Unit4 Enhances DevOps and Reduces False Positives with Contrast Application Security Platform

Unit4 is a leading provider of next-generation enterprise solutions that power many of the world’s most people-focused mid-market services organizations. Their state-of-the-art cloud platform, ERPx, delivers unified ERP, HCM and FP&A, combining functionality designed for service-centric industries and a user experience that puts people first. It supports rapid and continuous change while delivering individualized fit for customers at scale, unifying the processes across their organization, and connecting their people. Unit4 serves more than 6,000 customers globally, including Bravida, Havas, Migros Aare, Americares, Save the Children International, Action against Hunger, Metro Vancouver, Forest Research, Southampton City Council, Habitat for Humanity, Selkirk College, FTI Consulting, and Surrey County Council.

In 2014, Unit4, a provider of next-generation enterprise solutions, embarked on a large-scale digital transformation. The company aimed to adopt the DevOps methodology, consolidate various software solutions developed for different markets, streamline application security and quality control efforts, and transition to a cloud-based delivery model for all its products. A centralized quality assurance group was formed to ensure a consistently high level of quality across the entire portfolio. However, each product operated in a silo with its own development and quality assurance functions, using different methodologies and tools. Application security was part of this piecemeal approach. The company had a group of security experts implementing the main security layers at the core-level technical platform level. However, the process was manual and required a lot of customization, which was not sustainable for the company's digital transformation.

Unit4 decided to streamline its application security efforts by deploying Contrast Assess, an application security tool that uses instrumentation to conduct continuous security scanning from within the application. The tool sends an alert with contextual, actionable information whenever a vulnerability is created, allowing the engineer to fix the problem right away without involvement from the security team. This approach enables vulnerabilities to be remediated before additional layers of code are added, making the process less complicated, time-consuming, and costly. Unit4 also integrated Contrast Assess with Microsoft Teams for instant notifications whenever a new critical, high, or medium-severity vulnerability pops up. The tool also allows for application merging, grouping of duplicated vulnerabilities, and just-in-time training for engineers to create more secure code over time.

• The deployment of Contrast Assess has significantly streamlined Unit4's application security efforts. The tool's instant notifications and application merging capabilities have reduced administrative effort and improved the handling of different applications under a unique hood. The reduction in false positives compared with penetration testing has also been a significant benefit. The tool's reporting capabilities have been praised for their clarity and ease of use, particularly for communicating with C-level executives and people without deep security knowledge. The just-in-time training provided by Contrast Assess has also been beneficial, helping engineers learn to avoid creating the same vulnerability twice and write more secure code over time. As a result, Unit4 is well-positioned for the future, with the right automation in place for application security.

• Between 2 to 3 times faster remediation times.

• Estimated a reduction in false positive rate from 57% present in the pen-test reports to 7% in false positive reported by Contrast.

• Saved around 72 hours in staff time in investigating false positives and preparing reports, whenever receiving a pen-test report from customers.