About the customer
The organization is a multinational diversified manufacturing company. It is the third-largest global electronics manufacturing services original design manufacturer, and has manufacturing operations in over 30 countries.
Cloud journey
The company is early in its digital transformation journey, and maintains a very diverse environment. Some teams are running private cloud environments, while others continue to rely on a more traditional data center. The group Dazz engaged with runs its software development lifecycle (SDLC) in a modern private cloud. The development team delivers applications that run and optimize the company’s manufacturing processes. The company deploys applications to a Kubernetes containerized environment using OpenShift for orchestration, uses Azure DevOps for its code repository, and builds and deploys images using Azure Pipelines.
Secure development process
To detect cloud vulnerabilities and misconfigurations, the security team uses a number of tools. It relies on Harbor to scan containers and Checkmarx for static code analysis and software composition analysis.
The challenges:
Despite a solid start to its cloud journey, the company found a few challenges with its setup. The team needed to ensure safe, compliant cloud usage, unify risk, and streamline the remediation workflow so that the cloud security process would remain sustainable as development projects grew.
1. SDLC governance
The team found overly permissive policies in tools like Azure DevOps.
2. Unified risk management
With tools ranging from SCA to container and secrets scanning, the company needed a single view to aggregate, normalize, and take action on detected risk.
3. Inefficient remediation
The process for remediating vulnerabilities and misconfigurations was manual, and developers were spending more time on fixing issues than on building applications.
The solution: Dazz
To address these challenges, the company invested in the Dazz Unified Remediation Platform. They connected Dazz to their code repository to discover and map their code-to-production development pipelines. They were able to see all of their risk in a single view, as well as identify misconfigurations and unenforced policies per their cloud playbook.
Using Dazz, they identified the code owner of each unique issue based on a machine learning review of the code repository, which provided a deeply contextual root cause analysis for each issue. Ultimately, they were able to remediate more than 99% of their alerts.
- Discover - Understand the deployment process from code to cloud, unify cloud risk from all tools, and identify architecture gaps.
- Reduce - Clean up the noise: deduplicate and prioritize CVEs and misconfigurations based on their unique root causes, and automatically find their owners.
- Fix - Concise, contextual, and actionable process for remediation, from detection to deployment.
What's next?
Next up for the company is a truly developer-driven remediation program in which developers can log into Dazz, see all of the issues that pertain to them, learn their root causes, and be presented with several choices for fixing them right in their workflow.