
Amplify automates security testing with ProjectDiscovery’s precision

Business impact using ProjectDiscovery

  • Automated security testing: Transformed manual security checks into automated regression tests, enhancing continuous vulnerability monitoring.
  • Reduced security workload: Distributed security testing responsibility across QA teams, decreasing the burden on the central security team.
  • Improved vulnerability management: Created a repeatable process to verify vulnerability patches and prevent reintroduction of known issues.
  • Enhanced testing efficiency: Made security scans more intelligent and robust with targeted, application-specific testing.
  • Scalable security framework: Built a scalable foundation to support security testing across hundreds of applications.

The company

A pioneer in K–12 education since 2000, Amplify creates core and supplemental programs in ELA, math, and science as well as formative assessments in early reading and math. Today, Amplify serves more than 15 million students in all 50 states and on six continents. The company requires robust security measures to protect student data and educational resources.

The Challenge: scaling security across a growing portfolio

Amplify wanted to make security testing more efficient and scalable:

  • A need to scan authentication-protected applications: the team required a dynamic application security testing (DAST) tool to pinpoint vulnerabilities
  • A requirement, unmet by traditional tools, to identify complex application-specific vulnerabilities
  • A goal of strengthening security testing across hundreds of applications
  • A desire to have additional tests in place to ensure previously patched vulnerabilities weren’t re-introduced

"We wanted a way to search for vulnerabilities that are very application-specific," explains Calvin Lin, Staff SecOps Engineer at Amplify. "Many competitive products are generic in their vulnerability scanning, especially with paths that exist behind authentication."

The solution

After evaluating several competitors, Amplify chose ProjectDiscovery's solution, starting with the open source Nuclei tool and later expanding to the enterprise platform. Key factors in their decision included:

  • Highly customizable scanning capabilities
  • Active open-source community
  • Frequent updates and responsive development team
  • Flexible template system for creating application-specific tests

Amplify developed an innovative approach using ProjectDiscovery's tools to convert bug bounty reports into automated security tests.

"We take bug bounty reports and convert those into Nuclei templates," Lin explains. "We use Nuclei as an integration test to see if previously reported vulnerabilities are still present by rerunning the same workflow that hackers used to find them."

Implementation

Amplify's implementation strategy focused on:

  1. Creating custom templates based on real vulnerabilities found through their bug bounty program
  2. Integrating security testing into their deployment workflow by running automated scans across different environments
  3. Training QA teams to write and maintain security test templates

"We want to pass it on to Quality Assurance engineers to learn how to write templates and create these integration tests," says Lin. "At the end of the day, the Quality Assurance engineers are in the best position to understand the testing that should be done."

Results and future plans

While still in the early stages of implementing ProjectDiscovery, Amplify has:

  • Successfully automated security testing for their first application environment
  • Created a scalable framework for security testing across hundreds of applications
  • Developed a process to distribute security testing responsibility to application teams
  • Reduced the security team's workload through automation

"The UI, platform, and CLI tools that ProjectDiscovery offers are all very great and useful," Lin notes. "Every single week, I see new updates to the platform - nice quality of life fixes. They listen to feedback and implement them."

Looking ahead, Amplify plans to:

  • Expand ProjectDiscovery scanning to additional applications
  • Expand QA team involvement in security testing
  • Catch vulnerabilities earlier in the deployment process
  • Track vulnerability remediation trends over time

Why ProjectDiscovery

"I would recommend ProjectDiscovery," Lin states. "It's nice to work with a team that really listens to you and implements useful feedback. Right now, it's a valuable platform."