About the customer
The company is an online fashion and cosmetic retailer, selling over 850 brands as well as its own range of clothing and accessories.
A cloud-forward Microsoft shop
The company is a cloud-first Microsoft shop that standardizes on Azure. They have an advanced architecture and modern DevOps process, shipping many updates per day via continuous deployment.
The development teams keep their code in Azure DevOps and use Azure Pipelines to run their CI/CD processes. They configure infrastructure using ARM and Bicep templates, and ship code using .NET and PowerShell.
Security architecture
To detect software vulnerabilities and infrastructure misconfigurations, the team uses Wiz, Snyk, Azure Defender, and Veracode. Security architects focus on identifying gaps and mapping the organization’s attack surface to mitigate risk and reduce the impact of potential exploits.
The challenges:
Despite being a cloud-forward organization, the team struggled with lack of pipeline visibility, security misconfigurations, and late stage issues:
1. Lack of pipeline visibility
The team’s security architects couldn't fully visualize the organization’s ever-changing software pipelines across development and production.
2. Misconfigured security
Because the team didn’t have a complete picture of the environment, they didn’t know whether their detection tools were effective; some pipelines were not correctly being monitored.
3. Alerts in production
Because they weren’t catching issues early in the development cycle, the organization wasn’t detecting issues until after production, where they posed the most risk and were the hardest to fix.
The solution: Dazz
- Discover - Understand the deployment process from code to cloud, unify cloud risk from all tools, and identify architecture gaps.
- Reduce - Clean up the noise: deduplicate and prioritize CVEs and misconfigurations based on their unique root causes, and automatically find their owners.
- Fix - Concise, contextual, and actionable process for remediation, from detection to deployment.
What's next?
The company security team is using Dazz as its central point of truth for its own work and for reporting across security architecture and business units. Next steps will be to use Dazz workflows to enable self-service remediation.