Springing into Security
Two of the most common security stressors a SaaS company faces are 1) how to efficiently answer a growing pile of vendor security questionnaires, and 2) how to balance shipping new features with maintaining security. As businesses grow and their applications increase in complexity, size or sheer number, CTOs need to consider how these changes impact security. Likewise, new security processes should be integrated at each stage of the application’s lifecycle, from a simple threat model done in the design stage of an application, all the way to integrated dynamic/static analyses and beyond.
Movespring is a Chicago-based company specializing in corporate fitness activities tracked through a mobile application compatible with both iOS and Android. Used by some of the world’s top organizations including Amazon, Uber and Deloitte, Movespring provides a platform for corporations to create custom fitness challenges with the ability to track steps, distance, time worked out, in-app coworker conversations and more. Their application can connect with a multitude of partner fitness trackers such as Fitbit, Apple Watch, and Garmin, among others.
As Movespring continued to grow and expand in the B2B market, internal questions began arising about how to manage the security of an application that’s growing in size and complexity. Did they want to hire more developers to continue managing security internally? Or, did they want to engage a third party who could bring in new perspectives and experience about application security? How were they going to manage growing external pressure from enterprise clients to have proof of application security?
When Movespring came to us in early 2021, they were ready to expand promotion of their B2B application and were proactively seeking a more in-depth solution for their application security. Through quarterly Penetration Testing as a Service (PTaaS), we provided Movespring with an opportunity to dive deeper into their application security and generate answers to top security questions. These answers then enabled more business deals to close faster through an efficient vendor security questionnaire process, and also allowed them to achieve SOC 2 compliance. Through consulting hours included as part of their PTaaS package, the Movespring team also learned how to perform threat modeling on new features.
Without having to hire any internal security staff, Movespring increased their application security competency in areas such as threat modeling and web, API, cloud and mobile security best practices by integrating PTaaS into their existing SDLC. These learnings accelerated their speed in shipping new features. Integration between Movespring’s development team and our team of security engineers meant their developers could better identify and mitigate security vulnerabilities sooner in the SDLC, and ultimately save more time and resources as they further expand their B2B presence.