“As threats become more mature and
more technically sophisticated, HP
Fortify software helps us stay ahead
of the game by assuring that all
known vulnerabilities are patched or
prevented. The HP Fortify solution
helps us address all possible
vulnerabilities before we make an
application available to travel agents
or the Web at large.”
–Ariel Silverstone, Information Security Director, Travelport
Travelport, a global provider of software solutions for travel
agencies, corporations, and travel suppliers, turned to HP
Fortify to battle the security threats that come with the growth
in mobile and cloud computing technologies. HP Fortify Static
Code Analyzer (SCA) helps save the company approximately
$18 million a year, while improving the security of its software
by a factor of 3.5.
Case study
Spanning the Globe
Travelport Protects the Traveling Public with
HP Fortify SCA
Industry
Travel and leisure
Objective
Improve application security to insure against
growing threats caused by mobile and cloud
computing technologies.
Approach
HP Fortify Static Code Analyzer (SCA) helps save the
company approximately $18 million a year, while
improving the security of its software by a factor of
3.5.
IT matters
• Enhances application security by a factor of 3.5,
reducing vulnerabilities by more than 70%
• Limits false positives to less than 3%
• Easily handles a high volume of application code
Business matters
• Provides double digit annual savings in PCI audit
costs
• Enables Travelport to hold externally developed
code to the same high standard as in-house
applications
• Supports more programming languages than any
other solution in the market
Case study | Travelport
Travelport is focused on helping travel
companies and corporations deliver the
exceptional experience demanded by today’s
traveling public. The company operates three
key businesses, representing a diverse and
widely recognized group of leading brands,
technologies, and services: Travelport Global
Distribution Systems, Travelport Airline IT
Solutions™, and GTA™, a world leader in the
provision of ground travel products and
services. Travel agencies, corporations, and
travel suppliers everywhere rely on Travelport
solutions to drive productivity, lower costs,
and serve travelers globally. In turn, Travelport
depends on a robust software security
assurance program—of which HP Fortify
Static Code Analyzer (SCA) software is a key
component—to ensure that its customers can
trust the valuable applications it delivers.
Travelport applications are as diverse as
the global community they serve, ranging
from schedule and fare search programs to
hotel, car, and cruise reservation software.
Applications are developed in 14 different
languages (including .NET, Java, COBOL, and
variations of C) by the company’s distributed
staff of approximately 2,000 developers.
Challenges and benefits
Ariel Silverstone is Information Security
Director at Travelport. His organization
creates, manages, tests, and trains with regard
to the whole gamut of information security
and data protection solutions for Travelport
and its customers. It ensures compliance with
every facet of local and global rules, laws,
and regulations, including European Union
directives, Safe Harbor, Sarbanes-Oxley, and
the Payment Card Industry Data Security
Standard (PCI–DSS).
Says Silverstone: “We have several major
challenges. The first is to protect the privacy
of our customers. Secondly, we must not
allow fraudulent travel to occur using our
systems.” The growth in mobile and cloud
computing technologies, which offers a better
experience for the traveling public but makes
security more problematic, represents another
challenge. “As threats become more mature
and more technically sophisticated, HP Fortify
software helps us stay ahead of the game
by assuring that all known vulnerabilities are
patched or prevented,” Silverstone continues.
“The HP Fortify solution helps us address all
possible vulnerabilities before we make an
application available to travel agents or the
Web at large.”
HP Fortify technology also benefits Travelport
financially. “We have an aggressive software
release schedule, and we were paying PCI
auditors to review our code up to six or seven
times a year,” says Silverstone. “By bringing
most of this work in-house with HP Fortify
SCA, our mathematical analysis shows that
we are saving the company approximately $18
million a year, while improving the security
of our software by a factor of 3.5.” In other
words, Travelport has reduced the number
of vulnerabilities by more than 70 percent
since starting to use HP Fortify SCA on a
regular basis. This enables the company to
deliver online capabilities (e.g., the secure
purchase of tickets) that previously would have
been considered too risky from a customer
perspective.
Fully integrated in the
lifecycle
Silverstone first learned about the HP Fortify
solution when he noticed that some of his PCI
auditors were using it. “I clearly understood
what the possibilities were, and I acted on
that,” he says. “I did look at several other
solutions, including Veracode. HP Fortify
supported a far larger set of languages, and
the seat-based HP Fortify pricing model was
preferable to Veracode’s megabyte-based
approach. I also talked with other high-
transaction users outside the travel industry,
and they all said very good things about the
performance and results they had achieved
with HP Fortify software.”
HP Fortify SCA is fully integrated into the
software development lifecycle at Travelport.
When a build is ready to be promoted to
production, it must go through quality and
security testing in parallel. The development
leads ask Information Security to review the
code, which is presented via a secure form,
scheduled in the lab, and tested within seven
business days. The findings are prioritized
and then submitted to the requesting group
and the relevant vice president. Information
Security requests a mitigation plan and does
not approve the production load until the
application has been properly remediated.
According to Silverstone, HP Fortify technology
is a key part of Travelport’s long-term strategic
vision. “Our goal is to deliver applications
that protect the data of both our travel agent
customers and our joint customers, the
traveling public,” he says. “The HP Fortify
solution is a very important element in this
entire effort. It helps us create more robust,
more secure software—and frankly, it makes
the software easier and cheaper to fix.” To
date, more than 300 applications have been
scanned using HP Fortify SCA.
Low false positives
Travelport got the HP Fortify solution up and
running quickly, and the results have exceeded
expectations. “We are especially pleased with
the low false positive rate,” says Silverstone.
“False positives are the kiss of death to any
testing solution. We were anticipating false
positives in the 80 percent range, but we’re
actually seeing less than 3 percent. We’ve also
been pleased with HP Fortify’s ability to work
in parallel and real time with our other testing
processes. HP Fortify software has proven to
be robust and reliable in memory utilization
environments as high as 10GB.” Additionally,
Silverstone believes Travelport’s use of HP
Fortify technology has resulted in greater
productivity, because developers are writing
more secure code and therefore do not need to
go through as many security test cycles.
HP Fortify has delivered another important
benefit to Travelport: A way to hold externally
developed code to the same high standard
as applications that are developed in-house.
“We test third-party code before acceptance,”
says Silverstone. “When we find the code is
insufficiently secure—which we can now prove
using HP Fortify SCA—we can request that
the external developers fix it at no cost to us,
based on our contractual agreement. Before,
we would have to pay them to fix it. We are
strongly recommending that all of our external
developers acquire HP Fortify software, and
I frequently recommend the solution to my
peers in the industry as well.”
HP Services has been a highly effective part
of the complete HP Fortify solution. “The
services team is extremely knowledgeable and
professional,” says Silverstone. “We had one
case in which we needed an answer right then
and there; they called us within 10 minutes.
We’re very happy with them.” Silverstone was
also happy with the training provided by HP
Services. “It was very good. They answered all
our questions, even when we went deep into
the technical realm.”
Gaining competitive
advantage
Moving forward, Travelport is considering
the deployment of HP Fortify software
earlier in the development lifecycle and more
pervasively throughout the organization.
“HP Fortify is a very important technology
partner, one that contributes significantly to
the success of our business as an IT company
in the travel world,” says Silverstone. “From a
business perspective, HP Fortify helps us gain
competitive advantage, thanks to the secure
software we release. With HP Fortify software
as part of our overall process, I am confident
that we are generating code that is even more
secure, more robust, and more reviewed and
tested than the travel industry standard.” As a
leader in application security,
Travelport is pushing global organizations in
the travel industry to make security a higher
priority.
“Our overall security program
helps us stay ahead of the
hackers and maintain our
competitive edge. In all of
these critical areas, HP Fortify
technology has played a key
role in Travelport’s continuing
success in the dynamic travel
industry.”
—Ariel Silverstone, Information Security Director,
Travelport
Concludes Silverstone: “So far, we’ve tested
well over 14 million lines of code. We have
saved the company a tremendous amount
of money. We have become an accepted
benchmark and also a guide to security, both
within Travelport and to some degree within
the industry. Our overall security program
helps us stay ahead of the hackers and
maintain our competitive edge. In all of these
critical areas, HP Fortify technology has played
a key role in Travelport’s continuing success in
the dynamic travel industry.”