In this case study, conducted by Synopsys with EL AL Israel Airlines, we show how the airline incorporated an application security testing solution that would detect vulnerabilities early in the development process without slowing down the release cycle or imposing additional workloads on the development, QA, or application security team.
To offer customers a variety of convenient options for online ticket booking, flight status, and club membership management, EL AL has a portfolio of applications (including web applications, mobile applications, and APIs), developed in-house and by external subcontractors using many different technology stacks.
EL AL traditionally performed penetration tests on web applications as part of its comprehensive application security program. However, manual penetration testing was costly and detected vulnerabilities very late in the development life cycle, when applications were ready to be deployed in production.
EL AL wanted an autonomous in-house application security testing solution that would detect vulnerabilities early in the development process without slowing down the release cycle or imposing additional workloads on the development, QA, or application security team. The solution had to be simple and easy to use for the EL AL teams to perform security testing as part of their application runtime test cycles. EL AL also wanted to partner with a recognized industry leader that could work with them side by side to roll out a low-maintenance application security testing process integrated into the EL AL CI/CD pipelines.
Quick, actionable results with Seeker
EL AL chose Seeker IAST from Synopsys as the most suitable solution for its security testing needs. The Seeker solution helps EL AL find high-risk security weaknesses while fostering collaboration between development and security teams. In addition, it detects application vulnerabilities and ties them directly to business impact, providing a clear explanation of risks. Seeker’s seamless integration into CI/CD workflows enables automated interactive application security testing (IAST) without slowing down the release cycle.
A great example is how Seeker monitors web applications in the background during functional testing and reports vulnerabilities in real time as part of the CI/CD process. By automatically verifying findings in real time, Seeker helps remove false positives that are common in other application security testing tools. This makes it easy for teams to triage findings and prioritize the critical vulnerabilities that matter most.
Seeker also provides EL AL developers with the exact location of vulnerabilities in the code, remediation suggestions, and code execution flow to help them quickly remediate vulnerabilities.
Implementing Seeker at EL AL
To ensure successful integration, EL AL assigned members of its DevOps, Security, IT, and development teams to work with the Synopsys onboarding team. EL AL found the implementation of the Synopsys IAST solution both quick and efficient — with Seeker providing real-time results without the need for additional expertise. As a result, EL AL has changed its release policy to include Seeker as a requirement before deploying any of its applications to production.
“Altogether, we’ve found Seeker to be much more accurate and easier to use than other application security testing tools,” says Claude Zribi, head of development and integration, EL AL. “Seeker IAST allows us to improve our secure development process while cutting back on development costs. Synopsys is a vendor that delivers on its promise and more, with a solid offering and a strong team to back that product up. Seeker allows EL AL to apply agile methodology in our development, testing, and release of new software versions in rapid cadence.”