Micro Focus Fortify on Demand provides affordable, effective application security
Company: Change Healthcare
Change Healthcare runs the largest financial and administrative healthcare network in the United States. Whether for pharmacies, dentists, hospitals, laboratories or other healthcare organisations, the applications developed by Change Healthcare are used to process millions of healthcare transactions across the country.
Prior to August 2015, the company faced a data security challenge familiar to technology companies. Customers were increasingly asking for proof that Change Healthcare's systems were secure and that their patients' data was safe.
Change Healthcare's reputation and the personal information of millions of Americans depended on the security of the company's applications. However, with the processes in place at the time, vulnerability testing was time-consuming and expensive. Today, Change Healthcare tests applications at a fraction of the cost and time it took previously. Fortify on Demand and Micro Focus Fortify WebInspect provide an affordable and effective means of finding and fixing exploitable vulnerabilities much faster than before and without hindering the development process.
In recent years, Change Healthcare has acquired several businesses to grow its range of solutions and diversify its developer expertise. The strategy has opened the door to many new customers, including hospitals, pharmacies and other healthcare providers which use software applications to process prescriptions, create reports and perform other critical tasks.
However, it has also complicated the development of these applications, multiplying the number of programming languages, build environments and coding standards in use. Over time, testing the growing number of applications became a recurring problem for the company's developers.
They not only lacked security expertise and application testing processes, but they also used tools that were not always accurate, making it hard to find issues or fix potential vulnerabilities.
"For a long time, we used an application security tool called Checkmarx," says Damien Suggs, application director at Change Healthcare. "But it produced so many false positives that the development teams lost faith in it. They didn't want to deal with it, and they progressively stopped using it as part of their development process."
Another challenge was the amount of time it took to test code for vulnerabilities. Applications were systematically sent to a third-party, cloud-based testing service to ensure that they met Payment Card Industry (PCI) security requirements. But results could take up to a week to come back, making the entire process highly inefficient and leading to ever-increasing testing bills. "The time it took to test code was slowing down developer productivity," says Suggs.
Only some of Change Healthcare's developers were affected, as the company was restricting this testing to applications requiring PCI compliance. To expand the testing to include other types of applications would mean involving more than 250 developers scattered across different countries.
Change Healthcare needed a centralised, co-ordinated method of testing across teams and locations. Together, these challenges jeopardised Change Healthcare's ability to comply with government regulations on the secure use of personal information.
Customers, meanwhile, also required proof that application security assessments were regularly conducted. This was a time-consuming process because of the absence of a centralised repository to store and access these reports.
Speeding up testing
Change Healthcare decided to implement a comprehensive software security assurance program that spanned the entire software development life cycle. The key to this shift was the decision to move to a single cloud-based testing service that was simple and fast enough for developers to voluntarily make it part of their daily schedule.
For Suggs, the key to success lay in making security testing part of the company's routine: "Micro Focus Fortify on Demand really addresses the needs of the developers. It makes sense to them," he says.
Increasing the pace of testing was crucial if developers were to test more code.
In August 2015, Change Healthcare began using Fortify on Demand, an application security testing and risk management platform delivered as a service. Developers are now able to submit an application for testing and receive a report listing potential security issues by criticality, where they appear in the code, and specific remediation recommendations.
Fortify on Demand has a target turnaround of 48 hours for static scans, but most come back in just over six hours. The speed of the solution has allowed Change Healthcare's developers to test and remediate quickly, improving their productivity and reducing the chance of cyber breaches.
Another key benefit of using Fortify on Demand is that the number of false positive alerts has been significantly cut, freeing up valuable time and resources. "If there's a false positive, it's easy to challenge and get it suppressed in future assessments," says Suggs.
Most importantly, Fortify on Demand seamlessly integrated with the development environments the company was already using. Code can now be sent for testing from within Microsoft Visual Studio or from a Jenkins automation server.
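The workflow described above (a report ranked by criticality, a reviewed false positive that stays suppressed on later assessments, and a build server that submits code) is the kind of thing a team usually wires into a CI gate. The following is an added example, not code from Change Healthcare, Micro Focus or the Fortify on Demand service: it applies a reviewed suppression list to a set of findings and fails the build above a chosen severity. The finding and suppression structures, the sample findings and the `instance_id` field are all constructed assumptions for illustration; Fortify on Demand's real report format and API are not reproduced here.

```python
"""Build gate over static-analysis findings with a reviewed suppression list.

Added example; not Change Healthcare's or Fortify's code. The data shapes
below are assumptions made for illustration, not a real scanner's output.
"""
from dataclasses import dataclass

SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}


@dataclass(frozen=True)
class Finding:
    category: str
    severity: str
    file: str
    line: int
    instance_id: str  # assumed stable id, so a suppression survives line shifts


@dataclass(frozen=True)
class Suppression:
    instance_id: str
    reviewer: str
    reason: str


# Constructed sample findings (not real scan output).
SAMPLE_FINDINGS = [
    Finding("SQL Injection", "Critical", "src/ClaimsRepo.cs", 88, "f1a2"),
    Finding("Cross-Site Scripting: Reflected", "High", "src/Views/Search.cshtml", 12, "b3c4"),
    Finding("Password Management: Hardcoded Password", "High", "test/Fixtures.cs", 5, "d5e6"),
    Finding("Poor Logging Practice", "Low", "src/Program.cs", 40, "f7a8"),
]

# Constructed: one reviewed false positive (a test fixture credential).
SAMPLE_SUPPRESSIONS = [
    Suppression("d5e6", "reviewer.a", "Test fixture value, not a production secret"),
]


def validate_suppressions(suppressions):
    """A suppression is an audit record: refuse entries with no reviewer or reason."""
    for s in suppressions:
        if not s.reviewer.strip() or not s.reason.strip():
            raise ValueError(f"suppression {s.instance_id} lacks reviewer or reason")
    return True


def apply_suppressions(findings, suppressions):
    """Split findings into those still open and those covered by a suppression."""
    validate_suppressions(suppressions)
    suppressed_ids = {s.instance_id for s in suppressions}
    kept = [f for f in findings if f.instance_id not in suppressed_ids]
    dropped = [f for f in findings if f.instance_id in suppressed_ids]
    return kept, dropped


def gate(findings, suppressions, fail_at="High"):
    """Return the findings that block the build at or above `fail_at` severity."""
    kept, dropped = apply_suppressions(findings, suppressions)
    threshold = SEVERITY_RANK[fail_at]
    blocking = sorted(
        (f for f in kept if SEVERITY_RANK[f.severity] >= threshold),
        key=lambda f: -SEVERITY_RANK[f.severity],
    )
    return {"blocking": blocking, "suppressed": dropped, "passed": not blocking}


def format_report(result):
    """Developer-facing summary: severity, category and location for each blocker."""
    lines = [f"{f.severity}: {f.category} at {f.file}:{f.line}" for f in result["blocking"]]
    lines.append(f"{len(result['suppressed'])} finding(s) suppressed by review")
    lines.append("BUILD " + ("PASSED" if result["passed"] else "FAILED"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(gate(SAMPLE_FINDINGS, SAMPLE_SUPPRESSIONS)))
```

The suppression list is deliberately keyed on a stable finding identifier rather than on file and line, so a reviewed false positive does not reappear after unrelated edits move the code, and every entry must carry a reviewer and a reason so that auditors can later see why a finding was waived.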
Change Healthcare is also using Fortify WebInspect to scan web applications for weaknesses. This dynamic application security testing (DAST) tool sends attack-style requests to the running application and reports the vulnerabilities it can trigger, adding a layer that complements static analysis by catching runtime and configuration issues that source scanning alone cannot see.
"Micro Focus Fortify WebInspect gets into the application and does a great job of detecting security issues," says Suggs. "It finds deeply rooted vulnerabilities, many of which can't be found by other products."
As an added bonus, the Fortify Taxonomy website has become a valuable resource. It gives developers a catalogue of software weakness categories, with explanations and remediation guidance, that may be relevant to their current projects. The site has helped them better understand the types of weaknesses that are likely to affect their applications.
The new approach has dramatically reduced the company's security testing expenses. Despite an increasing number of applications to be analysed, the cost of testing has fallen roughly eightfold (the company puts the reduction at 800%). Previously, the company paid by the hour for external software security testing, and the bill rose steeply as more applications were tested and went through multiple rounds of revision. Change Healthcare now pays a subscription fee per application, with no additional charges for rescans.
Fortify not only reduces the risk of exposing personal information, it also allows the company to assure its management that every application it ships has been tested. Internal auditors can now access security reports much more easily than before, making it simple to show hospitals, insurers, the government and other stakeholders that a comprehensive testing regime is in place.
The number of applications tested by Change Healthcare's developers has increased almost tenfold. At the moment, about 150 of the company's developers use Fortify on Demand, and there are plans to extend the usage as more developers are brought on board. This is especially important as the company has a significant merger planned; thousands of new employees could potentially put their processes to the test, pushing the solution's capabilities even further.
"Micro Focus Fortify on Demand has given us the confidence that developers have a handle on all security-related matters," says Suggs. "They know what they need to fix, exactly which part of the code should be changed, and why it needs fixing.
"In short, the solution has completely changed our approach to application security. It has redefined it," he adds.