Payment technology company

“As we increasingly migrate software development efforts to the cloud, we need a single view of our cloud risk in order to govern pipelines, enforce access, and make remediation as easy and efficient as possible for our fast-moving development team.”

Chief Information Security Officer

Environments: Azure, AWS, Wiz, Snyk

Challenges

- Unified risk management

- Pipeline governance and security

- Too much alert noise

- Difficulty finding code owners

Results

- Unified risk with single dashboard across pipelines

- Governed pipelines: 100%

- Enforced access: least-privilege

- 85% of secrets in code resolved in 2 weeks

- Reduced alert noise: 43%

- Auto-assigned 93% of issues to code owners

About the customer

The company is a provider of cutting-edge prepaid products, services, and transaction technologies to retailers, brands, and consumers.

The environment

The company's engineering team is in the process of cloud transformation and has migrated approximately one-third of its development pipelines to the cloud, primarily on Azure, with a smaller footprint in AWS. The remaining software development is done on premises. The team uses GitHub and Azure DevOps for its code repositories, JFrog for its artifact store, and Jira for its ticketing system.

Efforts to secure development

The company’s security program includes scanning for software vulnerabilities and cloud misconfigurations both in the cloud and on premises, and prioritizing detected issues for remediation. They use a combination of scanning tools, including Qualys, Invicti Netsparker, Snyk, and Wiz.

The challenges:

Managing a fast-moving software development lifecycle both on premises and in the cloud led to several challenges, including having disparate views of risk, inconsistent pipeline governance, and difficulty finding code owners to assign remediation tasks. In addition, the team was overwhelmed with alerts, making it difficult to find and prioritize the ones that were most critical to the business. Specifically, there were challenges around:

1. Unified view of risk

Because the team maintains pipelines and detects security issues both on premises and in the cloud, they struggled to present a single, unified view of the risk. This made it difficult to reconcile and deduplicate security findings, analyze their root causes, and ultimately prioritize them and make them actionable for developers.

2. Cloud governance

The team found that they were not including all of their cloud-based pipelines in their Snyk monitoring program, which meant they weren’t getting the full benefit of a “shift left” security stance in their cloud environments. Moreover, they wanted to govern access in a more systematic way, implementing a “least-privilege” model for their critical resources, such as code repositories. Finally, the team wanted to shore up secrets in code to prevent inadvertent system or data exposures.

3. Alert noise

The team found that their security tools generated too much alert noise, mostly due to tool overlap and duplicate findings, and sometimes from detecting the same issue in multiple stages of development. This meant that just a handful of root causes could mushroom into hundreds of security alerts.

4. Finding code owners

One of the biggest problems the team dealt with was finding the code owner who either had introduced or would be responsible for remediating the vulnerability or misconfiguration that prompted the alert. The team was distributed across pipelines and environments, and there wasn’t enough traceability to know who was responsible for what, which led to elongated remediation times.

The solution: Dazz

To address these issues, the company invested in the Dazz Unified Remediation Platform. With a simple API-based integration, the team connected Dazz to the company’s cloud and on-premises code repositories and detection tools to map its development pipelines. In addition to connecting to code repos and security tooling, Dazz correlates data from AWS services, such as CloudTrail, ECR, and Security Hub, to unify security visibility across the customer’s development and infrastructure. This allows customers to easily prioritize and triage millions of security findings down to a few high-priority remediation actions, measurably reducing risk exposure.

In a single pane of glass, Dazz showed them their development resources mapped across their pipelines, a unified view of risk, and gaps in governance and access control. They could see active code repositories that their software composition analysis tool Snyk wasn’t monitoring, and shore up coverage to 100%. Dazz helped them pinpoint opportunities to align access with policy, such as shutting off unneeded access to code repositories and enforcing a least-privilege access control process.

With Dazz, the team was alerted to secrets in code, which led them to resolve 85% of the secrets within the first two weeks of the program and to set a short-term plan to fix the rest. They deduplicated security findings and collapsed them to a fraction of root causes, reducing alert noise significantly. Finally, they used Dazz to automatically assign nearly all of the issues to the owners responsible for remediation - a big step in the direction of their vision of self-service remediation.

Going forward, the team will roll out Dazz to all developers, and facilitate efficient remediation over a broader swath of their cloud environments, including systems that contain sensitive corporate and customer information, such as payment card industry (PCI) data.

- Discover: Understand the deployment process from code to cloud, unify cloud risk from all tools, and identify architecture gaps.

- Reduce: Clean up the noise: deduplicate and prioritize CVEs and misconfigurations based on their unique root causes, and automatically find their owners.

- Fix: Concise, contextual, and actionable process for remediation, from detection to deployment.

What's next?

The company security team is using Dazz as its central point of truth for its own work and for reporting across security architecture and business units. Next steps will be to use Dazz workflows to enable self-service remediation.

Results summary

- Unified risk: single pane of glass

- Resolved 85% of secrets in code in 2 weeks

- Shored up governance: 60-100%

- Reduced alert noise by 43%

- Enforced least-privilege access

- Automatically assigned 93% of issues to code owners
