Our client is one of the largest insurance providers in Singapore. They offer financial solutions to customers through multi-channel distribution networks, and develop and maintain their own internal applications.
The client's DevOps pipeline consisted of more than 400 different applications. They were running SCA, SAST, DAST and Container scans on a daily basis. With 400+ applications in their pipeline, this amounted to well over 1600 unique scan results generated everyday.
Taken cumulatively, these apps were reporting huge numbers of vulnerabilities. The security team, which consisted of just 8 people, was overwhelmed by the sheer volume of data. One tool in particular, Micro Focus Fortify, had found 1322 vulnerabilities across all their apps. The security and development teams had begun to suspect that the tool itself was faulty.
Locating and resolving these many different vulnerabilities seemed impossible. We were called on to assist the client’s security team in handling the daily flow of tool scan results.
400+ applications being developed
1600 new scan results everyday
1300+ vulnerabilities found by one tool
Our client’s biggest hurdle in smoothly implementing DevSecOps came down to one simple fact: there were thousands of scan results getting generated, but none of it was being organised.
This is the point at which Orchestron was introduced. Our team connected their scan tools to Orchestron, which automatically aggregated the daily scan results and correlated them based on type, category and instance.
The difference was immediately apparent. In the case of results from the Fortify tool, which was reporting 1322 vulnerabilities, Orchestron had brought the number down to just 89. After some digging, it became clear that it wasn’t the fault of the scan tool — Fortify itself was working perfectly fine.
The problem lay in the fact that none of the results were being given context as part of the development environment. Instead, different instances of the same vulnerabilities were being reported individually. When taken across 400+ applications, the numbers became hugely inflated.
Without Orchestron correlating together similar vulnerabilities being repeated across the platform, this issue may never have come to light
After a thorough analysis of the client’s platform, we made a few recommendations:
Instead of resolving issues for every container individually, first secure container base images. It’s often the base images that are most vulnerable, and fixing those will result in most container vulnerabilities getting resolved.
After seeing multiple vulnerabilities repeated across applications, it became clear that they can be largely avoided by training developers. If they’re taught how to prevent common vulnerabilities from creeping in at the development phase, there will be far fewer issues to deal with later on.
After we ran our tests and made our discoveries, the client immediately set about making significant changes to their development pipelines. Using the data provided by Orchestron, they were able to reduce the number of unique vulnerabilities by as much 94%, making for faster and easier remediation for both their security and development teams.
Moreover, by avoiding vulnerabilities at the programming and implementation stages, their developers were regularly saving more than 25% of their time fixing vulnerabilities. This would amount to 7 hours saved per developer every single week. All of this meant they were able to create new builds faster and more efficiently.
94% reduction in vulnerabilities
25% time saved in remediation
7 hours saved per developer every week
Our client continues to rely on Orchestron for far more than just to aggregate and correlate scan results. Our technology lets them gain a deeper insight into the architecture of their development platform, the design of their applications, and the effectiveness of their delivery pipelines.