At Thoughtstar, fixing security vulnerabilities was a slow process and was always someone else's problem. Creating automated testing tools and remediation plans was too hard. Thoughtstar's infrastructure and applications needed an upgrade, and the company had to transition to DevSecOps or fall behind.
For a large company like Thoughtstar, transforming to a DevSecOps environment was never going to be easy, so it was important to start with a low-risk product. They needed to do it well, quickly and securely.
With PWSLab, security is embedded into the development workflow: developers get feedback on the security of their code as they work and can remediate in real time, which frees up the security team to focus on monitoring issues, assessing risk, and solving vulnerabilities that cannot be fixed by the developer. By continuously testing even small, incremental code changes, an avalanche of work at the end of the SDLC is avoided.
Using PWSLab, every merge request is automatically tested with static application security testing (SAST), dynamic application security testing (DAST), dependency scanning, container scanning and license management, so vulnerabilities are captured efficiently as a by-product of software development.
PWSLab can be integrated via API with vulnerability scanning tools such as SonarQube for infrastructure and web application scanning. Real-time correlation of active threats against identified vulnerabilities helped identify the following:
- What assets are subject to known exploits
- Any new threats that may pose an immediate risk to the business
Thoughtstar began by adding security to the organization's language and culture and by changing its internal security ethos. For real success, however, Thoughtstar engaged stakeholders, added security skills to developers and business skills to security professionals, all of which built and increased trust.
Thoughtstar also added penetration testing to their DevOps process so developers could quickly fix security vulnerabilities and produce clean, secure code. They educated and empowered their team, focused on security engineering, business risk assessments and threat modelling, and built static application security testing into their pipeline, which made a huge difference in roll-out speed.
Since launching DevSecOps, Thoughtstar's vulnerability remediation times are down and the team is moving forward with implementing DevSecOps across the organization.
The benefits PWSLab DevSecOps brings to companies that embrace it are numerous, including cost reduction, speed of delivery, speed of recovery, compliance at scale, and threat hunting. The cumulative effect of these benefits is an enhanced business reputation for Thoughtstar and a smoother business model. Thoughtstar successfully removed the barriers between DevOps and Security, helping them work as one towards the enterprise business goals without friction.