code. Looking at the project severity graph you can see relatively good results, which reflect the code quality and clear coding guidelines. Nevertheless, YIT still decided to add additional layers to cover items the human eye may have missed.
Being a favorite target for cyber-attacks, YIT employs multiple layers of security on its hosting network and software, including a WAF, dynamic testing tools and additional layers it prefers to keep confidential.
The full Case Study is available here
Posted by Amit Ashbel