Qualpay is a payment processing platform that lets merchants focus on their business. Todd Troutman, Senior Systems Engineer at Qualpay, uses Detectify to automate and simplify his security work and says Detectify is a valuable complement to PCI-approved scanners.
How did you come across Detectify?
You guys had a lot of publicity about a year ago for finding a vulnerability in Patreon and that’s how I originally heard of Detectify.
What are the greatest challenges of working with security?
You want the developers to be able to do what they need to do, but it’s really good to be automatically informed by a third party like Detectify. Detectify lets developers know that what they’ve pushed to production didn’t have any kind of new vulnerability or that no new vulnerability has been discovered that they need to address in the existing code.
Because I work with payments, I need to comply with PCI standards, which involves a yearly audit. Most of the scanning services that are PCI certified meet the regulatory checkboxes, but Detectify is more comprehensive and much more up to date. Even the false positives that Detectify has found occasionally have been good learning experiences.
What’s your favourite Detectify feature?
The one I’ve been using the most recently is the ability to update the HipChat room for developers and have them see when something new’s been found or something new’s been introduced. We then create Jira cases to track down the findings and decide whether they are an accepted risk, a false positive or something we need to fix.
Why would you recommend Detectify?
The interface is very simple, the results that it finds are very useful and they are described very well. The scans seem to run very quickly, which is good because a lot of scanning services seem to have a very long turnaround time. Basically, it’s the magic combination of simple and powerful that’s easy to deploy and get useful results immediately for a very reasonable price.
The support is good too – I only got confused in the interface one time, and support answered very, very quickly and very accurately. A fast response from support is something I really value.
How does Detectify integrate with how you work with security?
I don’t do a particular scan based on pushing new code to production; I went with the default scan intervals. I just react to things as they get pushed to the HipChat room and then go into the interface to check the details.
I have also been able to submit Detectify results to our PCI auditor for some segments of PCI as additional documentation. Overall, the service seems very complementary to PCI-certified scanning and I think it’s a good extra. When it comes to security, you never know if you’ve really gotten everything, so having an extra check on top of everything is very valuable.