Case Study:

From PCI Certification to Full-Blown Automation

About the client

Travel Tripper (now Pegasus) is an all-in-one provider of websites, booking technology, and digital marketing for hotels. Their e-commerce solutions help hotels worldwide to generate demand, optimise conversions, and maximise revenue. They’ve been providing cutting-edge digital and cloud-based technologies for the hospitality industry for the past 15 years.

PCI certification was just the start

Our association with Travel Tripper started in 2016, when we were conducting a yearly assessment of their CDE and apps for the PCI Certification audit. 

However, their engineering team was developing and releasing new features every quarter, which the annual assessment wasn’t accounting for. Audits once a year just wouldn’t be enough.

Around 2018, there were new developments with the PCI standard, too. Now it was mandatory to assess an application every time they introduced a new feature, or changed the app’s code significantly. 

In order to maintain certification, a single annual audit was out of the question, given the pace of development at Travel Tripper. But that created another issue: conducting multiple assessments purely for PCI certification would rack up a significant cost.

But then, a solution: Automation

Here’s what we proposed to the product engineering team: we wouldn’t just conduct simple assessments, but instead implement our full-fledged AppSec and security automation arsenal on their apps. This might initially seem counterintuitive, given Travel Tripper’s budgetary constraints. But we had a strategy already planned out.

Once we understood their quarterly release cycle, we kicked off the process with the automation buildup. Vulnerabilities that we identified manually in the assessments were turned into automated exploit scripts and run against the target apps.

We also automated a bunch of tools and scripts to run scans against the app's hosting environment and the CDE. We ran these scans on a periodic basis to maintain the security hygiene of the CDE and reported any flags to the engineering team immediately.

Next, we established a regression suite and focused our next assessment only on the new features. We scripted the vulnerabilities we found and added them to the regression suite. 

This intense focus on optimisation gave us incredible results. After just a few releases, we were taking less than half the usual time to assess their apps. 

After just two regression cycles, an assessment that normally took 23 days was taking just 15, and after a few more iterations, that number was down to 10.

Real, tangible benefits

What was remarkable in our engagement with Travel Tripper was the fact that our automation practices allowed us to conduct 4 times the usual number of security assessments without the same increase in cost. 

Not only that, but with this increased efficiency, we were able to offer them our complete AppSec testing and regression solution, which helped them securely deploy new releases every single time. 

Bugs that used to recur every time a new feature was released were eliminated. The security-relevant environment configuration became far more stable, to the point where the automated scans stopped flagging any results in red.

Want to fire up your security automation engines but can’t find the button?