From Zero Visibility to Clarity Across 22,000 Code Repositories

Customer success story

Delivering visibility into more than 22,000 code repositories, the tool vastly increases operational efficiency by providing a single location for data on vulnerabilities. As well as offering increased visibility into their overall security posture, this streamlined solution also frees up the development team to focus on coding.

The challenge

Our client, a British media and telecommunications company, was looking to increase operational efficiency, save time spent on identifying and addressing vulnerabilities and reduce risk by increasing visibility across their environment.

With multiple security tools in different places, security data was siloed and needed to be accessed separately. This led to long periods of time spent jumping between tools to find data, and a lot of context switching when it came to looking at the results.

Developers, security teams and senior directors were forced to search in multiple places for critical, often time-sensitive information about vulnerabilities.

Not only did this eat into their valuable time, but it also meant they had no overall visibility into the organisation’s security posture. This lack of visibility significantly hampered the development process, as developers struggled to locate and address security issues.

In addition, the organisation did not have centralised CI/CD pipelines, instead running separate pipelines for individual developers or teams.

Combined with poor visibility, this lack of efficiency was causing major frustration for the development team, slowing down development and increasing the risk of vulnerabilities in the code going undetected.

The solution

RiverSafe was initially brought on board to address the issue of decentralised security data, and help improve operational efficiency.

The team’s goal was to allow for the results to be sent directly to the developers without them needing to access and search multiple security platforms to find the information they needed.

The RiverSafe team created an integration script for the developers to execute when they were running their pipelines. Once triggered, the script would send a notification to a server that RiverSafe had specifically designed, which collated the identified vulnerabilities and relayed them back to the developers’ pull request. This ensured the development team got the information they needed to improve the security of their code.

The next phase: Developing the data insights 

RiverSafe consultants worked alongside the client’s team to take all the security data that was being collected and, rather than sending it only to individual developers’ pull requests, direct it into a single-pane-of-glass tool built for the purpose.

This tool allows the developers to log in and see their repositories and projects in one place. For management, it provides a complete picture of all the vulnerabilities and what they affect, for both individual repositories and a given product.

The tool also allows them to build reports and includes a scoring model that gives a visual rating, so everyone can easily see whether their repositories are secure or not. The scoring system, ranging from insecure to excellent, sends alerts to let developers know if their repositories fall below a certain level, so they don’t need to monitor continually themselves. The RiverSafe team also provides advice on the steps that should be taken to remediate any identified vulnerabilities.

A key requirement of this tool was that it supported multiple security operations, including SAST (Static Application Security Testing), which looks at code smells and general code quality; Software Composition Analysis (SCA), which looks at which libraries are being used; and Secret Scanning, which looks for secrets in the code.

RiverSafe also wanted to ensure that all of this ran serverless on AWS, to minimise the time spent on infrastructure maintenance.

After launching, RiverSafe continued to work on improving this tool, making quality improvements, performing maintenance, and enhancing the integration via the shell scripts.

The outcome

The tool now brings together data from over 22,000 code repositories into one centralised place, allowing the client to see all of their security information, which libraries are most common and where the vulnerabilities are, and to start looking for trends.

Developers and other stakeholders no longer need to scour multiple locations for vulnerability data, saving the company huge amounts of time and making its development process more efficient. With the bespoke script in place, the data comes to them.

This increase in visibility has also led to improvements in response times to zero-day vulnerabilities. Previously, it could take weeks or even months to find all the affected repositories.

However, since implementing RiverSafe’s custom tool, the team has been able to locate repositories featuring the vulnerable package immediately and remediate any issues quickly, massively improving their overall security posture.
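The two capabilities described above, the insecure-to-excellent scoring with below-threshold alerts and the one-lookup answer to "which repositories carry the vulnerable package?", can be sketched with a minimal central index. This is an added illustration, not RiverSafe's or the client's code; the rating thresholds, severity weights, repository and package names are all constructed.

```python
# Added example (not RiverSafe's or the client's tool): a minimal central
# vulnerability index. It ingests per-repository scan findings, rates each
# repository on the page's insecure..excellent scale, lists repositories
# that fall below an alert threshold, and answers the zero-day question
# "which repositories ship package X?" in a single lookup.
# All names, weights and thresholds below are constructed assumptions.
from collections import defaultdict

# Ordered worst to best, matching the scale the page describes.
RATINGS = ["insecure", "poor", "fair", "good", "excellent"]
SEVERITY_WEIGHT = {"critical": 10, "high": 5, "medium": 2, "low": 1}

# Constructed sample scan feed: (repository, package, severity).
FINDINGS = [
    ("shop-web", "acme-http", "high"),
    ("shop-web", "acme-logging", "critical"),
    ("billing-api", "acme-logging", "critical"),
    ("billing-api", "acme-json", "medium"),
    ("docs-site", "acme-markdown", "low"),
    ("infra-scripts", "acme-yaml", "low"),
]

def build_index(findings):
    """Return (weighted score per repo, sorted repos per package)."""
    scores = defaultdict(int)
    by_package = defaultdict(set)
    for repo, package, severity in findings:
        scores[repo] += SEVERITY_WEIGHT[severity]
        by_package[package].add(repo)
    return dict(scores), {p: sorted(r) for p, r in by_package.items()}

def rate(score):
    """Map a weighted score to the insecure..excellent scale (thresholds assumed)."""
    if score == 0:
        return "excellent"
    if score <= 2:
        return "good"
    if score <= 5:
        return "fair"
    if score < 10:
        return "poor"
    return "insecure"

def repos_below(scores, minimum="fair"):
    """Repositories to alert on: those rated worse than `minimum`."""
    floor = RATINGS.index(minimum)
    return sorted(r for r, s in scores.items() if RATINGS.index(rate(s)) < floor)

def affected_by(by_package, package):
    """Zero-day lookup: every repository that carries the given package."""
    return by_package.get(package, [])
```

A repository with no findings at all never enters `scores`, so a production version would seed the index from the full repository inventory rather than from findings alone.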

Thanks to this uplift in operational efficiency, the development team is now able to spend more time improving their code.

RiverSafe and the client’s team are now working on expanding coverage throughout the organisation, improving analytics and alerting, and centralising CI/CD pipelines.
