
Table of Contents
- Business impact using ProjectDiscovery
- Introduction: Modern Security Challenges for SaaS Providers
- The Challenge: Gaining Visibility into a Dynamic Attack Surface
- The Solution: A Centralized Open Source Security Platform
- Implementation: A Seamless Integration Experience
- Integration with Existing Tools to Speed Secure Development
- Results: Faster Discovery, Better Compliance, and Peace of Mind
- Conclusion: An Essential Partner for Long-Term Security
Business impact using ProjectDiscovery
- Faster Time to Discovery: Vulnerabilities and CVEs are detected without waiting for external bug bounty reports or manual scans, so the team can concentrate on manually identified issues and remediation.
- Faster Incident Response: Automated vulnerability detection cut discovery time from days to hours, shortening the window between a new exposure and the team's response.
- Improved Security Posture: Continuous monitoring and compliance checks helped prevent incidents like subdomain takeovers.
- Operational Efficiency: Integration with Jira minimized administrative tasks, allowing teams to focus on high-value activities.
- Compliance Assurance: Automated checks supported PCI DSS and SOC 2 Type 2 certifications with minimal manual intervention.
Introduction: Modern Security Challenges for SaaS Providers
Paddle is a payments infrastructure provider for software companies that powers growth across acquisition, renewals and expansion. Like many Software as a Service (SaaS) companies, Paddle manages a complex tech ecosystem. As the company’s platform has grown, so has the need for a more scalable, proactive security solution to manage its external attack surface and maintain compliance with standards like PCI DSS and SOC 2 Type 2.
Paddle's tech stack consists of:
- Backend: Golang, PHP, Python
- Frontend: JavaScript/TypeScript, React
- Infrastructure: AWS
The Challenge: Gaining Visibility into a Dynamic Attack Surface
Before using ProjectDiscovery’s Enterprise tier, Paddle’s security team faced scalability and complexity challenges with their previous approach: they relied on open-source tools like Nuclei and Subfinder, often running scans by hand and managing fragmented workflows.
Senior Application Security Engineer Gedas Skikas shared, “We didn’t have a centralized way to get a full view of our attack surface. New assets could pop up without our knowledge, creating potential vulnerabilities like subdomain takeovers.”
The Solution: A Centralized Open Source Security Platform

Seeking a more integrated approach, Paddle adopted ProjectDiscovery. Its cloud-based model and customizable templates immediately stood out.
“The out-of-the-box functionality allowed us to consolidate asset management, automate scans, and set custom compliance checks, eliminating the need for constant manual upkeep,” Skikas explained.
After evaluating several competitors, Paddle chose ProjectDiscovery largely because of its open-source roots. Having used Nuclei before, the team trusted its reliability and active development, and the open-source foundation meant continuous improvements and a channel for feedback that could influence product development. The ability to write custom Nuclei templates and run targeted scans gave Paddle a tailored solution, and the pricing compared favourably with more established providers.

Implementation: A Seamless Integration Experience
The onboarding process was quick and straightforward. Colin Barr, Head of Security and IT, described how easy it was to integrate the platform into their existing workflows:
“Setting it up was seamless. We fed our DNS records into the platform, and it immediately began monitoring assets and flagging issues.”
Integration with Existing Tools to Speed Secure Development
Paddle integrates ProjectDiscovery with key tools in its security workflow for efficiency and full coverage. Jira handles ticketing and service management, automatically creating tasks when ProjectDiscovery flags issues. This keeps the team organized and ensures vulnerabilities are addressed promptly. Webhooks connect the platform to Paddle’s SIEM, enabling real-time alerts and continuous monitoring.
For internal security, Paddle scans containers and infrastructure for vulnerabilities using their CNAPP platform, complementing ProjectDiscovery’s external attack surface monitoring. This integrated setup allows Paddle’s security team to cover both internal and external risks without adding extra manual work, helping them stay focused on essential tasks.
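The two pieces of this workflow that are easiest to get wrong are the takeover check itself (a CNAME to a third-party host is only dangerous if that host no longer resolves or reports the resource as unclaimed) and the hand-off of each finding to Jira and the SIEM. The block below is an added example written for this article; it is not Paddle's or ProjectDiscovery's code. The zone export, the resolver and HTTP stand-ins, the small fingerprint table, the Jira project key and the SIEM field names are all constructed for the demo.

```python
"""Dangling-CNAME triage over a DNS export, with Jira and SIEM payloads per finding.
Added example, not Paddle's or ProjectDiscovery's code; all data below is constructed."""
import json
from dataclasses import dataclass, asdict

# Constructed BIND-style zone export (not real Paddle records).
ZONE_EXPORT = """\
; constructed sample zone
www.example.test.     300 IN A     203.0.113.10
docs.example.test.    300 IN CNAME example-docs.github.io.
shop.example.test.    300 IN CNAME old-shop.herokuapp.com.
static.example.test.  300 IN CNAME assets-bucket.s3.amazonaws.com.
mail.example.test.    300 IN MX    10 mx.example.test.
api.example.test.     300 IN CNAME api.internal.example.test.
"""

# Illustrative fingerprints: CNAME suffix -> body text the service returns for an
# unclaimed resource. Community lists (e.g. can-i-take-over-xyz) are far larger
# and change over time; this table is an example, not an authoritative list.
FINGERPRINTS = {
    "github.io": "There isn't a GitHub Pages site here.",
    "herokuapp.com": "No such app",
    "s3.amazonaws.com": "NoSuchBucket",
}


@dataclass
class Finding:
    host: str       # the subdomain you own
    cname: str      # the third-party target it points at
    service: str    # matched fingerprint suffix
    evidence: str   # why it was flagged
    severity: str = "high"


def parse_cnames(zone_text):
    """Return {owner: target} for every CNAME record (lower-cased, trailing dots stripped)."""
    cnames = {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop comments
        if not line:
            continue
        fields = line.split()
        types = [f.upper() for f in fields]
        if "CNAME" in types:
            idx = types.index("CNAME")
            if idx + 1 < len(fields):
                cnames[fields[0].rstrip(".").lower()] = fields[idx + 1].rstrip(".").lower()
    return cnames


def match_service(target):
    """Return (suffix, marker) when the CNAME target belongs to a fingerprinted service."""
    for suffix, marker in FINGERPRINTS.items():
        if target == suffix or target.endswith("." + suffix):
            return suffix, marker
    return None, None


def check_takeovers(cnames, resolve, fetch):
    """resolve(host) -> bool (False on NXDOMAIN); fetch(host) -> response body or None.
    Both are injected so the logic runs offline and can be unit-tested."""
    findings = []
    for host, target in cnames.items():
        service, marker = match_service(target)
        if service is None:
            continue  # not a known third-party target; out of scope for this check
        if not resolve(target):
            findings.append(Finding(host, target, service, "CNAME target returns NXDOMAIN"))
            continue
        body = fetch(host) or ""
        if marker in body:
            findings.append(Finding(host, target, service,
                                    f"service reports unclaimed resource: {marker!r}"))
    return findings


def to_jira_issue(finding, project_key="SEC"):
    """Body for Jira's create-issue REST call; project key and issue type are assumptions."""
    return {"fields": {
        "project": {"key": project_key},
        "issuetype": {"name": "Bug"},
        "priority": {"name": "High"},
        "summary": f"Possible subdomain takeover: {finding.host} -> {finding.cname}",
        "description": (f"{finding.host} is a CNAME to {finding.cname} ({finding.service}). "
                        f"Evidence: {finding.evidence}. Verify, then delete the record "
                        f"or reclaim the resource."),
    }}


def to_siem_event(finding):
    """One JSON line per finding, as a webhook-to-SIEM forwarder might emit (assumed field names)."""
    return json.dumps({"event": "subdomain_takeover_candidate", **asdict(finding)}, sort_keys=True)


# Offline stand-ins for DNS and HTTP (constructed behaviour for the demo).
def demo_resolve(host):
    return host != "old-shop.herokuapp.com"   # pretend this Heroku app was deleted


def demo_fetch(host):
    return {
        "docs.example.test": "<html>There isn't a GitHub Pages site here.</html>",
        "static.example.test": "<html>catalogue assets</html>",   # bucket still exists
    }.get(host)


def run_demo():
    findings = check_takeovers(parse_cnames(ZONE_EXPORT), demo_resolve, demo_fetch)
    for f in findings:
        print(to_siem_event(f))
    return findings


if __name__ == "__main__":
    run_demo()
```

In production the two stand-ins would be a real resolver and an HTTP client, and the fingerprint table would come from a maintained source. Two of the four CNAMEs are flagged here: docs.example.test because the GitHub Pages host answers with its unclaimed-site banner, and shop.example.test because its Heroku target no longer resolves; the S3 record is left alone because the bucket still serves content, and the internal CNAME is skipped. Treat the output as candidates to verify before a ticket is raised, since a fingerprint match can also be a transient misconfiguration.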

Results: Faster Discovery, Better Compliance, and Peace of Mind
After adopting ProjectDiscovery, Paddle saw immediate results. Subdomain takeover risks were flagged and mitigated before they could be exploited. Automated policy monitoring supported ongoing PCI DSS compliance by keeping the external scanning evidence current.
“We now discover vulnerabilities faster and with less effort, allowing us to focus on higher-value security work,” Barr noted.
The platform also provided peace of mind.
“It’s like having an insurance policy,” Barr reflected. “You don’t always see immediate returns, but when something critical surfaces, the platform proves its value.”
Conclusion: An Essential Partner for Long-Term Security
ProjectDiscovery has become a cornerstone of Paddle’s security strategy. By automating vulnerability detection and compliance monitoring, it allows the team to focus on delivering value to customers while staying ahead of potential threats.
Barr says Paddle’s use of ProjectDiscovery gives him peace of mind as a security leader, helping his team stay vigilant and prepared. They know that as new vulnerabilities emerge, they’re aware, alert, and ready to respond.