With an established, mature security program already in place, this elevator industry
giant lacked little in the way of AppSec strategy and innovation. Instead, the
challenge for its solution design owner (the person responsible for implementing
application security services across the organization globally) was a lack of visibility
into existing security activity, success metrics, and reporting on relevant AppSec data,
compliance status, and applications from a single, centralized location.
With tools from several different vendors in use, reports and scan results lived in
disparate locations and formats, which hindered the comprehensive overview of
security activities needed to gauge efficiency and success. Org X’s solution design
owner found it “very difficult to get an overview of the status of risk in an application.”
At a granular level, it was nearly impossible to determine the security risk associated
with any single application; at the organizational level, it was equally difficult to assess
application security health across the application portfolio as a whole.
Further complicating matters, security standards such as ISO 27001 and IEC 64334
(an IoT security standard) introduced additional requirements. ISO 27001 requires
organizations to produce evidence of scanning activity, along with a record of any
remediation performed on the resulting findings. Org X had to demonstrate that the
required scans had been completed, provide a summary of findings, and present
evidence that findings meriting remediation had actually been investigated.
The company’s immediate need was a way to satisfy these requirements while also
gaining the insight it needed into overall security health, success, and efficiency, none
of which was achievable without an automated, centralized source of truth.