theScore Gains Full Code-to-Cloud Visibility with Cycode’s AI-Native Application Security Platform
About Score Media and Gaming
Score Media and Gaming, commonly known as theScore, is a leader in mobile sports media, sports betting, and esports based in Toronto, Canada. The company engages millions of fans daily through its innovative digital media and sports betting products.
The Problem
theScore, an online and mobile sports betting platform, needed to build an application security program from the ground up. Online betting is a highly regulated industry, so theScore needed a platform that was able to meet strict regulatory requirements. In addition, theScore was entering into a strategic partnership with ESPN, an American cable sports network owned by The Walt Disney Company and Hearst Communications. Part of the partnership agreement included requirements for a robust Application Security program. “Contractually, we were obligated to ‘uphold the most stringent of security standards,’” says Jamie Sadler, Head of Application Security at theScore. “We knew we needed a powerful platform that could provide code-to-cloud visibility without the noise traditionally associated with so many application security testing tools.”
theScore wanted to be able to manage all their security-related data from source code to build tools to containers and beyond on one platform. “We needed a solution that would be with us from fingers on keyboard all the way to a service running in production,” says Sadler.
The company decided that an Application Security platform with comprehensive code, software supply chain security, and posture management capabilities would give them the right combination of visibility, risk prioritization, and automated remediation. They evaluated 12 vendors and chose Cycode because it was the only solution that combined intelligent posture management with a full suite of native scanners, including SCA, SAST, and Secrets scanning. Other vendors offered limited or no native scanning capabilities or had gaps in data ingestion and risk prioritization, which would have required theScore to purchase additional tools to get the comprehensive capabilities Cycode offered out of the box. theScore felt strongly that they didn’t want the visibility gaps, additional licensing fees, and added personnel costs associated with managing multiple tools. In addition, Cycode offered support for Elixir, theScore’s primary programming language.
The Cycode Solution
After a head-to-head POC, theScore chose Cycode’s full suite of tools. One of Cycode’s key differentiators was the ease of implementation. Cycode gave theScore instant visibility. “The operationalization of the platform was simple. Integrations were just a couple of button clicks, and we were able to get findings immediately,” says Sadler.
With Cycode, the time to value was evident right away. “In security, scanning data is important, but it’s more than that. It’s the data collection. It's the correlation. It's being smart with the data to understand the full picture of your risk, to understand what alerts to focus on first,” says Sadler. “Cycode was the only platform that was being smart with their data.”
Context is vital to understanding overall risk. According to Sadler, “A single violation is one thing, but a violation that you know is also related to another violation paints a better picture. It casts more context and takes away some of the investigative work that you would be doing manually without a tool like Cycode. For example, scanning a GitHub repo for a docker file and then also being able to see a container running in production - the ability to correlate the two lets you start to think about the bigger picture rather than just silos. And if this is a docker file, the ability to understand that this is related to a container in production is very important because I now know that it’s a higher priority than a vulnerability just in a repo. Cycode is very powerful in this way.”
In addition to broad visibility, Cycode is able to help prioritize findings so that theScore’s Application Security team can focus on optimizing their remediation efforts. “All of these tools have some degree of noise. The Application Security team’s job is to determine what might be a false positive and what is real to make sure we have the right people looking at the right alerts and not wasting any time,” says Sadler. “Cycode has been great at both alert detection and deduplication of alerts, which cuts down on the noise. Plus Cycode’s policy engine is super intuitive so we can adjust our policies in almost real time to provide immediate feedback to developers. The platform tells us when a developer comments on a pull request to say that an alert is a false positive. This allows us to investigate why an alert was dismissed and make a determination in real time. With Cycode, we can shift to more important things like real violations that need to be resolved.”
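The two ideas Sadler describes above, correlating a repository finding with a container running in production so it outranks the same finding in an idle repo, and collapsing the same alert reported by several scanners, can be sketched as a small triage routine. The following is an added illustration, not Cycode's code or theScore's: the scanner names, rule identifiers, repository paths and image names are constructed sample data, and the join on (repository, Dockerfile path) is a simplifying assumption.

```python
"""Code-to-cloud correlation sketch (illustrative, not Cycode's implementation).

Repository scan findings are joined to the containers actually running in
production; a finding in a Dockerfile that feeds a live service gets a boost
over the identical finding in a repo nothing is deployed from. Before ranking,
duplicate reports of the same issue from different scanners are merged."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    scanner: str   # tool that raised the alert (constructed names)
    repo: str      # source repository
    path: str      # file the finding points at
    rule: str      # rule identifier (hypothetical)
    severity: str  # "low" | "medium" | "high" | "critical"


@dataclass(frozen=True)
class Deployment:
    image: str  # container image observed running in production
    repo: str   # repository the image was built from
    path: str   # Dockerfile used for the build


SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
DEPLOYED_BOOST = 2  # assumed weight for "this file backs a live container"


def dedupe(findings: List[Finding]) -> List[Finding]:
    """Collapse the same issue reported by several scanners into one finding,
    keeping the highest severity any scanner assigned to it."""
    best: Dict[Tuple[str, str, str], Finding] = {}
    for f in findings:
        key = (f.repo, f.path, f.rule)  # scanner name deliberately excluded
        current = best.get(key)
        if current is None or SEVERITY_RANK[f.severity] > SEVERITY_RANK[current.severity]:
            best[key] = f
    return list(best.values())


def prioritize(findings: List[Finding],
               deployments: List[Deployment]) -> List[Tuple[int, Finding, Optional[str]]]:
    """Return (score, finding, image) rows, highest score first.

    The join key is (repo, Dockerfile path): a finding on a Dockerfile that a
    running image was built from is correlated with that image and boosted."""
    live: Dict[Tuple[str, str], str] = {(d.repo, d.path): d.image for d in deployments}
    ranked = []
    for f in dedupe(findings):
        image = live.get((f.repo, f.path))
        score = SEVERITY_RANK[f.severity] + (DEPLOYED_BOOST if image else 0)
        ranked.append((score, f, image))
    ranked.sort(key=lambda row: (-row[0], row[1].repo, row[1].path, row[1].rule))
    return ranked


# Constructed sample input: two scanners flag the same Dockerfile issue, one
# Elixir source finding, and a Dockerfile issue in a repo that is never deployed.
SAMPLE_FINDINGS = [
    Finding("sca", "scores/api", "Dockerfile", "base-image-eol", "high"),
    Finding("container", "scores/api", "Dockerfile", "base-image-eol", "medium"),
    Finding("sast", "scores/api", "lib/auth.ex", "hardcoded-secret", "critical"),
    Finding("sca", "scores/sandbox", "Dockerfile", "base-image-eol", "high"),
]
SAMPLE_DEPLOYMENTS = [
    Deployment("registry.example/api:2024.05", "scores/api", "Dockerfile"),
]


def triage_order(findings=SAMPLE_FINDINGS, deployments=SAMPLE_DEPLOYMENTS):
    """Flatten the ranked rows for display or assertion."""
    return [(score, f.repo, f.path, f.rule, image)
            for score, f, image in prioritize(findings, deployments)]


if __name__ == "__main__":
    for row in triage_order():
        print(row)
```

With the sample data the deployed Dockerfile finding (high, boosted to 5) lands above the critical source finding (4), and the identical finding in the undeployed sandbox repo (3) drops to the bottom; a real platform would also map source files such as `lib/auth.ex` into the images built from them rather than joining on the Dockerfile alone.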
The Results
theScore has built a robust Application Security program based on the Cycode platform. They have gained complete visibility into their SDLC and broken down the silos that traditionally plague cybersecurity. Automated workflows have been key to streamlining the company’s program. “With Cycode, we are able to focus on security findings, not creating Jira tickets,” says Sadler. “This frees up the Application Security team’s resources from managing tools to managing risks. Security talent is difficult to find, especially in Application Security. I want to make sure that theScore’s security practitioners are not slowed down with the mundane stuff. Now my team can focus on the relevant parts of the security findings.”
This also helps build a positive relationship between the security and development teams. “Security has long been viewed as a blocker to innovation,” continues Sadler. “An Application Security program won’t be successful unless you have buy-in from all parties. Security doesn’t want to slow down developers’ velocity, so we need a way that developers can unblock themselves but do so in a way that is safe for the business.” Cycode has provided theScore with a solution that fits in seamlessly with developer workflows, including IDE integrations, a CLI, and pull request scanning.
Cycode further fosters a positive partnership between security and development by making both teams more efficient. “Cycode keeps the security practitioners focused on security findings rather than chasing down developers asking ‘Hey, did you work on this?’ Developers know what they need to do, and security stops being a bottleneck to getting code out,” says Sadler. “With Cycode, I really feel like we are in it together. We need to move fast, and Cycode moves fast with us.”
By adopting Cycode, theScore is able to surpass its contractual obligations to ESPN and meet the stringent regulatory requirements that govern the online gaming industry. The best thing about Cycode, however, is the peace of mind it gives theScore. “In cybersecurity, it's exhausting trying to make sure you're looking at everything and not missing a critical risk,” says Sadler. “Cycode has been really good at helping me be confident that we're looking at everything that we need to be looking at to secure the business.”