Naranja

Protecting Customer Data Without Delaying Software Deployments

Naranja needed to implement strong security controls for applications while retaining the ability to deploy new features fast in order to meet customer needs. Customers who rely on Naranja for credit card and other financial services continue to receive new features quickly with the assurance that their sensitive data is always protected. 3XM Group helped Naranja answer the challenge by providing automated processes to implement and test security controls along with best practices for enhancing the software development lifecycle.

Key Deliverables

  • Improved security posture of financial service applications migrated to Amazon Web Services.
  • Accelerated security implementation and testing through automated security controls.
  • Streamlined analysis of code, merged branches, and the status of jobs in CI/CD pipelines.
  • Increased visibility over application security metrics to confirm testing results before deployment.
  • Enhanced software development lifecycle through the application of best-practice processes.

Tools & Technologies

  • GitLab CI
  • Python and Shell Scripting
  • OWASP ZAP
  • MongoDB
  • Docker
  • Flask (Python Web Microframework)

We utilize the Agile software development model, which means our website applications go through rapid changes and frequent production releases as we continuously enhance multiple features. It’s also critical that security controls do not impact application performance. Allata has proven both their technical knowledge and their project management skills.

Santiago Fernandez, Chief Information Security Officer

The Challenge

Strengthen Security and Keep Application Development On-Time

As the leading credit card issuer based in Argentina, Naranja has been driven by a customer-oriented focus for more than 25 years to make life easier for customers and merchants as they transact business. The company has expanded its portfolio in recent years to include additional online financial services such as personal loans. As Naranja started migrating its cloud environment to Amazon Web Services, Santiago Fernandez, the company’s Chief Information Security Officer, needed to ensure web applications were built with a strong security posture. Application updates with new features for customers also needed to continue to ship rapidly.

While security controls are particularly vital for the financial applications that Naranja develops, the internal software development team needs to make sure customers can easily submit information and transact business with merchants. The Naranja software development team previously used manual assessments to test application security. But as application requirements began to grow rapidly in the effort to enhance financial services for customers, Naranja needed to define new security controls. To meet this challenge, Fernandez felt Naranja required a dedicated team to accelerate security control implementation and testing. He decided to look for an external partner.

Just as importantly, [the Allata] team is well-trained at transferring their knowledge to help us improve our development, testing and security skills. We have learned a lot from Allata, and they are always flexible in the way they approach each task. They collaborate closely with us to make sure we achieve our collective goals.

Santiago Fernandez, Chief Information Security Officer

The Solution

Allata Automates Security Controls

The firm that immediately jumped to the top of the list of possible partners to help Naranja was Allata. Naranja had previously partnered with Allata to provide DevOps consulting services on another application project. During that engagement, Allata showed Naranja how to implement automated security processes. Based on a combination of the security expertise and the professionalism of the team, Naranja decided to partner with Allata again. Fernandez is particularly impressed with the team’s past experiences: “Allata offers senior software consultants who have solved similar security challenges for other companies like ours that run customer-facing applications in the cloud.” As Allata security experts work with Naranja software developers, projects are iterated based on the in-scope features, referred to as the minimum viable product. Naranja also runs automated controls and adds them to the non-functional requirements to avoid exposing the company to serious business risks.

For this reason, each scrum team works with an Allata security expert who actively participates in all scrum ceremonies: sprint planning, daily scrum, sprint review, and sprint retrospective. The scrum team and Allata consultants communicate continuously to determine the required security features.

Partnering with Allata is a big win because no matter how much control a software team might have over the applications, they can always help improve the security posture. Together, we have reduced costs by utilizing free-license, open-source solutions.

Santiago Fernandez, Chief Information Security Officer

The Results

Fast Application Updates Bolstered by Strong Security

As part of the ongoing collaboration with the Naranja software development team, Allata analyzes the security of container images while integrating static and dynamic application testing with CI/CD pipelines. Allata also shares best practices for how to configure web servers, load balancers and orchestrators as well as for monitoring the entire software development process, including the CI/CD server.

With the help of Allata, Fernandez and the internal software development team have increased the security postures of more than 30 Naranja application components in the cloud. Naranja also benefits from improved visibility into application security metrics. And converting from manual to automated security controls has accelerated the time it takes to move application updates into production.

Every piece of code Naranja creates is now analyzed for security by automated tools, and this helps make sure the company protects customer information. Automation is key because the amount of code Naranja handles would be difficult to test manually and still complete projects on time. The insights Allata has provided into the software development lifecycle have enabled the Naranja team to streamline development and testing processes.

Naranja can also more easily analyze code changes, code coverage and code reviews as well as the status of jobs in each pipeline. Another key benefit is the ability to ensure branch merges are approved. An additional vital process that Allata helped implement is infrastructure monitoring. Naranja can monitor the cloud accounts of each software development team by centralizing information and processing events in its SIEM platform.

We are excited to continue evolving our security posture, and Allata will play a key role in helping us plan our strategy and achieve our goals.

Santiago Fernandez, Chief Information Security Officer
