The tool provides centralised security information from over 14,000 code repositories, enabling clients to quickly locate vulnerabilities, identify trends, and respond to zero-day vulnerabilities, leading to increased adoption of security technology and more time for the development team to focus on coding.
Our client, a British media and telecommunications company, was looking to increase the DevOps capabilities across their organisation and to ensure that security was an embedded part of the development process.
They had multiple security tools hosted in different places, each of which had to be accessed separately, so looking for results meant a lot of context switching. This slowed down development and made it harder for developers to see where all of the security issues were.
On top of this, they did not have a centralised CI/CD platform; instead, individual developers or teams ran their own separate pipelines.
These issues were a huge point of frustration for the development team and meant that adoption of the security tools was lower than it should have been, which in turn increased the risk of vulnerabilities in the code.
Management could not see a clear picture of all the vulnerabilities and they did not have an efficient way of taking action on any serious security issues that were identified.
RiverSafe was engaged initially to address the issue of context switching and to allow for the results to be sent over to the developers without them needing to access multiple security platforms.
The RiverSafe team created an integration script for the developers to execute when they were running their pipelines. Once triggered, the script would send a notification to a server that RiverSafe had specifically designed, which collated the identified vulnerabilities and relayed them back to the developers’ pull request. This ensured the development team got the information they needed to improve the security of their code.
After launching, RiverSafe continued to work on general improvement requests on this tool such as quality improvements, maintenance, and improving the integration via the shell scripts.
The next phase: Developing the data insights
RiverSafe consultants worked alongside the client’s team to take all the security data that was being collected and, rather than sending it to individual developers’ pull requests, built a pane-of-glass tool and directed the data there.
This tool allows developers to log in and see their repositories and projects in one place. For management, it provides a complete picture of all the vulnerabilities and what they impact, for both individual repositories and a given product.
The tool also allows them to build reports and includes a scoring model that gives a visual rating, so everyone can easily see whether their repositories are secure or not. The scoring system, ranging from insecure to excellent, sends alerts to let developers know if their repositories fall below a certain level, so they don’t need to monitor it themselves. The RiverSafe team also provides advice on the steps that should be taken to remediate any identified vulnerabilities.
A key requirement of this tool was that it supported multiple security operations: SAST (Static Application Security Testing), which looks at code smells and general code quality; Source Code Analysis (SCA), which looks at which libraries are being used; and Secret Scanning, which looks for secrets in the code.
RiverSafe also wanted to ensure that all of this is serverless on AWS to minimise the time spent on infrastructure maintenance.
The tool reports on over 14,000 code repositories in one centralised place, allowing the client to see all of their security information, which libraries are most common and where the vulnerabilities are, and to start looking for trends.
A huge benefit has been in the response to zero-day vulnerabilities. Previously, finding all the affected repositories could take weeks or even months. This tool allows them to immediately locate which repositories have the vulnerable package and start remediation.
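To make the two capabilities above concrete (the insecure-to-excellent rating with threshold alerts, and the zero-day lookup of repositories pinning a vulnerable package), here is a small in-memory model of such a centralised findings store. This is an added illustration, not RiverSafe's or the client's code; the scoring weights, rating bands, package names and repository data are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass
class RepoFindings:
    """One repository's collated scan results: SCA package list, SAST and secret counts."""
    name: str
    packages: Dict[str, str]   # package name -> pinned version, as reported by SCA
    sast: int = 0              # open SAST findings
    secrets: int = 0           # secrets detected in the code

def parse_version(v: str) -> Tuple[int, ...]:
    # Simplified dotted-numeric comparison; a real service would apply each ecosystem's version rules.
    return tuple(int(p) for p in v.split("."))

def is_vulnerable(pinned: str, fixed_in: str) -> bool:
    return parse_version(pinned) < parse_version(fixed_in)

def affected_repos(repos: List[RepoFindings], package: str, fixed_in: str) -> List[str]:
    """Zero-day lookup: every repository still pinning `package` below the first fixed version."""
    return sorted(r.name for r in repos
                  if package in r.packages and is_vulnerable(r.packages[package], fixed_in))

def score(r: RepoFindings, advisories: Dict[str, str]) -> int:
    """Assumed scoring model: start at 100 and deduct per finding (weights are illustrative)."""
    vulnerable = sum(1 for pkg, fix in advisories.items()
                     if pkg in r.packages and is_vulnerable(r.packages[pkg], fix))
    return max(0, 100 - 40 * r.secrets - 10 * vulnerable - 2 * r.sast)

RATINGS = ["insecure", "poor", "good", "excellent"]   # assumed bands on the insecure..excellent scale

def rating(s: int) -> str:
    return "excellent" if s >= 90 else "good" if s >= 70 else "poor" if s >= 40 else "insecure"

def alerts(repos: List[RepoFindings], advisories: Dict[str, str], minimum: str = "good") -> Dict[str, str]:
    """Repositories rated below `minimum`: the ones whose owners would be notified."""
    below = {}
    for r in repos:
        rt = rating(score(r, advisories))
        if RATINGS.index(rt) < RATINGS.index(minimum):
            below[r.name] = rt
    return below

# Constructed sample data standing in for the collated findings of three repositories.
SAMPLE = [
    RepoFindings("billing-api", {"acme-parser": "3.1.4", "httpclient": "4.5.13"}, sast=3),
    RepoFindings("web-portal", {"acme-parser": "3.2.0"}, sast=1, secrets=1),
    RepoFindings("data-pipeline", {"yaml-tools": "1.2.0"}),
]
ADVISORIES = {"acme-parser": "3.2.0"}   # constructed: package -> first fixed version

if __name__ == "__main__":
    print(affected_repos(SAMPLE, "acme-parser", "3.2.0"))   # ['billing-api']
    print(alerts(SAMPLE, ADVISORIES))                      # {'web-portal': 'poor'}
```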
The development team is now able to focus more time on the code and, as the process of identifying and remediating vulnerabilities has been made so much easier, the adoption of security technology has increased significantly.
RiverSafe and the client’s team are now working on expanding coverage throughout the organisation, improving analytics and alerting further, and looking to centralise their CI/CD pipelines.