Financial Services

“Dazz helped us get visibility over all our pipelines, reduce alert noise, and re-imagine our ticketing process. The result is massively streamlined remediation that saves us time and reduces risk. We couldn’t be happier.”

-Director, Information Security

Company
Annual Revenue
Environments
  • Multi-cloud and on-premises
Challenges
  • Alert noise
  • Pipeline visibility
  • Secrets in code
  • Inefficient remediation
Results
  • Consolidated tools from 4 to 1
  • Noise reduction by 92%
  • Auto-generated 17 simple remediation plans for resolving 391 critical risks

About the customer

The company is a global long-short equity asset management firm focused on innovation across fundamental research, computer-driven trading, macro investing, and venture and growth strategies. The company has more than $28 billion in assets under management (AUM) and 2,300 employees.

The environment

The development team, which is responsible for delivering applications for financial analysis, trading, crypto, and more, runs its environment both on premises and in the cloud. Most of the cloud footprint is in AWS, but the team also uses Google Cloud and Azure. Its toolset includes Bitbucket for source control, JFrog for artifact management, Terraform for infrastructure definition, Jenkins for CI/CD automation, Docker for containers, and Jira for service management.

Efforts to secure development

The company’s security program includes monitoring its software development lifecycle (SDLC) both on-premises and in the cloud. The team uses a combination of Snyk (SCA and SAST), Rapid7 InsightVM (vulnerability management), AWS CloudTrail (audit logs), and Wiz (CSPM). With this mix of tools, the security team detects code flaws, vulnerable third-party components, and cloud misconfigurations, and orchestrates their remediation.

The challenges

As their development efforts grew over time, the team experienced unsustainable alert noise, insufficient pipeline visibility, secrets in code, and inefficient remediation. Specifically:

1. Alert noise

The company’s tools generated too many alerts on the vulnerabilities and misconfigurations in their environment. Many of these were duplicates, with just a handful of root causes mushrooming into hundreds of alerts. Indeed, some types of vulnerability alerts overlapped by nearly 90%. In one example, a single base image flaw propagated to 30 images and led to 2,636 production alerts.
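The base-image case above is the textbook shape of alert noise: one vulnerable package in a shared layer is reported once per image, per environment, per CVE. As an added illustration (not the page's or Dazz's own code), the following Python groups scanner alerts by the package and the image layer that introduced it, so hundreds of per-image alerts collapse into one root cause with one fix location. The layer digests, image names and CVE ids are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One scanner alert on one image. Constructed shape for this example,
    not the schema of any real scanner."""
    image: str    # image tag the scanner alerted on
    cve: str
    package: str  # vulnerable package and installed version
    layer: str    # digest of the image layer that introduced the package


@dataclass(frozen=True)
class RootCause:
    """The thing that actually has to change: one package in one layer."""
    package: str
    layer: str


# Constructed sample data. Layer digests, image names and CVE ids are
# hypothetical; the shape mirrors the case described above: one flawed
# base image inherited by 30 services, each deployed to several environments.
BASE_LAYER = "sha256:base0000"
SERVICE_LAYERS = {f"svc-{i:02d}": f"sha256:svc{i:04d}" for i in range(30)}
ENVS = ("prod-us", "prod-eu", "prod-ap")
BASE_CVES = ("CVE-2023-0001", "CVE-2023-0002", "CVE-2023-0003")


def constructed_findings():
    findings = []
    for svc in SERVICE_LAYERS:
        for env in ENVS:
            image = f"registry.example/{svc}:{env}"
            # three CVEs in one library, all inherited from the base layer
            for cve in BASE_CVES:
                findings.append(Finding(image, cve, "libfoo 1.2.3", BASE_LAYER))
    # one flaw that a single service introduced in its own layer
    findings.append(Finding("registry.example/svc-07:prod-us", "CVE-2023-0099",
                            "bar 4.5", SERVICE_LAYERS["svc-07"]))
    return findings


def group_by_root_cause(findings):
    """Collapse per-image alerts onto the (package, layer) that introduced them."""
    groups = defaultdict(list)
    for f in findings:
        groups[RootCause(f.package, f.layer)].append(f)
    return dict(groups)


def remediation_plans(findings, base_layers):
    """One plan per root cause, ordered by how many alerts it resolves.
    A root cause in a shared base layer is fixed once in the base image and
    then picked up by rebuilding the dependents; anything else is fixed in
    the service's own image."""
    plans = []
    for root, group in group_by_root_cause(findings).items():
        plans.append({
            "package": root.package,
            "layer": root.layer,
            "cves": sorted({f.cve for f in group}),
            "images": sorted({f.image for f in group}),
            "alerts": len(group),
            "fix_in": "base-image" if root.layer in base_layers else "service-image",
        })
    plans.sort(key=lambda p: p["alerts"], reverse=True)
    return plans


def noise_reduction(findings, plans):
    """Fraction of raw alerts that disappear once each root cause is one ticket."""
    return 1 - len(plans) / len(findings)


if __name__ == "__main__":
    fs = constructed_findings()
    ps = remediation_plans(fs, {BASE_LAYER})
    print(f"{len(fs)} alerts -> {len(ps)} root causes "
          f"({noise_reduction(fs, ps):.1%} fewer tickets)")
    for p in ps:
        print(f"  fix {p['package']} in {p['fix_in']}: {p['alerts']} alerts, "
              f"{len(p['images'])} images, CVEs {', '.join(p['cves'])}")
```

The grouping key matters: deduplicating on CVE alone would still leave one ticket per CVE, while keying on the layer digest ties every downstream alert back to the single Dockerfile that needs the upgrade. The same grouping is what lets a ticketing system open one aggregated ticket per root cause instead of one per alert.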

2. Pipeline visibility

The team lacked a unified view of their development pipelines. With multiple tools, both on-premises and in the cloud, they could not easily see all their risk and the status of remediation in a single view.

3. Secrets in code

The team discovered that some of its code contained secrets, such as API keys, that could lead to sensitive data exposure. A secret that has been committed stays in the repository history even after it is deleted from the current revision, so it has to be rotated as well as removed. The team needed a way to remediate the secrets it had found and to prevent new ones from being committed in future.

4. Inefficient remediation

With a large, diverse environment, the organization lacked an efficient way to prioritize and queue remediation of discovered issues. This included working with its Jira ticketing system to ensure a consistent ticket format, aggregation of related tickets into one, and reporting on remediation progress against its service level agreements.

The solution: Dazz

To address these issues, the company invested in the Dazz Remediation Cloud. With an API-based integration, the team connected Dazz to the company’s cloud and on-premises repositories and detection tools to map its development pipelines. In a single view, Dazz showed the team all of its development resources and how they were connected, surfaced secrets in code, collapsed the alert volume down to a much smaller set of root causes, and worked with the team to orchestrate an efficient remediation process.

  • Discover - Understand the deployment process from code to cloud, unify cloud risk from all tools, and identify architecture gaps.
  • Reduce - Clean up the noise: deduplicate alerts and prioritize CVEs and misconfigurations based on their unique root causes, and automatically find their owners.
  • Fix - Concise, contextual, and actionable process for remediation, from detection to deployment.

What’s next

Next up for the company is a truly developer-driven remediation program in which developers can log into Dazz, see all of the issues that pertain to them, learn their root causes, and be presented with several choices for fixing them right in their workflow.

Results summary

  • Consolidated tools from 4 to 1
  • Noise reduction by 92%
  • Auto-generated 17 simple remediation plans for resolving 391 critical risks

See Dazz for yourself.

Get a demo