About the customer
The company is a provider of cutting edge prepaid products, services, and transaction technologies to retailers, brands, and consumers.
The company's engineering team is in the process of a cloud transformation and has migrated approximately one-third of its development pipelines to the cloud, primarily Azure, with a smaller footprint in AWS. The remaining software development is done on premises. The team uses GitHub and Azure DevOps for code repositories, JFrog for its artifact store, and Jira for ticketing.
Efforts to secure development
The company’s security program includes scanning for software vulnerabilities and cloud misconfigurations both in the cloud and on premises, and prioritizing detected issues for remediation. They use a combination of scanning tools, including Qualys, Invicti Netsparker, Snyk, and Wiz.
Managing a fast-moving software development lifecycle both on premises and in the cloud led to several challenges: disparate views of risk, inconsistent pipeline governance, and difficulty finding code owners to assign remediation tasks. In addition, the team was overwhelmed with alerts, making it hard to find and prioritize the ones that mattered most to the business. Specifically, there were challenges around:
1. Unified view of risk
Because the team maintains pipelines and detects security issues both on premises and in the cloud, they struggled to present a single, unified view of the risk. This made it difficult to reconcile, deduplicate, analyze root cause of, and ultimately prioritize security findings and make them actionable for developers.
2. Cloud governance
The team found that not all of their cloud-based pipelines were included in their Snyk monitoring program, which meant they weren't getting the full benefit of a "shift left" security stance in their cloud environments. Moreover, they wanted to govern access more systematically, implementing a least-privilege model for critical resources such as code repositories. Finally, the team wanted to find and remove secrets committed to code before they led to a system or data exposure.
3. Alert noise
The team found that their security tools generated too much alert noise, mostly due to tool overlap and duplicate findings, and sometimes from detecting the same issue in multiple stages of development. This meant that just a handful of root causes could mushroom into hundreds of security alerts.
4. Finding code owners
One of the biggest problems the team dealt with was finding the code owner who had introduced, or would be responsible for remediating, the vulnerability or misconfiguration behind an alert. The team was distributed across pipelines and environments, and there wasn't enough traceability to know who was responsible for what, which led to longer remediation times.
The solution: Dazz
To address these issues, the company invested in the Dazz Remediation Cloud. With a simple API-based integration, the team connected Dazz to the company’s cloud and on-premises code repositories and detection tools to map its development pipelines. In a single pane of glass, Dazz showed them their development resources mapped across their pipelines, a unified view of risk, and gaps in governance and access control. They could see active code repositories that their software composition analysis tool Snyk wasn’t monitoring, and shore up coverage to 100%. Dazz helped them pinpoint opportunities to align access with policy, such as shutting off unneeded access to code repositories and enforcing a least-privilege access control process.
With Dazz, the team was alerted to secrets in code, and resolved 85% of them within the first two weeks of the program, with a short-term plan to fix the rest. They deduplicated security findings and collapsed them to a much smaller set of root causes, reducing alert noise by XX%. Finally, they used Dazz to automatically assign nearly all of the issues to the owners responsible for remediation, a big step toward their vision of self-service remediation.
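The two mechanisms the case study leans on, collapsing overlapping alerts from several scanners into one root cause and routing that root cause to a code owner, are easy to sketch in code. The example below is an added illustration, not Dazz's code or the company's; the scanner findings and the CODEOWNERS file are constructed for the example, and the hard part of the real product, tracing a container image or host back to the repository and manifest that produced it, is assumed to have already been done (the `repo` and `path` fields are filled in). Owner resolution follows a simplified subset of GitHub's CODEOWNERS rules: a leading `/` anchors a pattern to the repository root, a trailing `/` covers the whole subtree, `*` is a catch-all, and the last matching rule wins.

```python
"""Collapse multi-tool findings by root cause and route them to code owners.

Added illustration, not Dazz code. All findings and the CODEOWNERS text are
constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass
import fnmatch


@dataclass(frozen=True)
class Finding:
    tool: str      # scanner that raised the alert
    stage: str     # where it was seen: repo, image, or runtime
    cve: str
    package: str
    repo: str      # source repository the artifact traces back to (assumed resolved)
    path: str      # manifest in that repo that pins the vulnerable package


# Constructed sample: one vulnerable dependency reported by three tools at three
# pipeline stages (plus a rescan duplicate), and one unrelated finding.
FINDINGS = [
    Finding("snyk", "repo", "CVE-2023-32681", "requests", "payments-api",
            "services/payments/requirements.txt"),
    Finding("wiz", "image", "CVE-2023-32681", "requests", "payments-api",
            "services/payments/requirements.txt"),
    Finding("qualys", "runtime", "CVE-2023-32681", "requests", "payments-api",
            "services/payments/requirements.txt"),
    Finding("snyk", "repo", "CVE-2023-32681", "requests", "payments-api",
            "services/payments/requirements.txt"),   # same alert raised again on rescan
    Finding("snyk", "repo", "CVE-2024-3094", "xz-utils", "build-tools",
            "docker/Dockerfile"),
]

# Constructed CODEOWNERS file, GitHub syntax; later rules override earlier ones.
CODEOWNERS = """\
# default owner for anything not claimed below
*                     @platform-team
/services/payments/   @payments-team
/docker/Dockerfile    @build-team
"""


def parse_codeowners(text):
    """Return [(pattern, [owners...])] in file order, ignoring comments and blanks."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        pattern, *owners = line.split()
        rules.append((pattern, owners))
    return rules


def owners_for(path, rules):
    """Resolve owners for a repo-relative path; the last matching rule wins."""
    matched = []
    for pattern, owners in rules:
        pat = pattern.lstrip("/")           # leading '/' anchors to the repo root
        if pat.endswith("/"):
            pat += "*"                      # trailing '/' covers the whole subtree
        if fnmatch.fnmatchcase(path, pat):  # fnmatch's '*' also crosses '/'
            matched = owners
    return matched


def root_cause_key(f):
    """Alerts sharing the same vulnerable package pinned in the same manifest are one root cause."""
    return (f.repo, f.path, f.package, f.cve)


def triage(findings, codeowners_text):
    """Collapse findings into one ticket per root cause, each routed to its code owners."""
    rules = parse_codeowners(codeowners_text)
    groups = defaultdict(list)
    for f in findings:
        groups[root_cause_key(f)].append(f)
    tickets = []
    for (repo, path, package, cve), evidence in groups.items():
        tickets.append({
            "repo": repo, "path": path, "package": package, "cve": cve,
            "owners": owners_for(path, rules),
            "tools": sorted({f.tool for f in evidence}),
            "stages": sorted({f.stage for f in evidence}),
            "alerts_collapsed": len(evidence),
        })
    return tickets


def noise_reduction(findings, tickets):
    """Fraction of raw alerts eliminated by collapsing to root causes."""
    return 1 - len(tickets) / len(findings)


if __name__ == "__main__":
    tickets = triage(FINDINGS, CODEOWNERS)
    for t in tickets:
        print(t)
    print(f"alert noise reduced by {noise_reduction(FINDINGS, tickets):.0%}")
```

On the sample data the five alerts collapse to two tickets, a 60% reduction; the payments ticket carries evidence from all three tools and all three stages and is routed to `@payments-team` rather than the catch-all owner. The deduplication key deliberately includes the manifest path: the same CVE in a second repository is a second root cause with a second owner, and merging those would hide work rather than noise.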
Going forward, the team will roll out Dazz to all developers, and facilitate efficient remediation over a broader swath of their cloud environments, including systems that contain sensitive corporate and customer information, such as payment card industry (PCI) data.
- Discover - Understand the deployment process from code to cloud, unify cloud risk from all tools, and identify architecture gaps.
- Reduce - Clean up the noise: deduplicate and prioritize CVEs and misconfigurations based on their unique root causes, and automatically find their owners.
- Fix - Provide a concise, contextual, and actionable remediation process, from detection to deployment.
The company security team is using Dazz as its central point of truth for its own work and for reporting across security architecture and business units. Next steps will be to use Dazz workflows to enable self-service remediation.