Application Security Engineering for a SaaS Platform
A fast-growing SaaS company needed to build application security practices before a Series B raise introduced enterprise customer security requirements. Mitigence embedded a security architect to establish the AppSec program.
Challenge
The engineering team had no security specialist, no SAST tooling, and no formal vulnerability management process. Critical vulnerabilities had been found in a customer-commissioned penetration test, but remediation was untracked. The company's roadmap required SOC 2 Type II certification within 12 months.
Approach
Mitigence embedded a dedicated security architect for 6 months. We implemented SAST in the CI/CD pipeline, set up DAST testing, established a vulnerability management workflow, ran secure code review sessions with engineering leads, and built the security controls required for SOC 2 certification.
Timeline
6 months
Outcomes
- SOC 2 Type II certification achieved on schedule
- SAST tooling integrated into CI/CD — 100% of new code reviewed pre-merge
- Vulnerability management workflow established; mean time to remediate critical findings reduced from 47 days to 9 days
- Zero critical vulnerabilities in follow-up penetration test (down from 7)
Continuous Improvement
The company retained Mitigence for quarterly application security reviews and ongoing advisory support as the product scales.