The Operating Environment:
Inspectiv, a cloud-native technology company, utilizes Kubernetes-native infrastructure deployed on AWS. Its microservices architecture blends custom code elements with open-source components.
- Abundance of Non-Relevant App Vulnerabilities: The Inspectiv team needed an efficient, non-manual way to validate which vulnerabilities were actually exploitable and posed immediate risk. Many findings were potentially exploitable, but only a subset affected code and software packages that were actually loaded at runtime and reachable by unauthorized users. Their security testing setup had no runtime analysis capability and depended heavily on manual validation.
- Inefficient Use of Development Resources: Despite deploying previous solutions in the development environment, the security team had limited ability to assess immediate risk, guide prioritization, and communicate effectively with developers.
- Limited Application Security Control: The existing solutions were not designed for Kubernetes and microservices-based applications, leaving the security team with limited visibility and largely manual security controls. Without a clear view of the application's current structure, its risk score, and its most critical vulnerabilities, updated with every commit, manual review was required.
The Solution: Oxeye
Inspectiv implemented Oxeye’s Application Security platform. Within a couple of minutes of deployment, Oxeye mapped the applications and provided a shortlist of the most critical custom-code and open-source vulnerabilities: those loaded in memory and accessible from the internet. Oxeye also provided a continuous SBOM detailing all services, packages, versions, authors, etc. Its Jira and Slack integrations streamlined the developer workflow and automatically supplied developers with vulnerability details and remediation guidelines, while its policy engine allowed Inspectiv to create customized reporting policies to suit its needs.
Inspectiv’s development team can now focus on rapidly developing their application while maintaining a high standard of security. Simultaneously, the security team can effectively assess and control application risk at any given time.