CUSTOMER STORIES | TIMELY
Helping Timely build secure applications from design to delivery
Timely needed secure development training to help them reduce their application risk and give their customers the highest quality digital product possible.
As firm believers in cyber security being a shared responsibility, Timely appreciates how SafeStack helps them build secure development practices into their software development lifecycle, from initial design all the way through to product delivery.
“Providing high-quality security training to our product teams is a cornerstone of our overall plan for creating a more secure product and software delivery lifecycle, and SafeStack meets our needs perfectly.”
Information Security Lead, Timely
Founded in Dunedin, New Zealand in 2011, Timely provides powerful online booking and business management software to about 20,000 businesses in the beauty industry around the world.
Their team of over 100 remote workers is spread across the globe, with offices in New Zealand, Australia, and the United Kingdom.
Timely’s product teams include about 30 developers and quality assurance testers, who are all enrolled in SafeStack’s Secure Development program and are working their way through all the available content. Timely’s product owners also get access to SafeStack courses so they can improve their cyber security knowledge.
Prioritizing trust and application security
In 2019, Timely was growing steadily, and it was time for them to bring payment services into their software. Understandably, making sure customers could trust Timely was — and still is — a high priority.
As an organization using Agile methodologies, Timely’s developers were delivering code several times a day, and they needed to be sure security was built into their app from the start. A key part of this was their people having the confidence to do their own threat assessments, as well as understanding and properly implementing security requirements.
Our main driver for training our teams in secure development is the need to deliver secure code. Security should be the responsibility of all teams — not only the security team — and it needs to be considered from design to delivery.
Camille Marsigny, Information Security Lead
Before Timely signed up for SafeStack, they’d worked with our advisory team (now operating as SafeAdvisory) to improve Timely’s security governance. Following on from this, Timely wanted to boost their product security and their team’s overall level of cyber security knowledge.
When SafeStack launched in 2020, Timely joined as an early customer and have seen great results since then.
The right combination of secure development content
Timely needed courses that covered high-level security principles and concepts, as well as more in-depth content with concrete examples of implementation.
With its combination of these elements as well as hands-on labs where learners can test their knowledge, SafeStack’s Secure Development program has proven to be the perfect fit for Timely.
Camille notes that SafeStack’s systems-level approach to secure development means the courses cover a wide range of security concepts, and says they appreciate the monthly seminars and regular course releases.
SafeStack’s labs were a great way to reinforce key security concepts. They were fun, too!
Elwyn Benson, Front End Development Lead
Having joined in the early days of SafeStack, the Timely team has also enjoyed seeing new features and content become available. They mention the clarity of course content and using the labs as a way to apply the concepts they learn as particular highlights of their learning experience so far.
Incentivizing training with friendly competition and support
Because this was the first security training program Timely had introduced, they wanted to do everything they could to make it a success.
They set up a challenge between their product teams, with the winning team (who won a session at an escape room) being the first one to have all their developers and testers complete three of the foundational courses:
Timely also supported their learners by running a workshop to help people solve the labs and develop their understanding of concepts if needed.
The combination of these initiatives has made the uptake and completion rates for the Secure Development program something Timely can be proud of. All their developers and testers have now completed the three courses mentioned above, and these courses are also built into onboarding training for new hires in these roles.
Measuring cyber security success
At the same time as Timely rolled out SafeStack training, they also began using an automated risk assessment that product teams run during refinement sessions for each of their work items.
One of the main requirements of having security training in place was to help Timely’s product teams understand what the risk assessment was telling them, as well as the security requirements it was generating.
Between the training and the risk assessment, Timely has found its product teams are now more aware of their impact on application security and they’ve developed new and improved security habits.
We’re definitely catching more vulnerabilities before delivery now, which means we’re reducing application risks.
Camille Marsigny, Information Security Lead
As Timely continually improves its software delivery lifecycle, they plan to keep training their developers and testers through SafeStack, with the potential to enroll more of their team as well.
We’re thrilled to help Timely strengthen the security of their product and we look forward to seeing what improvements they’ll make next.