Playtech has numerous code analysis solutions in place and is familiar with the capabilities of the solutions in the marketplace. The biggest disadvantage of the other tools was the requirement to scan compiled code. Playtech wanted a solution capable of running scans during the development lifecycle in order to achieve a true SDL, and none of the other solutions supported that. The ability to easily customize the rule sets to enforce Playtech's security policy was another thing that proved difficult with other solutions and was a non-issue using Checkmarx's open query language.
The Checkmarx selection
The security team at Playtech loves Checkmarx because of the flexibility and independence it provides them to do their job. Being a small security team within such a large company, the task of staying up to date with the ever-growing code base is a great challenge. Compilation-based SAST tools required a successful build first, and the compilation errors encountered along the way consumed a lot of the security team's precious time and often required assistance from the R&D team.
Checkmarx automatically charts the data flow in the application and suggests the optimal remediation points, which significantly reduces the mitigation effort required of R&D. In addition, the ability to write custom queries for Playtech's various purposes (not necessarily all security related) is priceless. Another excellent byproduct of implementing a true SDL is that developers are automatically trained in writing secure code, because they get immediate feedback detailing the security vulnerabilities found in their code. The developers say they find it more effective than any other training they've done.
The Implementation
Playtech started small. Their objective was to start scanning a few smaller projects using Checkmarx.
Running on a few projects for a few months, Playtech saw that the outcome was successful. Both the security team and the developers found the solution useful and easy to use, so the implementation was expanded to larger projects. At the moment Checkmarx scans more than 90% of the projects, and that number keeps growing. Every developer has the IDE plugin suitable for them (Visual Studio, Eclipse) and is a lot more cooperative because they get the security findings while everything is still fresh in their mind. It's very easy to use. Even new developers don't need any training. It's all in the IDE they are used to anyway. Every medium / high severity bug is automatically entered into JIRA bug tracking.
The Bottom Line
Checkmarx proved to be of great benefit to Playtech's infosec team in implementing the SDL. The scan results for the major coding languages are incredibly accurate. Support levels are unbelievable. The solution is highly flexible and is easily customized to the company's ever-changing requirements.
“Checkmarx is loved by both our infosec team and our developers. It is easy to use and provides highly accurate results combined with the flexibility we need to enforce our application security policy.”