Success Story Whitespots: How iGaming Platform Scaled AppSec from 80 Assets/Year to 30k+ in 15 Minutes

Whitespots Team
application-security
ASPM
AppSec
DevSecOps
open-source
Success-Story

1. 🏢 About the Client Company

  • Company: NDA
  • Industry: iGaming
  • Scale: 30k+ assets
  • Region: Global

About the Client
A large international IT company specializing in the development of comprehensive White-Label solutions for launching and developing iGaming projects. The company operates on a modern technology stack: Kotlin/Java, Spring Boot, containerization (Docker/Kubernetes), CI/CD, enabling rapid development, testing, and deployment of microservice solutions to the market.

The platform’s service portfolio includes:

  • Game aggregator
  • Payment module
  • Betting
  • Affiliate platform
  • AML & Antifraud Analytics
  • Content management

The company also provides support during the launch phase and helps maintain the stable operation of the solutions it delivers.

High development speed, a large number of releases, and a distributed infrastructure make a well-organized Application Security process critical: without centralized, automated security management, it’s easy to lose control over vulnerabilities.

2. 🎯 Prerequisites and Project Goals

Before implementing the Whitespots portal, the client company faced a number of systemic difficulties in AppSec. As the number of services grew and the platform was actively developed, the existing security processes could no longer cope with the ever-increasing workload. Implementing a unified AppSec platform was therefore not merely desirable but a necessary step.

Six months ago, we stopped and removed the DevSecOps infrastructure that we had been building for a whole year. It was a year of wasted time, a year of paying for a dedicated engineer, and dozens of hours of developers who implemented these pipelines. The main problems were systemic: fragmented management, lack of automation, inability to scale. CI/CD updates were rolled out via release train once every two weeks, and we had a separate depressing metric of how much the update had rolled out across the company. In general, a sad story. Without a centralized platform, we simply couldn’t keep up with the company’s growth pace.

Client CEO Client’s CISO

Main Problems

Slow and ineffective security integration

The existing approach allowed only about 80 repositories to be connected in a year — disproportionately small compared to the company’s development pace. This created a gap between the speed of development and the speed of vulnerability detection and remediation.

Fragmented DevSecOps infrastructure management

Regular API key rotation for DefectDojo and DepTrack turned into a multi-hour operation. The lack of a centralized point for managing security tools configurations meant changes had to be made in dozens of places. Each scanner version update required creating PRs in thousands of repositories. Simple changes turned into weeks of work and were postponed for months.

Lack of automatic filtering and validation mechanisms

Most of the work was done manually: engineers checked false positives, dealt with duplicates. There was no automatic false positive filtering - developers saw the same false positives in each release. Repetitive, outdated, or false findings accumulated. The security team spent most of their working time on manual validation, which reduced data quality and made teams’ work difficult.

Lack of a unified Vulnerability Management process

Each team worked according to its own rules and tools, so there was no common understanding of the security state. Basic questions had no answers: “How many active vulnerabilities do we have? How to assess the risk level of each of them?” Consequently, it was impossible to manage risks at the organization level.

Lack of transparency for business and metrics

Management could not promptly receive reliable information about the security state, determine vulnerability criticality, and manage risks. There were no tools for evaluating progress and SLA.

Inability to scale security to match development pace

Without automation and a centralized portal, even small changes caused chain delays, and the growing infrastructure required a significantly more efficient AppSec model.

The combination of these problems created a critical gap between development speed and the team’s ability to control security. Existing processes stopped scaling with the company, making it impossible to promptly identify, validate, and prioritize vulnerabilities. Therefore, the transition to a unified automated AppSec platform became not just an improvement of processes, but a necessary condition for further growth and development sustainability.

In my opinion, if we had simply done nothing with DevSecOps that year, and just collectively drank smoothies, it would have been better.

Client CEO Client’s CISO

3. ✨ Why Whitespots

As part of the Application Security process modernization project, the client company evaluated available solutions and chose Whitespots due to the following advantages:

  • full stack of AppSec automation in one platform;
  • automatic validation and deduplication of findings;
  • integrations and compatibility with CI/CD and development infrastructure;
  • flexibility, scalability and self-hosted approach;
  • ease of management and transparency of security processes;
  • rapid deployment and minimal entry threshold.

An important factor was also that Whitespots ensures a quick start: connecting repositories takes minutes. For a company with a large codebase and dynamic development, this is critical — security is implemented without noticeable delays and complex migrations.

It became clear that the advantages of the Whitespots portal perfectly meet current needs.

Any change in security tools configurations required edits in dozens of pipelines. There was no centralized management — we had to manually synchronize changes between hundreds of files. We needed a platform with an established process: from scanning and deduplication to automatic task creation. Not a set of separate tools, but a system through which all Application Security can be managed. Whitespots Portal provided exactly such a solution — all configurations in one place, all changes applied automatically.

Client CEO Client’s CISO

Whitespots Portal was created so that companies can enable security immediately, without long integrations. In cooperation with a large iGaming platform, this was especially evident: a mature team quickly moved to a new level of AppSec without slowing down development.

Max Mosharov, Whitespots CEO

4. 📌 Key Tasks

To solve the accumulated problems and build a convenient, clear, and scalable AppSec process, the project team identified several key tasks. They reflected what was truly important for ensuring transparency, speed, and sustainability in security and development work.

1. Creating a unified security management center

Instead of fragmented processes, combine assets, vulnerabilities, statuses, priorities, and metrics in a single portal.

2. Automating vulnerability processing:

  • automatic validation of scan results;
  • deduplication;
  • automatic mapping of vulnerabilities to services;
  • automatic CVSS scoring.

3. Scaling the security process

Connecting thousands of assets within a reasonable time.

4. Improving team collaboration

Integration with Jira to reduce delays, accelerate task handoff, and increase development teams’ accountability.

5. Ensuring transparency and manageability

Ability to generate metrics, SLA dashboards, risk trends, and security state reports in real time.

5. 🛠️ Implementation Stages

1. Piloting and assessment of the state of AppSec processes (1 day)

The first step was connecting the client’s assets to the Whitespots portal and conducting a pilot analysis. As part of the pilot, the team assessed the asset structure, the number of vulnerabilities, the quality of data from scanners, and the current ability of the processes to scale with increasing code volume.

The pilot provided an opportunity to see security metrics, risk trends, and the actual picture of AppSec state in real time.

2. Integration with development infrastructure and environment setup (1 day)

After a successful pilot, the stage of integrating Whitespots into the client’s infrastructure began.

This stage included:

  • deployment of the platform in the client’s on-prem environment;
  • integration with GitLab for connecting repositories and change control;
  • integration with Jira for automated task creation and routing;
  • creation of roles, access policies, and structured dashboards for development and security teams.

This ensured full technical readiness for work and connected the infrastructure without disrupting existing DevOps processes.

3. Setting up automation and data normalization (15 minutes)

After deployment, the key automation modules were enabled. They eliminate manual routine and increase data accuracy:

  • Auto-Validator — automatic validation of scan results;
  • Deduplication Engine — merging duplicate vulnerabilities and eliminating repetitions;
  • Automatic CVSS — automatic criticality assessment.

We initially built into Whitespots Portal the ability to enable automation literally in minutes. In this specific case, it immediately allowed us to transition to a stable, predictable process of working with vulnerabilities without unnecessary manual workload.

Max Mosharov, Whitespots CEO

4. Team preparation and transition to operation

After setting up automation and integrations, the platform was ready for use by development and security teams.

This stage included:

  • Demonstration of key work scenarios;
  • Briefing for the security team on working with the Whitespots portal;
  • Setting up notifications for teams responsible for individual services;
  • Verification that integrations and automatic task routes work correctly;
  • Testing data completeness and security flows.

Upon completion of preparation, DevSecOps teams moved vulnerability processing to Whitespots and began using the platform as the main Application Security management tool.

As a result, the nature of work with vulnerabilities completely changed: the need for manual verification disappeared, the number of false positive and duplicate results decreased, and a single “clean” data space appeared for further work.

Previously, we had no answers to basic questions: how many active vulnerabilities are identified by shift left tools, what is their priority, where are they located. After implementing Whitespots, we for the first time got a clear picture of the security state and were able to focus on truly critical tasks, rather than on manual data processing.

Client CEO Client’s CISO

6. ✅ Implementation Results

After Whitespots integration, the client received a centralized, scalable, and fully manageable Application Security model. Whitespots Portal eliminated the bottlenecks of manual processing, ensured high response speed, and brought security processes to a new level of transparency and efficiency.

Below are the key project results.

Process Scaling

  • 30k+ assets connected (repositories, domains, cloud accounts, hosts)
  • Instead of the previous pace of ~80 assets per year, the company gained the ability to connect infrastructure almost instantly.
  • All DevSecOps teams moved to a unified vulnerability management portal.

Reduction in manual work volume

  • Automatic validation mechanisms implemented.
  • Processing automation reached 99%.
  • Teams were able to reduce labor costs and focus attention on real, critical tasks.

Increased communication and response speed

  • Real-time task notifications.
  • Integration with Jira and Slack ensured instant appearance of tasks and notifications for responsible teams.
  • The need to manually track statuses and coordinate between departments disappeared.

Stability and performance

  • Whitespots portal works stably with 1M+ vulnerabilities, opening and filtering data in a second with no degradation of the interface or background processes.

Economic effect and increased efficiency

  • Through automation and scalability, Whitespots provided significant savings in man-hours.

| Metric | Before | After |
|---|---|---|
| Asset coverage | 80 assets / year | 30k+ assets in 15 minutes |
| Manual work | 100% | Automation up to 99% |
| Communication speed | Up to 1 month | Real-time notifications |
| Performance | Crashes at 500k vulnerabilities | >1M vulnerabilities, opens in one second |
| ROI | - | Significant savings in man-hours and AppSec acceleration |
| Transparency and metrics | Absent | SLA, metrics, risk trends, dashboards |
| Process maturity | Fragmented processes | Unified AppSec center |

Operational Load: Before and After

| Task | Before Whitespots | After Whitespots |
|---|---|---|
| Integration API key rotation | 8 hours + approvals | Automatic rotation |
| Scanner version update | 3-4 weeks (PR in 30k+ repositories) | 15 minutes |
| Scanning rule changes | Changes in each repository | Centralized configuration |
| False positive filtering | Manual check each time | Automatic deduplication 99% |
| New team onboarding in Vulnerability Management | Setting up process from scratch for each team | Automatically included in unified process |
| New repository connection | Manual pipeline and integration setup | Automatic connection in minutes |
| Getting vulnerability metrics | Manual data export and consolidation from different sources | Real-time dashboards and automatic reports |
| Scan result validation | 100% manual work | Automation up to 99% |

7. 🗣️ Client Feedback

Previously, we had no mechanism for automatic false positive filtering. To fix something, we had to change each scanner’s configs separately.

We couldn’t just say: ‘Mark all triggers from test directories as invalid’.

Whitespots allowed us to fully automate not only vulnerability detection, but also their validation with 99% accuracy in just a few days. This fundamentally changed our work with Application Security.

Client CEO Client’s CISO

8. ➡️ Next Steps

After successful Whitespots implementation, the client formed a plan for further platform development aimed at increasing Application Security process maturity and strengthening automation.

Expanding coverage and including new teams

The company plans to connect additional product and infrastructure teams, as well as expand platform use in other regions of presence. This will unify security processes and ensure a single work standard for the entire organization.

Support for custom checks and extensible analysis logic

The client’s team is considering implementing additional, company-specific security checks. Expanding the rule set will allow adapting the platform to the unique features of architecture and development processes, such as internal policies, standards, and code quality requirements.

Integration of new internal scanners

Plans include connecting additional security data sources, including internal and custom scanners. This will increase asset coverage, improve analysis completeness, and allow combining all results in a single platform for further automatic processing.

Development of risk analytics

One of the priorities is deepening risk analytics: building more detailed risk models, expanding metric sets, and improving visualization. This will help management assess the current security level even more accurately and make strategic decisions based on data.

Automating report exchange and strengthening transparency

The next step will be automating the formation and delivery of security state reports. This will reduce time for preparing regular reporting and ensure continuous availability of current data for interested teams.
