Parkeon Delivers Secure Payment Solutions With Synopsys IAST


Business overview and challenge

Parkeon is a key player in the urban mobility sector and a global provider of parking and transport management solutions. Parkeon offers a unique range of parking control and payment services in 55 countries and more than 3000 cities around the world.

Parkeon develops real-time payment systems suitable for all sales channels—credit and debit cards, mobile phone accounts, prepaid cards, e-purse schemes, and contact/contactless card technology. These solutions are deployed on Parkeon’s own point of sales (POS) terminals, such as curbside parking meters or “pay and display” and “pay on foot” car parks.

The rapid growth of e-commerce and remote (POS) security breaches led Parkeon to increase the security of their applications to the highest possible level, regardless of the deployment’s geographical location.

Parkeon’s IT department chose the Synopsys Interactive Application Security Testing (Seeker) tool to validate end-to-end security and PCI (Payment Card Industry) compliance of their main electronic ticketing and transaction product, ArchiPEL. The Synopsys Interactive Application Security Testing (IAST) tool was chosen due to its unique combination of accurate vulnerability detection, PCI compliance capabilities, integration into development processes, and ease-of-use for developers and testers without security expertise.

"We chose [Synopsys IAST] because testers and developers don’t need to invest time or have expertise in order to execute security tasks on a regular basis. [Synopsys IAST] provides correlation between vulnerabilities and impacted source code, saving developer effort."

L. Porchon, CISO of Managed Business Service division, Parkeon

Solution evaluation

Parkeon builds complete payment solutions and offers to centralize electronic payment flows on behalf of its clients. Both activities require the overall solution architecture to comply with industry standards and norms such as PCI-DSS (Payment Card Industry Data Security Standard).

Parkeon had been using a dynamic application security testing (DAST) tool to validate the security of applications on its integration environment, but that solution was not working out as they had hoped.

The application is developed using agile development methods and is updated in production 5 times per quarter. Security validation needed to be integrated into existing automated processes, and be usable by developers and testers who are not security experts.  

Deployment and benefits realized

While using our IAST tool, Parkeon has identified three key benefits.

First, our IAST tool understands and verifies how data flows through the application, ensuring that the entire system, end-to-end, complies with security standards such as PCI-DSS. It also identifies vulnerabilities in relation to their impact on sensitive data.

Our IAST tool provides testing that helps meet PCI-DSS Section 6 requirements. By automatically tracking critical data, such as credit card information, through various components of the payment chain, Synopsys IAST verifies that there are no vulnerabilities, such as forgotten debug data, insecure manipulation, insecure storage—even temporarily—in file or database, insecure transmission to third parties, and so on, that may compromise it. With our IAST tool, Parkeon can automatically ensure that the overall system complies with security standards at each release.

Second, Synopsys IAST facilitates communication between test and development teams by pinpointing vulnerabilities back to the source code. Unlike other dynamic testing tools, which report vulnerabilities by the offending URL, our IAST tool automatically ties vulnerabilities back to the source code to identify where the fix must be applied. It eliminates false positives, pinpoints the vulnerable source code, and provides developers with clear remediation advice tailored to the tested application.

Using our IAST tool, Parkeon improved security, reduced the amount of time spent on security testing, and improved communication between security and R&D:

  • Developers focus their time on proven vulnerabilities and source code corrections recommended by Synopsys IAST.
  • Testers gain a clear view of the application’s risk posture in relation to the OWASP Top 10 criteria and Parkeon’s corporate security standard.

Third, our IAST tool improves security awareness and trains developers to exercise secure coding practices as outlined by the OWASP Top 10. By providing a replay of every attack, explaining the business risks, and providing relevant remediation suggestions, Synopsys IAST has helped Parkeon’s test and development teams acquire awareness and training in an ongoing manner, thus improving the security of their code.

"[Synopsys IAST] answered our integrations and automation needs. It provides training and knowledge to its users. [Synopsys IAST] is the perfect tool to help us improve our security practice to build excellent software."

L. Porchon, CISO of Managed Business Service division, Parkeon

Business Benefits

Synopsys IAST ensures that the entire system, end-to-end, complies with security standards at each release
By focusing on data, Synopsys IAST provides testing for critical data requirements such as those defined in PCI-DSS Section 6.

Synopsys IAST facilitates communication between test and development teams
Every vulnerability is automatically linked to the offending source code, with relevant remediation suggestions.

Synopsys IAST improves awareness and training for secure coding practices
By being shown how to fix problems in their own code, developers learn secure coding practices.

Conclusion

Synopsys IAST fits seamlessly into Parkeon’s security automation process, ensuring that their development and testing teams deliver frequent, secure and compliant releases to production while improving productivity and security awareness.