Published on 24-Jan-2008
"AppScan is an important and integral part of our overall security strategy." —Apurv Singh, manager of information security, Agentrics
Customer:
Agentrics
Industry:
Retail
Deployment country:
United States
Overview
Agentrics serves as the trusted agent for the retail and consumer goods industry by helping retailers, manufacturers and their trading partners optimize shared business processes.
Business need:
To maintain its strong reputation, Agentrics needed to incorporate the latest security technology to protect its Web-based technology and services.
Solution:
Agentrics leverages IBM Rational® AppScan® software to automate its Web application security testing.
Benefits:
The AppScan solution has become part of Agentrics’ overall security and development strategy, resulting in increased confidence and safer applications for the company’s high-profile retail clients.
Case Study
Agentrics serves as the trusted agent for the retail and consumer goods industry by helping retailers, manufacturers and their trading partners optimize shared business processes. Its customers rely on Agentrics’ product offerings, unique practical forums and deep domain expertise to drive real business results. In the last six years, Agentrics has generated more than US$5 billion in cost savings for its customers by partnering with them on the development and effective use of Agentrics’ technology and services.
In business, speed and security do not always go hand in hand; often one takes a backseat to the other. But Agentrics has excelled at providing security-rich and cost-effective retail Web applications that help speed processes throughout the industry.
Facing the facts
Agentrics serves 17 of the top 30 global retailers, a large customer base that includes several companies in direct competition. Since Agentrics provides its supply chain collaboration, sourcing and product lifecycle management solutions on a common hosted platform shared by all its customers, it’s essential that the company keep its customers’ highly confidential information well protected. Therefore, Agentrics has always focused on offering solutions that incorporate the highest standards of security. In fact, Agentrics was well ahead of the security adoption curve, realizing from its inception that the biggest threats reside at the Web application layer, not at the network level.
“At that time, there was plenty of information on how to protect network systems but very little that explained how to protect an application or write secure code,” says Apurv Singh, manager of information security at Agentrics. Singh and his team aimed to better understand the aspects of Web application security, including the most dangerous and common types of attacks and the resulting application vulnerabilities. “We initially started by manually inspecting the applications, but it’s almost impossible to go through millions of lines of code,” says Singh.
Making the right decision
And Singh should know. Before his company was acquired by Agentrics, he used AppScan software to automate Web application audits. But after the merger, Singh was faced with the possibility of using a different product. After a competitive analysis of both products, Agentrics decided to stay with AppScan.
Having a structured, multitiered security strategy, Agentrics expects its software developers to build robust applications and write secure code. But with new Web vulnerabilities and threats arising weekly, no code can ever be 100 percent secure. So the company relies heavily on the security-rich capabilities of AppScan software throughout the development lifecycle. “AppScan is an important and integral part of our overall security strategy,” says Singh. Securing an application requires constant monitoring and work. Agentrics begins by using various forms of threat modeling before beginning application development. During the build process, the company keeps an open communication loop between development and security. New applications are scanned with the AppScan software, and uncovered vulnerabilities are passed back to development for remediation.
The AppScan application has a patented scan engine that helps alleviate the security team’s workload in several ways. First, it automates the security testing process and scans layers of code that would be impossible to review manually. In addition, the easy-to-understand fix recommendations allow developers to quickly pinpoint problems and remediate affected code.
Reaping the rewards
But automation is only part of what makes AppScan software an important tool for Agentrics. The company also leverages features such as privilege escalation testing. One of the most devastating types of intrusions is when a hacker manipulates code to gain access to an area of a Web site to which he or she is not authorized. AppScan provides sophisticated testing that detects such weaknesses in application code and then provides simple and specific ways to fix these issues.
In addition to building its own applications, Agentrics relies on third-party Web applications. Singh leverages AppScan software to help secure these applications as well. He insists that third-party applications meet the same rigorous safety standards his team applies to its homegrown applications. “I wouldn’t have the level of confidence I have today in the security of my applications if it wasn’t for AppScan. It’s a very important piece of our security process,” notes Singh.
For more information
To learn more about IBM Rational AppScan software, contact your IBM representative or IBM Business Partner, or visit:
ibm.com/software/rational/offerings/testing/webapplicationsecurity
Products and services used
IBM products and services that were used in this case study.
Software:
Rational AppScan Standard Edition
Legal Information
© Copyright IBM Corporation 2007. IBM Corporation, Software Group, Route 100, Somers, NY 10589, U.S.A. Produced in the United States of America, 12-07. All Rights Reserved. AppScan, IBM, the IBM logo and Rational are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. Other company, product and service names may be trademarks or registered trademarks or service marks of others. The information contained in this documentation is provided for informational purposes only. While efforts were made to verify the completeness and accuracy of the information contained in this documentation, it is provided “as is” without warranty of any kind, express or implied. In addition, this information is based on IBM’s current product plans and strategy, which are subject to change by IBM without notice. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this documentation or any other documentation. Nothing contained in this documentation is intended to, nor shall have the effect of, creating any warranties or representations from IBM (or its suppliers or licensors), or altering the terms and conditions of the applicable license agreement governing the use of IBM software. IBM customers are responsible for ensuring their own compliance with legal requirements. It is the customer’s sole responsibility to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer’s business and any actions the customer may need to take to comply with such laws. RAC14014-USEN-00
