The client is a leading provider of risk, compliance management and analytical solutions for the financial services industry. They have more than a decade of experience in solving complex risk and compliance issues in major banks and financial services organisations across the world.
Our security team was asked to help implement DevSecOps into the client's pipeline. After running the vulnerability scan tools, the results were automatically collected by Orchestron and correlated.
To the alarm of developers at the client organization, we discovered over 700 unique vulnerabilities in their application systems. It would be very difficult and time-consuming to individually remediate each and every one of them. If they decided to go ahead, it would cause a total logjam in their DevOps pipeline until they cleared out enough vulnerabilities to resume development.
Instead, the client asked the Orchestron team to create a list of the highest-priority vulnerabilities so they could focus on fixing those first.
700+ discovered vulnerabilities
Over 300 unused libraries
80% of vulnerabilities from libraries
What the client wasn't aware of at the time was a key flaw in their development methodology. Any library they imported into their platform remained in the application, whether or not it was still in use. Unused libraries never got deleted.
Over the years, they’d accumulated nearly 300 libraries in their application, the majority of which they weren’t even using. In fact, the libraries weren’t connected to any part of the application, but remained in the system as dead weight.
The 700+ vulnerabilities Orchestron was reporting came largely from these unused libraries. Over 80% of them, to be exact.
With the help of data from Orchestron, our security team was able to pinpoint every redundant library in the platform. This allowed the client's developers to systematically purge them.
They performed two rounds of 'spring-cleaning'. After the first round, the number of vulnerabilities decreased by a staggering 85%. By the time we were done, our Orchestron dashboard showed fewer than 20 vulnerabilities.
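The triage described above, cross-referencing the libraries an application declares against the ones its code actually imports and then separating scanner findings into "fix by removing the dependency" versus "fix by patching live code", can be reproduced with a short script. The following is an added illustration and is not Orchestron's code or the client's: the manifest, source files and findings are constructed inline, and the distribution-to-module mapping is an assumption (real manifests need a real mapping, since a package such as PyYAML imports as `yaml`).

```python
"""Added example: find unused dependencies and attribute scanner findings to them.

Not Orchestron's code. All inputs below are constructed for the illustration.
"""
import ast

# Constructed manifest: distribution name -> top-level import name.
# Assumption: the mapping is known; real projects must derive it from metadata.
MANIFEST = {
    "requests": "requests",
    "pyyaml": "yaml",
    "lxml": "lxml",
    "paramiko": "paramiko",
    "jinja2": "jinja2",
}

# Constructed source files, embedded as strings so the example runs offline.
SOURCE_FILES = {
    "app/main.py": "import requests\nfrom jinja2 import Template\n",
    "app/config.py": "import yaml\nimport os\n",
}

# Constructed scanner findings: (finding id, library, severity).
FINDINGS = [
    ("F-1", "lxml", "critical"),
    ("F-2", "lxml", "high"),
    ("F-3", "paramiko", "critical"),
    ("F-4", "requests", "high"),
    ("F-5", "pyyaml", "medium"),
    ("F-6", "paramiko", "low"),
]

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def imported_modules(source):
    """Return the top-level module names imported by a Python source string."""
    mods = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                mods.add(alias.name.split(".")[0])
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            mods.add(node.module.split(".")[0])
    return mods


def unused_libraries(manifest, sources):
    """Distributions declared in the manifest but never imported by any source file."""
    used = set()
    for src in sources.values():
        used |= imported_modules(src)
    return sorted(dist for dist, mod in manifest.items() if mod not in used)


def triage(findings, unused):
    """Split findings into those on unused libraries (close by removing the library)
    and those on live code (patch or upgrade), the latter ordered by severity."""
    unused_set = set(unused)
    removable = [f for f in findings if f[1] in unused_set]
    to_patch = sorted(
        (f for f in findings if f[1] not in unused_set),
        key=lambda f: SEVERITY_RANK[f[2]],
    )
    return removable, to_patch


def reduction_percent(findings, removable):
    """Share of findings that disappear once unused libraries are deleted."""
    return round(100 * len(removable) / len(findings), 1)


if __name__ == "__main__":
    unused = unused_libraries(MANIFEST, SOURCE_FILES)
    removable, to_patch = triage(FINDINGS, unused)
    print("unused libraries:", unused)
    print("findings closed by removal:", [f[0] for f in removable])
    print("findings to patch, highest severity first:", [f[0] for f in to_patch])
    print("reduction from removal alone: %.1f%%" % reduction_percent(FINDINGS, removable))
```

On the constructed input, two of the five declared libraries are never imported, and four of the six findings sit on them, so deleting dead dependencies closes two thirds of the backlog before anyone patches a line of live code. The remaining findings are ranked by severity, which is the prioritised list the client asked for. For a real code base the import scan has to cover every language in the application, and "not imported" is only a strong signal, not proof: libraries loaded by name at runtime or used by build tooling need a manual check before removal.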
Orchestron didn't just help us discover and correlate vulnerabilities in the client's applications. It helped us uncover a fundamental flaw in their development methodology, something they would never otherwise have known about. Over the course of our engagement with them, the client saw a staggering drop in the number of vulnerabilities: from over 700 to fewer than 20. That's a reduction of over 97%!
700 → 20 correlated vulnerabilities
97% fewer vulnerabilities
7 hours saved each week
The client continues to use Orchestron to maintain their DevSecOps pipeline. We regularly monitor their libraries to help them remove ones that aren’t being used, and quickly resolve vulnerabilities when they come up.