When Security is Your Business, You Better Get It Right

Data Theorem helped an already successful security team check their code in pre- & post-production and common code libraries seamlessly.

Cisco Duo
Industry: Enterprise Security
Location: Ann Arbor, MI
The Company

Duo is fanatical about practical, down-to-earth security. They address real-world problems that mobile users encounter, such as phishing, cumbersome authentication and poor security hygiene. Their app also gives administrators controls and lets them set minimum access requirements for each device. When developing and updating the mobile app, Duo writes custom code but also uses open-source code libraries. With attackers innovating in real time, Duo is always interested in innovative security solutions.

The Challenge

There are a number of David and Goliath success stories in Silicon Valley, and Duo Security (Duo) is one to note. Founded in 2009 with the mission to democratize security by making it easy and effective for the average business user, Duo makes security painless for any organization. That message has resonated with customers of all sizes, and 2016 represents the fourth year in a row that Duo experienced triple digit year-over-year growth. With 8,000 customers and five million users, Duo is one of the fastest growing Software as a Service (SaaS) providers in the world.

Recognized as the leading cloud-based user authentication provider, Duo provides security services to companies such as Facebook, Paramount Pictures, Random House, Toyota, Twitter, Zillow and many more. With easy-to-use technology, both small and very large companies can quickly deploy Duo’s products to protect users, data and applications from a host of threats such as breaches, credential theft and account takeover. Some of the largest names in the business are backing Duo, including Google Ventures, Radar Partners, Redpoint Ventures and True Ventures. When it came time to choose another security company to help protect their products, you better believe they insisted on getting it right.

No one is harder to impress with your security technology than another security company. The technology has to be well-designed, technically advanced and still a lightweight, efficient application that doesn’t consume a lot of resources or slow us down.

Jon Oberheide, CTO and co-founder of Duo Security

Past Alternatives

Before Data Theorem, Duo reviewed its key material, checked how components were communicating over the network and ensured users followed best security practices. They verified their code through automated tests, manual checks and similar measures, but were intrigued by the idea of a third-party "sanity check" providing an extra layer of protection to ensure nothing is ever missed. When they saw how Data Theorem's automation makes the process seamless, they were hooked. It was as simple as signing the contract and paying a one-time cost to get things configured; then the solution was running. It was easy and painless; frankly, if it had not been easy to implement and highly sophisticated, Duo would not have been interested.

The Solution

Data Theorem scans Duo's mobile app both in pre- and post-production. It identifies any code issues and integrates with Google's and Apple's beta testing structure to ensure apps meet all security and platform criteria and avoid being rejected by either store. Results are displayed on an easy-to-use dashboard that alerts Duo to P1 issues and notifies them when common app libraries have vulnerabilities.

These alerts save triage time and enable Duo to get a jump on managing the issue. “Managing risk introduced by external risk dependencies is one of the hardest problems in secure software development and delivery,” stated Oberheide. “It is a critical supply chain and looking at every stage of the chain is important. One of my favorite things about Data Theorem is that it provides insight into third party libraries we are using and whether there are critical or known security issues.”

While Duo is proud to say that they have never had any P1 issue alerts in their app, the third-party alerts are incredibly helpful; Data Theorem’s notifications detail the problem, provide developers with clear examples of what to fix, and offer relevant documentation and APIs to significantly reduce the forensic research work. This enables Duo to stay ahead of the curve and fix any vulnerabilities before they become big issues. Duo’s developers were also excited that Data Theorem provides regular tips and updates on current state-of-the-art features, which helps keep them up to date on new features, development cycles and enhancements. “I remember seeing a tip on Data Theorem’s reports talking about a new API on Android that lets you prevent other apps from taking a screenshot of your application,” stated Adam Goodman, co-founder and principal security architect at Duo Security. “I was intrigued and I was able to implement that idea in our app. Insights into libraries and frameworks are one of my favorite features. We stay on the bleeding edge, but Data Theorem’s reports simplify and summarize data that helps keep us up to date.”

When selecting a security technology provider, Duo looks for companies that offer cutting-edge security and non-intrusive, lightweight applications, have a trusted brand and provide easily managed solutions. They found that and more in their relationship with Data Theorem.

The fact that it is automated is really important, security operates in real-time and we cannot afford delays. We were thrilled with the credibility of the team and the product at Data Theorem — we trust the team and that is important for a security firm like ours.

Jon Oberheide, CTO and co-founder of Duo Security

The Results

Zero Approach

Data Theorem “requires”, as much as an external vendor can, that all customers have zero P1 security issues, App Store/Google Play blockers, and 3rd-party SDK/OSS issues. Data Theorem scans for critical (P1) security issues on a daily basis, giving Duo knowledge of any showstoppers in its pre-production environment as well as of “zero-days” in the wild affecting production apps.

Scanning 3rd party SDK & Open Source Libraries

Data Theorem’s ability to scan 3rd-party SDKs and open-source libraries allowed Duo to shed light on an attack surface that would otherwise be a blind spot. While Duo has several processes to ensure its own code is written securely, it cannot apply the same processes to 3rd-party SDKs or libraries embedded in a mobile app.

Secure Code for Developers

Data Theorem was the only company evaluated that also offers “Secure Code” directly to developers to help fix identified security issues. This enables Data Theorem's customers to reduce the time and resources required to fix an issue. Data Theorem can continuously monitor, scan, and fix mobile application security — at scale — with a solution that has a negligible impact on speed and performance.