The electronic bidding portal "Manufacturer" automated code acceptance with the help of PT Application Inspector
Customers: Fabrikant.ru (Fabrikant)
Contractors: Positive Technologies
Product: PT Application Inspector (PT AI)
Second product: PT Application Firewall
Project date: 2017/07 - 2017/12
On February 20, 2018, it became known that the electronic marketplace "Manufacturer" had built an application protection system based on two Positive Technologies products: PT Application Inspector and PT Application Firewall. Integrating the PT Application Inspector source code analyzer into the continuous integration (CI) process made it possible to establish a regular process of code acceptance and secure development, and linking the analyzer with the web application firewall provides protection against exploitation of detected vulnerabilities while they are being fixed.
Prerequisites
Large Russian and foreign companies carry out electronic procurement on the marketplace. "Manufacturer" has its own development team, whose tasks include improving the service and adding new functionality. Information security specialists regularly performed manual security analysis of the web application. With that approach, however, the results quickly lost relevance because of the portal's regular updates. This created a need to automate code verification as much as possible and to build it into the software development process.
Solution
PT Application Inspector combines static (SAST), dynamic (DAST) and interactive (IAST) analysis methods, which considerably reduces the number of false positives. This lets security experts and the development team work only with relevant threats. To check the vulnerabilities it finds, PT Application Inspector creates test requests that help confirm whether an attacker could exploit them and determine the conditions required to carry out an attack.
Project Results
The "Manufacturer" platform is built on a microservice architecture consisting of more than 100 independent internal services. Given such a large number of regularly updated services, PT Application Inspector was built into the application build process by integrating it with the continuous integration system, in order to automate source code testing. This simplified the search for vulnerabilities and reduced the time needed to verify, fix or patch them, which ultimately accelerated application development and deployment. In addition, integrating PT Application Inspector with the PT Application Firewall web application firewall protects applications while developers eliminate vulnerabilities in the code.
"The availability and security of a platform that is visited daily by thousands of people is a priority for us. Attackers constantly improve their methods, so we looked for tools that would not only help us analyze the application's source code quickly, but would also provide protection against attacks while errors are being corrected. Integrating PT Application Inspector and PT Application Firewall into the production environment allowed us to minimize the impact of cybersecurity processes on the speed of developing new functionality and to protect the portal against modern cyberthreats." Ilya Maltsev, head of the information security department of the "Manufacturer" trading portal