Web application vulnerability scanner Vex｜PT. NTT DATA Indonesia

To achieve and demonstrate global-standard level of information security in Indonesia

Our company, NTT DATA Indonesia, is a global IT service provider which offers IT services mainly to the financial and manufacturing industries. We offer Employee Welfare cloud services to local companies in Indonesia, primarily to the Indonesian subsidiaries of Japanese multi-national companies. During the development of HR-Zero, an HR Payroll management system, many of our customers were concerned about the system security because of the sensitive nature of the information. In many times, our customers had to explain the validity of our services to their Japanese headquarters that they comply with a global standard. We realized that we must demonstrate accountability of the security level of them and continuously make as much effort as possible to meet the security of a global standard.
Before using Vex, security testing required remote assessment services from our group companies in Japan or on-the-spot assessment services from third parties in Indonesia. However, regular use of these services was not cost-effective, and results depended heavily on the skill of the consultants assigned to the service. We wanted to use a free testing tool to solve the cost problem, but there were no solutions that met our expectations, such as having functions to systematically confirm scan results.
Although we considered using an external assessment service again, we decided to explore the options in house to guarantee a satisfactory level of security.

Adopting Vex, which offers flexibility in report customization and compatibility with CI tool chain

In order to reach the goal, we launched an investigation to find a suitable tool and discovered Vex. Meanwhile we were confident about Vex because it was developed by a Japanese vendor, our expectations increased even further when we learned it was the most popular web application security tool in Japan.
We selected Vex due to two major reasons after a hands-on trial. Firstly, it provides highly customizable reports. Secondly, it is compatible with CI tools such as Jenkins.
Vex is extremely convenient because it can output scan results in multiple types of reports, which enables users to create the type of report best suited to the objectives. The function to display results from the auto-crawling feature to screen transition diagrams is very impressive because the results are easier to analyze and understand visually.
We planned to link Vex with Jenkins and other CI tools to implement a DevSecOps cycle, so compatibility with Jenkins was a key point at the decision to adopt the tool. We felt that integrating Vex into the DevSecOps cycle would improve system security in advance at earlier phases in the system development process. It was a perfect match for our intention and goal of efficiently improving system security.
The ability to run security scans that use only specific patterns is another excellent feature. We can select frequently used requests and scan patterns tailored to the test content, customize them, then save them so that they can be easily retrieved for future scans; this is very convenient.

Improved system security awareness from one business unit to the entire company

We adopted Vex only in the business unit Sony originally belonged to for improvement of the security for our cloud services. When Sony subsequently transferred to the department that designs and operates the cloud environment of the entire company, the scope of his work expanded from a standalone service to all services running on it. Sony continues his effort to raise security levels in his new role by introducing Vex to other cloud services.
Following the adoption of Vex, security awareness improved across the entire organization. We adopted Vex initially to improve the security of one of our cloud services; however, adoption of Vex made the entire company more vigilant about security. Consequently, the organization now understands that collecting security information is an essential activity.
Because of this new security awareness, the company maintains the confidence at a high level of security even when development processes span multiple departments.
Receiving frequent support via email and remote video conferencing was another major factor for our successful implementation of Vex. This success was not only due to Vex as a tool, but also the support from security experts of UBsecure made a huge contribution. I hope that support staff will continue to communicate closely with users.

Contributing to raising security levels in Indonesia

The Indonesian government has been promoting information security management policies since 2016. Its measures include new security regulations related to protecting and managing personal information.
Although the government encourages Indonesian companies to maintain higher security standards, there are still many companies that lack security awareness.
However, as a global IT service provider, NTT DATA Indonesia follows and focuses on global trends so that we will continue providing products and services with high security standards. Through this activities with Vex, we can demonstrate our ability to fulfil global security standards, and we hope that we can influence and contribute to improve the ones in Indonesia, too.