How Maverix helps to improve security KPI’s and keep Time-To-Market at the target level at the same time

The customer is a leading European logistics company providing parcel and mail delivery services to consumers and businesses. Moreover, they are continuously developing custom applications for the digitization of their business.

Internal software engineering teams and distributed outsourcing teams produce hundred new releases every month. Software engineering infrastructure includes GitLab, TestRail, Artifactory, TeamCity, YouTrack, and Jira. The customer has 60+ applications with 40 МSLOC (Million Source Lines of Code) covered by DevOps processes and 50+ development teams working on them.

The customer has strict software security requirements. Business applications are one of the most critical components for their operations.

The accelerated DevOps development processes and the increasing number of applications led to new challenges for the software security team. At the end of the development cycle, manual security checks had to be replaced with frequent security scans since they became ineffective. The technical debt of security issues was growing along with the general risk of exploiting vulnerable software. Shifting to DevSecOps became an obvious requirement.

Hence, the company decided to integrate automated security testing practices into the software engineering cycle and run a holistic software vulnerability management process. The whole idea is to reduce the security risks and keep the required Time-To-Market for constantly evolving digital products and services. For this purpose, the company should quickly and reliably perform various application security processes such as static code analysis, open-source components analysis, container analysis, and dynamic application security testing.

With the increasing complexity of DevOps infrastructure and application release frequency, it is impossible to perform these processes manually. The customer then decided to introduce Application Security Testing (AST) tools and use an Application Security Testing Orchestration platform to implement DevSecOps.

The customer’s software security team did not have sufficient experience in security processes automation. As a result, one of the requirements was to provide consulting on implementing effective automated security processes and corresponding metrics.

The customer selected the Maverix platform following the defined requirements.

The software security team conducted a Proof of Concept. One of the applications was onboarded to Maverix to test the platform’s capabilities. The convenient centralized management of the AST tools enabled smooth integration into the existing software development process. The PoC demonstrated transparent defect management and AI-based algorithms for security issues analysis.

The customer decided to onboard the most critical 30 applications upon completion of the PoC.

A series of onboarding meetings with development teams helped integrate Maverix and security testing practices into the software development cycle for each team. In most cases, the integration was completed within a one-hour screen sharing with Maverix engineers.

Maverix provided a single interface to manage all stages of security testing and set up security quality gates. The DevSecOps processes were fully automated.

Onboarding was successful, and Maverix demonstrated the results of security testing practices implemented to the software security team in the next release. Besides, Maverix precisely triaged security issues for each application by leveraging its AI capabilities. Their resolution status was updated automatically after each release. The software security team was able to prioritize these issues and remove false positives with the help of Maverix’s AI algorithms. The security team appreciated the easy way to deliver the security defects to developers using Jira and YouTrack.

Developers’ feedback was also positive primarily because they could receive security bugs directly to Jira and YouTrack as tickets instead of long reports in pdf format. They were happy to see that the Maverix platform didn’t slow down the software engineering cycle.

The management team received metrics to track the application security status and progress on the company level.

With the Maverix implementation, the application’s Security Risk Density decreased by 43% within the first year. The Security Technical Debt decreased by 35%. It also helped keep Time-To-Market at the target level.

There were no delays with application releases raised by the software security team. Management, development teams, and the security team noted significant improvements in the software delivery processes and software products quality. The quick and centralized implementation of security practices enabled these improvements.