Shippo empowers customers with the #1 shipping solution, the tool they need to save time and money.

Data Theorem helped Shippo identify and close 138 security issues and remove 27 harmful third-party libraries, all before releasing them to the public app stores.

Shippo
Industry: Software Development
Location: San Francisco, CA

The Company

Shippo's platform is deployed across SSAE 16 and ISO 27001-audited data centers, protected by robust electronic prevention systems, on-site engineering specialists, and security guards. Geographically diverse data center locations also reduce the risk of data loss and service interruption from a catastrophe. Shippo gives customers peace of mind by instituting security measures at every level of its architecture: physical, infrastructure, host, data, application, and business process, as well as at the enterprise level.

Shippo's APIs access sensitive, confidential, and/or regulated customer data, which makes secure apps a necessity. Its enterprise-grade security is architected to protect data and communications, which are encrypted between all endpoints regardless of the device being used. Shippo's redundant network and infrastructure are protected with multiple layers of physical and logical security, and its data centers are audited regularly to ensure compliance with SSAE 16, PCI-DSS level 3, and ISO 27001 standards. Analytics-based, automated fraud detection and mitigation give users peace of mind for their business.

The Challenge

Shippo did not have the in-house experts or a scalable solution to provide security coverage for its mobile apps on its own. It has a contractual requirement with its customers and partners to perform third-party security testing on all of its applications, and the security of each app directly affects revenue and compliance. Meeting this requirement is imperative to its overall success as a leading cloud-based service provider. These constraints led Shippo to seek an outside solution that could provide scalability, flexibility, continuous monitoring, and 24x7 coverage.

Past Alternatives

Before Data Theorem, Shippo relied on professional services, mainly security audits and independent penetration testing teams, for its mobile app security needs. These services were ultimately slow, expensive, and inefficient, and they covered only 10% of its product base. The rate of change in today's modern applications has accelerated through automation, agile development processes, and DevOps efficiency, and these practices have introduced a new wave of threats that traditional AppSec tools do not address.

The Solution

Data Theorem's scanning criteria consist of security and privacy scans used to identify data exposure in mobile apps. The scanning includes, but is not limited to, standard, baseline, and security-centric application logic analysis. Data Theorem's methodology focuses on regulated data such as company confidential and private data, and PII/PHI/PFI.

Data Theorem's App Secure performs static and dynamic analysis on any iOS or Android application in search of security vulnerabilities and privacy gaps. It helps detect injection issues, session management issues, dynamic run-time flaws, vulnerable third-party SDKs, insecure open source libraries, and compliance gaps for PCI, GDPR, HIPAA, FTC, etc. Most importantly, it provides Objective-C, Swift, and/or Java code to fix each identified issue.

For Shippo, the primary areas of focus are data exposure to third-party apps, unauthorized data collection, and data-in-transit or data-at-rest exposures. Data Theorem addresses threat models specific to modern apps and backend API services, helping Shippo identify privacy issues, application-layer attacks, and the potential loss of sensitive data.

The Results

Since deploying Data Theorem, the Shippo team receives fully automated security reviews of every app it publishes in the app stores, which has allowed it to meet regulatory compliance requirements for all of its public-facing apps. Once implemented, Data Theorem enumerated several security issues during the initial scans and has continued to identify and help mitigate issues of varying severity, both vulnerabilities and security gaps. Shippo's developers and security team can log in at any time for status updates, review flaws and alerts, and act on the secure-code recommendations, which saves time, keeps data secure, and reduces the burden on internal IT staff. The security and reliability that Data Theorem's products provide on a continuous basis have been integral to Shippo's success in a rapidly changing app environment.

Statistics

PERCENTAGE OF APPS SCANNED: 100%

CRITICAL FLAWS (P1 ISSUES) THAT DID NOT MAKE IT TO PRODUCTION: 138

HARMFUL THIRD-PARTY LIBRARIES REMOVED: 27

DELAYS AVOIDED FROM APP/PLAY STORE SECURITY REQUIREMENTS: 33

Knowing that Data Theorem continuously discovers, tests, and protects our APIs is important to us. We want to ensure that our customers are in a secure ecosystem, and Data Theorem's platform of our APIs is an important part of our software security testing program. In addition to their security, which is industry leading, the team there is a great partner to work with. Data Theorem is extremely focused on making their customers successful and this goes beyond their product, which is itself world class.