8-year software cybersecurity program for one of Europe's largest consumer-finance banks.
SAST with Fortify and SonarQube, DAST, manual pentests, SCA with live npm supply-chain monitoring, and architecture reviews — across 4 platforms and 3 stacks.
How Raiport has sustained — from 2018 to today — a continuous, multi-disciplinary, multi-stack software-cybersecurity program for a European financial institution operating in 15 EU countries.
The client
One of Europe's largest consumer-finance institutions, with millions of active customers across 15 EU countries and a network of industrial partners and dealers integrating its financial products at the point of sale.
- Industry
- Consumer finance · Point-of-sale financing
- Scale
- Top-5 in Europe · presence in 15 EU countries
- Stacks audited
- C# / .NET · Java / Spring Boot · TypeScript / Node.js
- Relationship
- 2018 → today · multi-year recurring
Why they called us
Software security is no longer something a one-off audit closes out. In regulated banking, it has to be sustained.
When we came on board in 2018, the client already had a serious security program, but the pace at which their financial-product catalogue and their partner network were growing was starting to outpace their internal security teams.
Every release touched multiple systems. Every new partner integration added attack surface. And the open-source component supply chain — especially in the JavaScript ecosystem — was quietly becoming a major risk vector.
They needed an external partner to act as a technical second line: capable of auditing in depth, of adapting to whichever stack was in scope, and of keeping the pace for years, not just a quarter.
Agreed goals
- Maintain continuous SAST coverage on all critical products.
- Reinforce with DAST and penetration testing at sensitive milestones (releases, new partners, architecture changes).
- Monitor the open-source dependency supply chain in real time.
- Deliver to the risk committee traceable, release-over-release comparable metrics.
How we do it
Five cybersecurity audit disciplines, one reporting framework, eight years of habit.
Timeline, year by year
- 2018
Program kickoff
Scope definition, Fortify and SonarQube integration into the client's CI/CD, first vulnerability baseline across the dealer and quoting platforms.
- 2021
Expansion to DAST and pentesting
We added automated DAST and manual penetration testing on the internal finance platform and web components. Coverage extended to C#/.NET, Java and TypeScript.
- 2022
Recurring executive reporting
Standardized release-over-release comparative reporting: critical-vulnerability deltas, mean time to remediation, per-component exposure.
- 2025
npm supply-chain monitoring
Detection of the client's exposure to the Shai-Hulud worm on npm (570+ compromised packages). Immediate exposure inventory, blocked-version list, continuous monitoring of indicators of compromise.
What we sustain release after release
Continuous cybersecurity auditing means numbers you compare to your own baseline — not snapshots that die in a PDF.
Static analysis of the source code at every release: Fortify for the reporting regulators expect, SonarQube for code quality and fast feedback to developers.
Dynamic tests at sensitive milestones: major releases, new partners, newly exposed endpoints, architecture changes. Manual pentesting on the most critical products.
Continuous inventory of open-source dependencies (npm, NuGet, Maven). Real-time monitoring of supply-chain incidents with proactive version blocking.
The program covers 4 platforms across C#/.NET, Java/Spring Boot and TypeScript/Node. Our proprietary Software Reports framework unifies executive and technical reporting across all disciplines — SAST, DAST, SCA, pentests, architecture — into a single comparable format.
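The dependency inventory and version blocking described above, as an added example that is not code from this page or from Raiport: a Node script that flattens an npm lockfile (lockfile versions 1, 2 and 3) into a package inventory, matches it against a blocked-version list and a watch list, and emits "name@version" specifiers for a registry deny rule or a preinstall check. The package names, versions and blocklist are constructed for illustration, not real incident data.

```javascript
// Added example (not code from the page or from Raiport): inventory the
// packages pinned in an npm lockfile and match them against a list of
// blocked versions and a watch list. Package names, versions and the
// blocklist below are constructed for illustration, not real incident data.
'use strict';

// Flatten a parsed package-lock.json into [{ name, version, path, dev }].
// lockfileVersion 2/3 keeps a "packages" map keyed by install path;
// lockfileVersion 1 nests "dependencies" recursively.
function inventoryFromLock(lock) {
  const inventory = [];
  if (lock.packages) {
    for (const [installPath, meta] of Object.entries(lock.packages)) {
      if (installPath === '' || meta.link) continue; // root project / workspace links
      // The package name is whatever follows the last "node_modules/",
      // which also handles scoped names such as @scope/name.
      const marker = 'node_modules/';
      const name = installPath.slice(installPath.lastIndexOf(marker) + marker.length);
      inventory.push({ name, version: meta.version, path: installPath, dev: Boolean(meta.dev) });
    }
  } else if (lock.dependencies) {
    const walk = (deps, parent) => {
      for (const [name, meta] of Object.entries(deps)) {
        const installPath = `${parent}node_modules/${name}`;
        inventory.push({ name, version: meta.version, path: installPath, dev: Boolean(meta.dev) });
        if (meta.dependencies) walk(meta.dependencies, `${installPath}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return inventory;
}

// blocklist: { packageName: [exact versions to block] }
// watchlist: package names to report at any version (under investigation)
function checkExposure(inventory, blocklist, watchlist = []) {
  const watch = new Set(watchlist);
  const blocked = [];
  const watched = [];
  for (const entry of inventory) {
    const bad = blocklist[entry.name];
    if (bad && bad.includes(entry.version)) blocked.push(entry);
    else if (watch.has(entry.name)) watched.push(entry);
  }
  return { blocked, watched };
}

// Deduplicated "name@version" specifiers for a registry-proxy deny rule
// or a preinstall check in CI.
function blockSpecifiers(blocked) {
  return [...new Set(blocked.map(e => `${e.name}@${e.version}`))].sort();
}

// Constructed sample lockfile: one blocked version at top level, a nested
// copy of the same package at a clean version, and a watched dev dependency.
const SAMPLE_LOCK = {
  name: 'dealer-quoting-ui',
  lockfileVersion: 3,
  packages: {
    '': { name: 'dealer-quoting-ui', version: '1.0.0' },
    'node_modules/@acme/color-utils': { version: '4.1.2' },
    'node_modules/left-padder': { version: '1.3.0' },
    'node_modules/left-padder/node_modules/@acme/color-utils': { version: '4.0.9' },
    'node_modules/ts-build-helper': { version: '2.2.0', dev: true },
  },
};
const SAMPLE_BLOCKLIST = { '@acme/color-utils': ['4.1.1', '4.1.2'], 'ts-build-helper': ['2.2.1'] };
const SAMPLE_WATCHLIST = ['ts-build-helper'];

if (typeof require !== 'undefined' && require.main === module) {
  // Usage: node check-lock.js [path/to/package-lock.json]  (sample data when no path is given)
  const lock = process.argv[2]
    ? JSON.parse(require('node:fs').readFileSync(process.argv[2], 'utf8'))
    : SAMPLE_LOCK;
  const report = checkExposure(inventoryFromLock(lock), SAMPLE_BLOCKLIST, SAMPLE_WATCHLIST);
  console.log(JSON.stringify({ ...report, blockSpecifiers: blockSpecifiers(report.blocked) }, null, 2));
  if (process.argv[2] && report.blocked.length > 0) process.exitCode = 1; // fail the pipeline on a hit
}
```

Matching is on the exact pinned version rather than a semver range because an incident blocklist names the specific versions that were republished; nested copies under another package's node_modules are inventoried separately, which is how a clean top-level version can still hide a blocked one deeper in the tree.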
What we deliver each cycle
Quarterly executive report
Critical-vulnerability deltas, mean time to remediation, exposure to supply-chain incidents. 10-minute read for the risk committee.
Per-product technical report
Prioritized findings with evidence, CVSS, code path and actionable remediation plan for the development team.
Live dependency inventory
Open-source package inventory per project, versions, known CVEs, monitored packages and blocked versions.
Supply-chain early alerts
Immediate notification when a relevant IoC is published (compromised package, malicious domain, hash) that affects the client.
Technical sessions with the client team
Walkthrough of each batch of findings with the client's developers and architects. Focus on preventing regression.
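The release-over-release metrics named above (critical-vulnerability deltas, mean time to remediation, per-component exposure), as an added example that is not code from this page or from Raiport's Software Reports framework: two releases' static-analysis findings are matched by a line-number-independent fingerprint, partitioned into opened, carried and fixed, and summarized. All finding records are constructed.

```javascript
// Added example (not code from the page or from Raiport's Software Reports
// framework): compare two releases' static-analysis findings and derive
// release-over-release metrics. All finding records are constructed.
'use strict';

// Identity of a finding across releases: rule + file + enclosing symbol.
// Line numbers are deliberately excluded; they shift with every commit and
// would make an untouched finding look like one fixed and one new.
function fingerprint(f) {
  return `${f.rule}|${f.file}|${f.symbol}`;
}

// Partition the current release's findings into opened / carried / fixed
// relative to the previous release. Carried findings keep their original
// firstSeen date so their age keeps accumulating across releases.
function compareReleases(prevFindings, currFindings) {
  const prev = new Map(prevFindings.map(f => [fingerprint(f), f]));
  const curr = new Map(currFindings.map(f => [fingerprint(f), f]));
  const opened = [], carried = [], fixed = [];
  for (const [fp, f] of curr) {
    if (prev.has(fp)) carried.push({ ...f, firstSeen: prev.get(fp).firstSeen });
    else opened.push(f);
  }
  for (const [fp, f] of prev) if (!curr.has(fp)) fixed.push(f);
  return { opened, carried, fixed };
}

const DAY_MS = 24 * 60 * 60 * 1000;

// Mean time to remediation in days for findings closed in the release dated
// releaseDate (ISO yyyy-mm-dd; Date.parse treats date-only strings as UTC).
function meanTimeToRemediationDays(fixed, releaseDate) {
  if (fixed.length === 0) return 0;
  const release = Date.parse(releaseDate);
  const total = fixed.reduce((sum, f) => sum + (release - Date.parse(f.firstSeen)), 0);
  return total / fixed.length / DAY_MS;
}

function countBySeverity(findings, severity) {
  return findings.filter(f => f.severity === severity).length;
}

// Open findings per component (first path segment) for the per-component view.
function exposureByComponent(findings) {
  const out = {};
  for (const f of findings) {
    const component = f.file.split('/')[0];
    out[component] = (out[component] || 0) + 1;
  }
  return out;
}

function releaseSummary(prevRelease, currRelease) {
  const diff = compareReleases(prevRelease.findings, currRelease.findings);
  return {
    release: currRelease.date,
    criticalDelta: countBySeverity(currRelease.findings, 'critical') - countBySeverity(prevRelease.findings, 'critical'),
    opened: diff.opened.length,
    fixed: diff.fixed.length,
    carried: diff.carried.length,
    mttrDays: Math.round(meanTimeToRemediationDays(diff.fixed, currRelease.date)),
    exposureByComponent: exposureByComponent(currRelease.findings),
  };
}

// Constructed sample data. The SQL injection finding survives into the
// second release at a different line; two findings are closed; one is new.
const PREV_RELEASE = { date: '2025-03-01', findings: [
  { rule: 'SQL Injection', file: 'quoting/QuoteRepository.cs', symbol: 'FindByDealer', line: 88, severity: 'critical', firstSeen: '2025-01-10' },
  { rule: 'Cross-Site Scripting', file: 'dealer-web/search.ts', symbol: 'renderResults', line: 41, severity: 'high', firstSeen: '2025-02-01' },
  { rule: 'Path Manipulation', file: 'documents/ContractExport.cs', symbol: 'Export', line: 120, severity: 'critical', firstSeen: '2024-12-01' },
] };
const CURR_RELEASE = { date: '2025-06-01', findings: [
  { rule: 'SQL Injection', file: 'quoting/QuoteRepository.cs', symbol: 'FindByDealer', line: 97, severity: 'critical', firstSeen: '2025-06-01' },
  { rule: 'Insecure Deserialization', file: 'partners/PartnerCallback.java', symbol: 'handle', line: 55, severity: 'critical', firstSeen: '2025-06-01' },
] };

console.log(JSON.stringify(releaseSummary(PREV_RELEASE, CURR_RELEASE), null, 2));
```

On the sample data the critical delta is 0, although one critical finding was closed and a different one opened; the delta alone would read as "no change", which is why a comparable report carries opened, fixed and carried counts beside it.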
The outcome
A top-5 European bank with an 8-year continuous audit program, with no gaps and no vendor changes.
- Program continuity since 2018 over multiple critical platforms — the client takes our reporting into the risk committee without having to rewrite it.
- Ability to simultaneously audit C#/.NET, Java/Spring Boot and TypeScript/Node without switching partners.
- Immediate response to the Shai-Hulud attack (npm) in September 2025: inventory, blocking and monitoring within hours, not weeks.
- Release-over-release comparable reporting that feeds directly into internal governance (PCI DSS, ISO 27001, risk committee).
“We've been working with Raiport for years. When the npm story broke in September, they called us before our own internal teams had spotted the exposure. That's the difference between a vendor and a partner.”
Why Raiport has sustained this program for 8 years
Multi-discipline + multi-stack + proprietary framework + historical memory of the client.
SAST + DAST + SCA + pentests in one team
We don't subcontract disciplines. The same team that runs Fortify and SonarQube SAST runs manual pentesting, monitors the package supply chain and reviews architecture. That prevents the gaps that typically appear between disciplines.
Stack-agnostic
C#/.NET, Java/Spring Boot, TypeScript/Node, IBM API Connect. The Software Reports framework normalizes the output of each tool so the client sees a single executive format.
Historical memory of the client
We've been at it for 8 years. We know which modules were carrying debt back in 2019 and which controls were closed in 2023. That accelerates the triage on every new audit — we don't start from zero each time.
Supply chain as its own discipline
The Shai-Hulud incident was not a one-off effort: continuous SCA has been a piece of the program since 2024. Live inventory, monitored IoCs, blocked versions and real-time reporting to the client.
FAQ
Does your organization need a program like this?
If you have critical software, multiple stacks, frequent releases and a risk committee that demands traceability — yes. Start with a free 30-minute session where we'll walk you through exactly how we'd set it up for your case.