The client is a leading provider of risk, compliance management and analytical solutions for the financial services industry. They have more than a decade of experience in solving complex risk and compliance issues in major banks and financial services organisations across the world.
They engaged the Orchestron team to help them build applications that were secure from the ground up. Because the client’s development team was building its applications primarily in Java, our team used Find Security Bugs (FindSecBugs), a Java SAST scanner that is natively integrated with Orchestron.
The first thing our security team did was run a complete SAST scan of the source code of all the client’s applications.
After the initial round of scans, we correlated the vulnerability data in Orchestron. The scans had turned up more than 150 source code bugs across the client’s applications.
Under ordinary circumstances, a development team of their size would typically spend around 8 hours every day fixing SAST vulnerabilities, which would severely slow the pace of development and delay new releases by days, if not weeks.
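For readers who want to reproduce the scanning step, the following is an added example of how Find Security Bugs is typically wired into a Java build; it is not configuration from the original case study or from Orchestron. It loads the findsecbugs-plugin into the SpotBugs Maven plugin and restricts reporting to the SECURITY bug category. The plugin version numbers and the filter file name are assumptions.

```xml
<!-- pom.xml fragment (added example, not from the case study).
     Plugin versions below are assumptions; use the current releases. -->
<build>
  <plugins>
    <plugin>
      <groupId>com.github.spotbugs</groupId>
      <artifactId>spotbugs-maven-plugin</artifactId>
      <version>4.8.3.0</version>
      <configuration>
        <!-- Max effort + Low threshold: report every security finding,
             including low-confidence ones, so triage sees the full set. -->
        <effort>Max</effort>
        <threshold>Low</threshold>
        <failOnError>true</failOnError>
        <!-- Only SECURITY-category bugs (the FindSecBugs detectors);
             plain SpotBugs code-quality findings are excluded. -->
        <includeFilterFile>spotbugs-security-include.xml</includeFilterFile>
        <plugins>
          <plugin>
            <groupId>com.h3xstream.findsecbugs</groupId>
            <artifactId>findsecbugs-plugin</artifactId>
            <version>1.12.0</version>
          </plugin>
        </plugins>
      </configuration>
    </plugin>
  </plugins>
</build>
```

The referenced `spotbugs-security-include.xml` holds a single rule, `<FindBugsFilter><Match><Bug category="SECURITY"/></Match></FindBugsFilter>`. Running `mvn compile spotbugs:spotbugs` writes the findings to `target/spotbugsXml.xml`, the report a correlation layer such as Orchestron would ingest, while `mvn compile spotbugs:check` fails the build when any matching finding is present, which is the gate a DevSecOps pipeline wants.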
150 source code bugs found
8 man-hours spent fixing bugs every day
7 unique metadata categories
Orchestron provides 7 different types of metadata, each of which is useful in resolving security flaws, but the one most commonly used to resolve source code vulnerabilities is our Good Code/Bad Code suggestions: paired samples of a flawed pattern and its corrected form. After the SAST scans ran, Orchestron automatically correlated the FindSecBugs results and presented a detailed report to the client.
Using the Good Code/Bad Code samples provided by Orchestron, the client’s development team began systematically fixing their source code flaws. One observation we made at this point was that even when the client’s code bore only a 30-40% resemblance to the Good Code/Bad Code suggestions, the team saved between 2 and 3 hours almost every day. Against the 8 hours a day they would otherwise have spent, this represented roughly a 30% decrease in the time spent resolving SAST vulnerabilities.
Using the insights provided by Orchestron, the client’s development team reduced the number of source code bugs from over 150 to under 30, a reduction of more than 80%. Each developer was saving upwards of 14 hours a week that would otherwise have gone into fixing SAST vulnerabilities.
This wasn’t just a plus for their development schedule; it also meant their applications reached the deployment stage in a more secure state than was previously possible.
150 → 30 source code bugs
80% reduction in SAST vulnerabilities
14 hours saved per developer every week
The client continues to use Orchestron to maintain their DevSecOps pipeline. Our security team assists them with automating SAST scanning in that pipeline, enabling them to resolve the findings much faster using Orchestron’s detailed metadata.