How to implement DevSecOps process with Maverix for startup company

Overview

Maverix can be recommended as a DevSecOps platform for startup companies with relatively small software development teams.
The company's revenue grew, due in part to the increased security of its applications. Security is an important factor when deciding whether to use external services.

Introduction

OneForce Inc., headquartered in Bellevue, Washington, USA, is an intelligent software company specializing in knowledge work automation. It has operations around the globe. This startup created the next generation BrainCore cognitive technology that leverages deep learning and natural language processing algorithms. In the few years of its existence, OneForce Inc. developed two innovative products – SmartLeads and Viable. SmartLeads is a BrainCore-powered demand generation service that identifies the most relevant potential buyers and engages them via omnichannel outbound marketing campaigns. SmartLeads introduces the first-ever AI Robot for lead generation, Adelia, a breakthrough marketing automation solution that substantially boosts revenue. Viable is a BrainCore-powered recruitment service that manages the hiring process to identify the best-fit candidates and schedule interviews.

The customer's software delivery organization has 40+ developers responsible for the rapid growth of business application functionality, covered by DevOps processes. The software engineering toolchain includes GitHub, Jenkins, and Jira.

Challenges

OneForce Inc. is an IT company using cutting-edge technologies. Understanding the importance of application security, the customer pays special attention to it. However, as a startup, OneForce Inc. does not have enough expertise to define and implement a security strategy. The right approach in this situation is to find a company that can offer a comprehensive solution, from initial consultation to implementation. Among other options, the company turned to Maverix Inc. to evaluate the existing solution.

Solution

Maverix Inc. advised the customer to choose a stable solution that takes full advantage of the combination of different Application Security Testing (AST) tools and the ASOC platform. The ASOC platform serves as a single window for managing DevSecOps processes. Maverix Inc. proposed the Maverix platform and several AST tools for practical implementation of the stable solution. The AST tools are Checkmarx for SAST, Netsparker for DAST, Sonatype Nexus IQ for open-source component control, Clair as an open-source tool for container security, and Aqua for cloud security, since the customer deploys its digital products on Amazon Web Services.

Thus, Maverix provided the customer with an umbrella-type turnkey solution.

After successfully evaluating the solution with trial licenses, OneForce Inc. decided to implement the proposed approach. The customer was impressed with Maverix’s easy onboarding process, smooth integration with existing DevOps processes, and great support from the Maverix team. Most importantly, the proposed approach identified a sufficient number of security problems in the existing versions of the products during the first week of operations. The company management got meaningful DevSecOps metrics to understand the application security status of deployed digital products.

Results

In a short time, the customer received an efficiently working and fully functional DevSecOps platform. It allowed the customer to identify existing application security issues and start fixing them systematically. OneForce Inc. incorporated application security practices into the software engineering cycle for each product. One of the senior software engineers took on the role of security champion. The development team received all security defects in Jira and started to fix them in order of priority. After several months, the company had fixed all critical and almost all high-priority security defects. The company management tracked progress using a set of metrics provided by Maverix.

Today, the OneForce Inc. applications are scanned for security issues regularly. Security Technical Debt is getting smaller. The team has a clear understanding of DevSecOps processes.

The transition from DevOps to DevSecOps was quick and successful.