Enhancing Security Through Automated Code Checking: A Case Study on Cisco Duo Security

Duo Security, now a part of Cisco, is a leading provider of unified access security and multi-factor authentication delivered through the cloud. Duo is fanatical about practical, down-to-earth security. They address real-world problems that mobile users encounter, such as preventing phishing, simple security authentication and security hygiene problems. Their app also enables administrator controls and sets minimum access requirements for each device. Duo provides security services to companies such as Facebook, Paramount Pictures, Random House, Toyota, Twitter, Zillow and many more. With easy-to-use technology, both small and very large companies can quickly deploy Duo’s products to protect users, data and applications from a host of threats such as breaches, credential theft and account takeover.

Duo Security, a part of Cisco, is a leading provider of unified access security and multi-factor authentication delivered through the cloud. Despite being a successful security company, Duo was interested in innovative security solutions that could provide an additional layer of protection to their code. They were particularly intrigued by a technology that could automatically double-check their code and common code libraries quickly and seamlessly. While they had never had a major problem, this “sanity check” sounded like a great idea. However, they insisted on a solution that was well-designed, technically advanced, lightweight, efficient, and did not consume a lot of resources or slow them down. Before Data Theorem, Duo used key materials, checked how things were communicating over the network, and ensured users followed best security practices. They confirmed their code through automated tests, manual checks, etc. but were intrigued by the idea of a third-party 'sanity check', providing an extra layer of protection to ensure nothing is ever missed.

Data Theorem provided the solution Duo was looking for. It scans Duo's mobile app both in pre- and post-production, identifying any code issues and integrating with Google and Apple's beta testing structure to ensure apps meet all security and platform criteria to avoid being rejected by either store. Results are displayed on an easy-to-use dashboard that alerts them to P1 issues, as well as notifies Duo when common app libraries have vulnerabilities. These alerts save triage time and enable Duo to get a jump on managing the issue. Data Theorem’s notifications detail the problem, provide developers with clear examples of what to fix, and offer relevant documentation and APIs to significantly reduce the forensic research work. This enables Duo to stay ahead of the curve and fix any vulnerabilities before they become big issues. Duo’s developers were excited that Data Theorem also provides regular tips and updates on current state-of-the-art features, it helps keep them up-to-date on new features, development cycles and enhancements.

• The implementation of Data Theorem's solution has brought significant operational benefits to Duo. The automated scanning of Duo's mobile app both in pre- and post-production has ensured that any code issues are identified early, reducing the risk of app rejection by Google or Apple's stores. The alerts provided by Data Theorem have saved triage time and enabled Duo to manage issues proactively. The detailed notifications from Data Theorem have reduced the forensic research work required by Duo's developers, allowing them to focus on fixing vulnerabilities. Furthermore, the regular tips and updates on current state-of-the-art features provided by Data Theorem have helped Duo's developers stay up-to-date on new features, development cycles and enhancements. Overall, the solution has enhanced Duo's security, without slowing them down or consuming a lot of resources.

• Data Theorem scans for critical (P1) security issues on a daily basis, allowing Duo to know about any showstoppers in its pre-production environment, but also knowledge about “zero-days” in the wild on production apps.

• Data Theorem’s ability to scan 3rd party SDK & Open Source libraries allowed Duo to shed light on an attack surface that would otherwise be a blind spot.

• Data Theorem was the only company that also offers “Secure Code” directly to developers to help fix identified security issues. This enables Data Theorem's customers to streamline the amount of time and resources required to fix an issue.