Securing a fast growing SaaS business with continuous application security testing
Cezanne HR was created to provide the market with a modern, secure Cloud HR system for mid-sized organizations. The business offers the sophistication and configurability of an enterprise-level solution, without the cost and complexity. Today, they service over 650 businesses around the world, and they needed a trusted appsec partner to support their business growth.
Industry: HR
Customer Since: 2016
Products: SWAT
Protecting customer data, the #1 priority
Cezanne HR has grown considerably since it started 7 years ago. The backbone of the business is the HR management system that provides organizations with a flexible and complete HR Software suite. The organization is responsible for processing and storing highly confidential data from customers, including employees’ personal data, so it’s imperative that the system is securely protected. Downtime will also lead to disruption as customers require access around the clock, all over the globe.
The IT team, led by John Hixon, R&D Director, is responsible for providing customers with proof of security testing. That proof demonstrates that Cezanne HR processes data with a high level of integrity, confidentiality and availability, and that the solution is tested for any kind of security gap. John explains:
“We always have to prove to customers that along with our own internal security reviews and testing, we also use a 3rd party to externally penetration test the solution, and the availability of independent reports gives peace of mind to both clients and prospects.”
John oversees product development and hosting, and his role involves responding to security questions from HR and IT personnel, including questions on data protection and GDPR.
“The product is our business’ bread and butter. Ensuring that there are no outages and demonstrating we’re maintaining a high level of security are key to keeping customers safe, driving sales and supporting marketing efforts.
We develop and maintain functionality to support international expansion, including multi-language and multi-currency capabilities, and cater to differing absence plans across multiple jurisdictions, meaning any new product developments have to be fully checked and tested by a professional and reputable third-party provider.”
In the past year, Cezanne HR was awarded ISO 27001:2013 accreditation, which confirms that they implement an information security management system that supports compliance with GDPR and provides customers with certification showing the level of data protection of the service. This was an important stepping stone, as it provides greater data sovereignty to their clients and creates stronger business-to-business relationships. As part of the certification, Cezanne HR defined the frequency and methods of penetration testing and identified where data is stored. As a key provider of security testing for Cezanne HR, Outpost24 was able to support adherence to this accreditation during the certification process.
Threat of data leakage is a key challenge for HR sector
Despite the Cezanne HR product evolving and developments happening every 4-6 weeks, including updates to existing functionality and new modules, the fundamentals remain the same with data security being mission critical. John explains:
“How we process data on behalf of our clients is critical. We conduct regular security reviews and testing to ensure there’s no client data leakage.”
Cezanne HR recognized a need for continual security testing around four years ago, to fill security gaps and ensure the company maintains its service and information security policies in the face of outside threats and technological and geo-political challenges.
“We host customer data; in GDPR terms this includes personal data and protected characteristics, which is business critical. If we suffer a security breach it could have a serious impact on our business, so the security of the solution is paramount.
The continual penetration testing and automated scanning solution from Outpost24 is vital as we’re monitored for vulnerabilities 24x7. Manual testing and checks provide an additional security layer when there’s a new version of the software to release.
Outpost24 SWAT provides us an end-to-end application security solution that’s critical to supporting our operation.”
In-house testing not enough to demonstrate full compliance
Cezanne HR relied on in-house manual testing and one-off penetration tests before choosing the SWAT service from Outpost24. However, with new regulations and increasing demands surrounding data protection laws, they realized this would not suffice in demonstrating their full security capabilities to their customers on a regular basis.
“We need to show our customers that testing is happening continuously. Outpost24 is the only vendor that can deliver continual application testing at scale and we don’t have to keep requesting tests when we need them.”
The Cezanne HR product is built around strict internal and external security processes, and Outpost24 helps protect their vital assets and allows Cezanne HR to ensure testing is ongoing and customer data is always secure within the service.
SWAT removes the security headache
The full and continuous nature of the SWAT service fits Cezanne HR’s needs: they benefit from complete 24x7 monitoring, and pressure on resources is alleviated, as script building, manual testing and automated scanning are orchestrated by Outpost24 experts.
“The SWAT service by Outpost24 is very efficient and reliable... sometimes we forget it’s running. We receive great value from the continuous testing as it provides a proactive application security assessment solution and limits any back doors from being left open for hackers.”
The reporting functionality is a great time-saving feature, from generating reports for customers to demonstrating results to the management team when needed. When issues are raised, the SWAT team is on hand to help by guiding Cezanne HR’s team in reviewing the severity, identifying the biggest risks and prioritizing emergency patching. Cezanne HR uses email alerting from SWAT to be notified of security flaws immediately, and to review anything critical urgently for faster and more focused remediation.
“We rely on the expertise the Outpost24 team provides through the easy-to-use interface, which helps educate our team on vulnerabilities. We strongly recommend continual testing if you have a high frequency of releases – it’s hugely beneficial in mitigating risk without slowing development. We add new features and modules, and enhance existing functionality often, so we can’t stand still. Our customers need to know testing is done by an external and impartial third party like Outpost24.”
Ongoing security into the next decade
As Cezanne HR continues to develop and grow to meet new business needs and markets, it’s essential that security remains a priority and stringent processes are upheld.
“We’ve been fortunate enough not to experience any high-level criticalities and Outpost24 has been a valuable partner in protecting us on an ongoing basis for the past four years. We’re confident we can deal with anything that’s thrown at us next year and beyond.
In 2020, Outpost24 will support the secure delivery of the Cezanne HR roadmap and new product developments including some exciting brand-new functionality.”