easyfundraising® is the UK’s biggest charity shopping site. Since 2005 it has helped thousands of good causes turn everyday shopping into free donations. It currently has partnerships with over 7,000 brands who will donate part of what a shopper spends on their websites to a good cause of the shopper’s choice. The consumer doesn’t pay any extra. The cost of the donation is covered by the brands. easyfundraising works with well known, respected retail brands including Amazon, eBay, Argos, M&S, Just Eat, Sky and Expedia.
The business model is that both brands and good causes register to participate on the easyfundraising website. Brands pay easyfundraising a commission when purchasers start their shop from the easyfundraising website or app. Shoppers choose which good causes to support by linking them to their accounts. Fundraisers range from major charities – including Macmillan Cancer Support, RSPCA, Save The Children and Stonewall – through to individuals, local community groups and charities.
easyfundraising keeps track of the donations generated by the shopping of each user. The shopper can see these totals instantly online. Similarly running totals are displayed for the number of supporters and the amounts generated for each good cause. Payments to the good causes are made every three months. easyfundraising enjoys a fantastic 4.6 rating on Trustpilot.
On its website easyfundraising tells its users, “If you make a purchase, a commission is generated, and we turn that into a donation - magic!” Actually making the magic happen in a simple, stable and secure way requires robust systems behind the scenes.
The Challenge - In a high visibility sector platform stability is critical for e-commerce cybersecurity
easyfundraising operates online in a highly visible part of the fundraising and charity sector. With over 2 million online shoppers, 7,000 respected brands and 170,000 good causes participating via the company’s website and app, easyfundraising needs to ensure the stability of its e-commerce platform to safeguard its own brand and reputation, especially in a sector where trust is of paramount importance.
System availability and ease of use are key to delivering a great experience for shoppers, retailers and good causes. Security, compliance and data protection considerations must be at the forefront of all actions both in the day to day running of the systems which underpin the website and app, as well as in future developments and how these changes are introduced.
easyfundraising needed a cost-effective solution that would automatically identify known security bugs and compliance risks as part of workflow tooling to help it manage risks in the open source software supply chain. It wanted to replace its manual, ad-hoc approach to testing open source supply chain security which had evolved over time, and to reduce or eliminate the risk of licence breaches.
The Solution - Open Source components mapped and managed
“The easyfundraising software development team proactively de-risks software builds from known security bugs and IP licence risks with Meterian.”
CTO at easyfundraising
easyfundraising selected and implemented Meterian Boost Open Source Security (BOSS) Scanner to enhance the testing of its open source supply chain and to secure and streamline the management of vulnerabilities and licences in the whole software development life cycle (SDLC). Meterian BOSS gives instant visibility to applications’ open source dependencies with automated discovery, risk scoring, continuous scanning, and actionable security insights.
easyfundraising used the BOSS Insights Dashboard to identify the 3,200+ components of its open source supply chain and to identify elements which are vulnerable, have licence violations or missing licences. This greatly improved the accuracy of data and provided the insights needed to guide software development processes, enhance quality control procedures, and inform risk management teams on where to focus mitigation activities.
The Outcome - Secure by Design principles lead to increased confidence and improved productivity
“Automating the software bill of materials report for our applications gives us the visibility to see and manage our use of third party open source software. Developers can easily keep our applications stable and up to date, and I can easily see at any time what the risks are and what we can do to mitigate the risk.”
CTO at easyfundraising
There was a complete implementation of DevSecOps strategy with Meterian BOSS to manage third party open source component risks, with seamless integration into existing developer workflows for legacy and new coding projects. easyfundraising can now continuously manage governance, risk, and compliance of its open source software to ensure the stability of its platform.
The organisation continues to increase the quality of its systems by assuring the open source dependencies, as well as increase confidence in application security of their platforms and APIs. The nimble team of developers grows in impact as it scales up its e-commerce cybersecurity efforts to be more proactive and preventative. “When presented with Meterian’s solution– a comprehensive and high-precision analysis that is performed throughout the SDLC, we immediately shifted from our internal solution to Meterian’s,” says CTO Richard Pogson, “Developer productivity to address security vulnerabilities and licensing risks faster and more thoroughly has increased.” This fulfils a two-pronged initiative that the management board cares about: happy productive software developers and reliable systems to help sustain easyfundraising magic for over 170,000 good causes.
“Meterian enables us to increase security and productivity.”
Lead Architect at easyfundraising
〉Location: Staffordshire, England
〉Industry: Fundraising/Charity sector
CTO at easyfundraising
“Assuring the value of our technology from both e-commerce cybersecurity and intellectual property vantage points are an important part of ensuring growth and sustainability of our platform, which services over 170,000 good causes across the UK. Working with Meterian was quick and straightforward, allowing us to onboard legacy and new coding projects with a DevSecOps approach and apply Secure by Design principles in our software development practice.”