Industry: E-Commerce
Company: Trendyol
Location: Türkiye
Product: Invicti ASPM
Trendyol’s Story on Security Automation and AppSec Efficiency with Invicti ASPM.
Challenges
- There was not enough security automation to keep up with the pace of software development.
- Lack of transparency complicated assessment of the effectiveness of the AppSec program.
- Poor orchestration made it difficult to put all the pieces together.
About Trendyol
Founded in 2010, Trendyol has grown to become the largest e-commerce company in Turkey, achieving decade-old manufacturer status in 2021. Following investments in 2018, the company also began serving many European countries and expanded into new business lines such as second-hand clothing and custom delivery. Large-scale operations, a rapidly growing technical team, and a steadily increasing number of applications required an effective and scalable AppSec program that could keep pace with the company’s growth.
Situation
With the development teams growing day by day, it was difficult for security teams to ensure that applications were delivered to production without exploitable vulnerabilities. Manual processes were time-consuming, and since security and development teams worked in isolation, the lack of collaboration prevented security from being an integral part of the software development processes.
The many findings produced by various automated tools and manual testing were scattered across different interfaces, which made them hard for the security team to track and prioritize.
That is when Invicti ASPM crossed paths with Trendyol’s team, and with their vision of supporting promising security startups, they began working together to find creative solutions to the problems.
Invicti ASPM Approach
- Initially, to avoid wasting time on manual scans, all Trendyol scanners were connected to the Invicti ASPM platform to run scans in an automated manner using a planner and a CLI to run tests in pipelines.
- To ensure a self-sufficient approach to security, new applications created by development teams were automatically pushed from the source control tool to Invicti ASPM via the CLI. This way, security teams did not have to deal with creating new applications in the security tools every time a new application was created in the source control tool.
- Various open source security tools were also used in the process before Trendyol invested in commercial alternatives. These solutions were customized according to the company’s needs to focus on priority vulnerability types.
- For grouping based on risk profile, applications were given labels based on threat modeling. Different automation rules were created for different labels, as applications with high-risk profiles required faster response than others.
Results
- Creating a CI/CD pipeline where every security test is executed through the CLI from Invicti ASPM quickly made manual scanning redundant, and security has become an integral part of the pipelines for over 3,000 applications.
- Security and development teams receive instant notifications of scan results in their Slack channels to ensure that no critical vulnerability goes unnoticed.
- By combining the results of automated tools with vulnerabilities discovered in manual activities such as penetration tests, manual reviews, and bug bounty, the overall security posture can be easily tracked on a single platform where development and security teams can better understand each other.
- Tickets are created by security teams on Jira developer boards through the Invicti ASPM user interface, and patch rates can be measured to determine if everything is going well. When a developer closes a flaw, Invicti ASPM automatically runs a scan and reopens the issue if the scanner re-discovers the vulnerability.
- To prevent future vulnerabilities from recurring, developers are assigned personalized courses on writing secure code with Codebashing through the Invicti ASPM user interface after analyzing the types of vulnerabilities introduced into the source code by each developer.
- By using this risk-based approach to create separate automation rules for different applications, security teams have ensured that they quickly detect vulnerabilities that pose a real threat, with minimal human effort.
- By leveraging the full orchestration and automation capabilities of Invicti ASPM, Trendyol has succeeded in creating a scalable, automated AppSec program that is also developer-friendly.