Before using Vex, security testing required remote assessment services from our group companies in Japan or on-the-spot assessment services from third parties in Indonesia. However, regular use of these services was not cost-effective, and results depended heavily on the skill of the consultants assigned to the service. We wanted to use a free testing tool to solve the cost problem, but there were no solutions that met our expectations, such as having functions to systematically confirm scan results.
Although we considered using an external assessment service again, we decided to explore the options in house to guarantee a satisfactory level of security.
In order to reach the goal, we launched an investigation to find a suitable tool and discovered Vex. While we were confident about Vex because it was developed by a Japanese vendor, our expectations increased even further when we learned it was the most popular web application security tool in Japan.
We selected Vex for two major reasons after a hands-on trial. Firstly, it provides highly customizable reports. Secondly, it is compatible with CI tools such as Jenkins.
Vex is extremely convenient because it can output scan results in multiple types of reports, which enables users to create the type of report best suited to the objectives. The function to display results from the auto-crawling feature in screen transition diagrams is very impressive because the results are easier to analyze and understand visually.
We planned to link Vex with Jenkins and other CI tools to implement a DevSecOps cycle, so compatibility with Jenkins was a key point in the decision to adopt the tool. We felt that integrating Vex into the DevSecOps cycle would improve system security in advance at earlier phases in the system development process. It was a perfect match for our intention and goal of efficiently improving system security.
The ability to run security scans that use only specific patterns is another excellent feature. We can select frequently used requests and scan patterns tailored to the test content, customize them, then save them so that they can be easily retrieved for future scans; this is very convenient.
Following the adoption of Vex, security awareness improved across the entire organization. We adopted Vex initially to improve the security of one of our cloud services; however, adoption of Vex made the entire company more vigilant about security. Consequently, the organization now understands that collecting security information is an essential activity.
Because of this new security awareness, the company maintains confidence in a high level of security even when development processes span multiple departments.
Receiving frequent support via email and remote video conferencing was another major factor for our successful implementation of Vex. This success was due not only to Vex as a tool; the support from UBsecure's security experts also made a huge contribution. I hope that support staff will continue to communicate closely with users.
Although the government encourages Indonesian companies to maintain higher security standards, there are still many companies that lack security awareness.
However, as a global IT service provider, NTT DATA Indonesia follows and focuses on global trends so that we will continue providing products and services with high security standards. Through these activities with Vex, we can demonstrate our ability to fulfil global security standards, and we hope that we can influence and contribute to improving those in Indonesia, too.