Case Study Highlights
- Enabling developers to resolve security issues early on
- Automating vulnerability scanning within code pull requests
- Implementing DevSecOps without slowing down development
- Gaining enterprise-level visibility into source code and infrastructure as code
- Giving company executives valuable insights into applications security
The Challenge: Enterprise-level visibility into application security
As digital health experiences and data-driven insights are key to Rally Health’s business, they needed to prioritize application security and quality assurance for their software products. While Rally Health already had many security tools in place, these weren’t visible on an enterprise-level and didn’t provide the insights its business leaders needed. The company needed a simple approach for comprehensive application security that their engineers would be willing to adopt.
“No matter whether you’re a small organization starting your journey towards adopting DevSecOps practices or a large organisation with existing programs in place to address application security,” explained DJ Schleen, Senior Manager of Application Security at Rally Health, “one of the things that’s critical is having visibility into your applications, your source code, and the languages that your engineering team uses to develop software.”
The Solution: Solving security problems with engineering effort
Using Snyk, the application security team at Rally Health was able to integrate security seamlessly into engineering workflows. Snyk can natively scan the engineering team’s Git repositories to detect vulnerabilities in both their application source code and infrastructure as code (IaC). By analyzing and validating their code during a pull request, engineers can catch issues early on in their build pipelines to quickly and efficiently action remediation efforts themselves.
“Security is really addressed best when it happens before a merge or commit,” Schleen explained, “so when a developer is committing code and creating a pull request to have their changes merge into the main branch, the security scanning and verification should be happening in that step before the code even gets into the main branch of the repository.”
Application security without slowing down development
With Snyk, Rally Health was able to take an engineering-centric approach to security without slowing down development. The platform’s automated tools can detect security vulnerabilities before code gets merged, so that Rally Health’s IT teams know that, by the time the application gets to staging or production environments, its security has already been validated.
“We wanted to make sure that all the applications flow out to production as fast as possible and with as much security baked in as we could,” Schleen said, “We didn’t want to interrupt the value that’s being delivered to our customers.”
By gaining an understanding of how their engineers work, Rally Health was able to implement security processes and policies that have minimal interruptions to developers. Snyk integrates into their automated CI/CD pipeline and helps prioritize vulnerabilities to accelerate remediation. That way, Rally Health could improve the quality of its software without delaying the time-to-market for innovative features their customers want.
The Impact: Scalable and transparent DevSecOps
The key to Rally Health’s approach to DevSecOps is enabling engineers to detect and remediate security issues themselves. By using a simple solution that integrates with their source code management (SCM) tools, engineers can now take ownership of application security throughout the development cycle. This has allowed Rally Health to scale their DevSecOps approach across numerous code repositories.
The security-related data that Snyk aggregates also gives business leaders, compliance teams, auditors, and other stakeholders visibility into application security. Leaders throughout the enterprise can understand how many vulnerabilities there are, whether issues are trending down, and other KPIs in real-time to make informed business decisions.
“Things we’re doing with some of this data coming out of these systems is getting information to our executives just as fast as we’d expect it to our developers,” stated Schleen. “We’re shifting everywhere, so we can make business decisions on applications security quicker rather than at a delayed rate.”
Since undergoing their DevSecOps transformation, Rally Health can now tie the information they’re gathering to specific security policies and have irrefutable proof that they’re scanning for potential violations. This audit trail is critical for maintaining their compliance with healthcare industry regulations and data privacy laws such as HIPAA and SOC 2 as well.
“The entire idea summarized into one line would be to catch the fish before it reaches the ocean,” Schleen concluded, “We want to catch security defects as far left as we can, similar to how in DevOps we’re catching bugs and issues as far left as we can. This is the true essence of DevSecOps and this is what we’re looking for.”