How Maverix helps to easily transform DevOps in to DevSecOps in Financial organizations
Our customer is a large European bank providing financial services to individuals and businesses in Europe and Asia with over $100 billion assets under management.
In the last three years, the bank adopted DevOps software engineering processes and implemented multiple tools. They use Nexus Repository, Bitbucket, TeamCity, Ansible, and Jira.
The bank also started introducing application security tools to support continuous security testing for each release. They use Checkmarx SAST to discover vulnerabilities in the source code proactively, Sonatype Nexus IQ to manage security in used open-source components, and Netsparker to test the application security in their staging and UAT environments.
The bank has over 150 applications, including front-end systems, applications for core banking, credit risks platforms, payment cards processing systems, and digital omnichannel services used by both businesses and consumers. Software engineering has over 1,000 application builds and more than 100 application releases going into production every week. Multiple internal and outsourced software engineering teams are involved in application development.
The software engineering organization made several attempts to implement DevSecOps by building custom integrations and writing proprietary scripts. However, these attempts to integrate application security testing tools with their DevOps tools and processes did not produce expected results.
The bank’s software security team developed multiple custom scripts to run security scans. These scripts would call Checkmarx, Nexus IQ, and Netsparker at certain stages of the DevOps process triggered from CI/CD pipelines. The security team manually triaged the discovered security issues and handed them over to the development team to fix them.
The intent was to use these scripts by all application development teams within the bank. However, they ran into several problems:
- Scripts required fine-tuning for each application development team;
- Scripts required a lot of effort to implement, and these modified scripts were complicated to support;
- This solution didn’t provide a central repository of security defects from all AST products. It was challenging to deduplicate security issues and prioritize which to fix first;
- Integration with software defect tracking became a challenge since security issues had a lot of false positives;
- The security team didn’t have a comprehensive list of vulnerabilities for each application;
- The current status of critical vulnerabilities was not clear;
- With the growing amount of applications and the underlying process, it was challenging to identify the most vulnerable applications and prioritize the efforts of software engineering teams;
- It was hard to track security defect fixing history. It was unclear whether a particular application version had fixed the security defect;
- The overall collaboration between security and development teams was a prolonged process. The identification of security defects took a lot of time. Developers had less time to fix the priority vulnerabilities before releasing the new application version into production.
To resolve these challenges, the bank decided to implement a purpose-built DevSecOps platform.
Maverix DevSecOps platform was thoroughly evaluated and then selected for implementation. The software security team conducted a proof of concept (PoC) by implementing the Maverix platform for one application.
The PoC demonstrated the ease of integration, convenience of centralized management of all application security tools across the whole application development life-cycle, transparency of defect management, assisted by AI algorithms vulnerability analysis to identify false positives, well-designed dashboards, and flexible reporting functionality.
The bank then organized the onboarding of their other software engineering teams to the Maverix platform. Some teams had already used the application security tools, and some had not yet used any of them. The teams needed to integrate Maverix with their existing application development CI/CD pipelines. In most cases, the teams accomplished such integration within a one-hour screensharing session with Maverix engineers. The development teams could retire many custom Python scripts they built for DevSecOps purposes previously.
After the onboarding session, the security team gained access to a centralized repository of all vulnerabilities already in the next application build.
- The Maverix platform allows them to see all security vulnerabilities for each application, track the open to the fixed ratio for security defects;
- DevSecOps metrics bring full transparency and allow them to prioritize their focus on the most vulnerable applications;
- The security teams were impressed with the software’s ability to analyze and prioritize security issues with the help of AI;
- They were excited with the platform’s ability to seamlessly deliver the confirmed issues to the defect tracking system (Jira) with all required data fields and tags;
- Developers could focus on the highest priority defects and have more time to fix the vulnerabilities before code release into production.
Two months later, the relevant dashboards allowed the security team to identify the development teams where the defect fix rate was lower than the average level across all the teams. The security team was able to initiate additional training to reduce the number of vulnerabilities in the future. They used a list of the most common vulnerabilities across all development teams they could quickly identify using Maverix.
The Maverix platform solves many challenges:
- Enabled DevOps to DevSecOps transformation in a matter of days;
- Performed seamless integration into the existing DevOps pipelines;
- Integrated software engineering with application security testing tools;
- Added security checks into existing CI/CD pipelines;
- Automatically ran security scans with the required configurations;
- Collected all the security scan results in one central repository;
- Detected false positives using AI algorithms and reduced the manual review effort;
- It allowed triaging and prioritization of security issues using an AI-based model for the application vulnerabilities correlation;
- Maintained a two-way synchronization with Jira to centrally track the security defect status and confirm the correction of such a defect.
Implementation of Maverix platform brought multiple benefits:
- It became possible to execute regular security scans of the bank’s applications and fix the priority security vulnerabilities on time;
- The security team got the required transparency of the security level for each application at any point in time and successfully managed their day-to-day operations;
- It could save the efforts of three engineers required previously to write, support, integrate, and fine-tune the custom scripts;
- The security team significantly reduced the time required to analyze application security;
- The number of development teams using application security tools has increased five times;
- The number of covered applications reached 40, with a plan to get 100 over the next few months.