“My role is to identify, understand, and communicate threats and mitigations in order to help our development teams protect CGI software,” said Rajesh Subramani, application security engineer at CGI. “CGI uses a variety of tools for application management, including an application portfolio management solution, an open source code quality analysis tool, a cloud-native application protection platform, and several others.”
CGI isn’t unusual in its use of multiple application security testing (AST) tools. A report by the Enterprise Strategy Group, “Cracking the Code of DevSecOps,” notes that over 70% of enterprises are using more than 10 AST solutions.
“Within our U.S. application security testing scope, we have well over 100 software projects underway,” Subramani continued. “With that many projects in development through deployment, all being examined by a spectrum of security testing tools, it was important that we start getting consolidated reports with results in one place.”
More than one business priority drove CGI’s decision to provide a single, consolidated view of security-related information from its AST tools. The company needed to understand how effective its AppSec tools actually are and to gain complete visibility into process and performance across teams. CGI development and operations teams wanted a centralized view of all issues so they could identify the security activities that have the most impact. Those whose focus is on security, such as Subramani, wanted to be able to identify and prioritize critical issues quickly.
The solution CGI selected to answer those business priorities was Software Risk Manager.