Case Study

How Juniper Commerce Grew During the Pandemic by Building a Culture of DevSecOps

Summary of Outcomes

Juniper Commerce needed an application security tool that would reduce false positives and automate testing so the development team could scale in size, release multiple apps multiple times a day, and quickly bring a secure product to market.

● With Qwiet preZero, the team now automatically scans 100% of their pipeline runs for code and dependency vulnerabilities

● With Qwiet preZero, the team saved eight sprints worth of developer time upgrading open-source packages for security issues

● Relying on Qwiet preZero, the development team scaled as the company grew 10x without needing a dedicated cybersecurity engineer

● All applications monitored by Qwiet preZero were confirmed to be secure by a third-party, DAST-enabled audit

Customer Background

Juniper Commerce is a wholly-owned subsidiary of International Market Centers (IMC) formed in January 2020 to focus on digital innovation. The parent company, IMC, matches wholesalers with retailers in the furniture, gift, and apparel markets. IMC owns and operates 20 million square feet of showroom space in Atlanta, Las Vegas, and High Point, North Carolina. In a typical year, 250,000 buyers would visit these showrooms in person to meet with reps and purchase inventory. When COVID hit in early 2020, all of this activity was disrupted. The mission for Juniper Commerce was to reconnect these buyers and sellers and enable them to purchase wherever they want, whether online, on the road, or back at the physical markets once commerce returned to normal. The new circumstances required remote purchasing, but personal relationships between buyers and sellers were still integral to the business. Buyers needed to connect with the reps they had grown to trust, and sellers needed to be credited for the work they did helping customers curate the right brands for their businesses. Both parties were users of the platform, and all of the elements of physical, in-person relationships had to be encapsulated in the experience.

Establishing Culture Under Pressure

Jason McCain joined Juniper Commerce as Head of Infrastructure and DevOps in March 2020, just as the lockdown started. It was his responsibility to create the foundation that would allow developers to build the digital platform that would restart IMC’s business. He was drawn to the company by their CTO, Max Fraser, whose focus on fit and culture matched his own values. “Max is a developer. He understands the work and knows what the pressure can feel like,” says Jason. Early on, the engineering team focused on the people, processes, and tools that would drive development. “From the beginning, we wanted to get our client success teams and our developers involved,” says Jason. “To be successful we couldn’t have people saying ‘the leak is on your side of the boat, it’s your problem.’ Everybody needed to recognize we were all in the same boat.” Building team spirit required particular effort when it came to security. About 30% of Jason’s day-to-day work involves handling application, infrastructure, and information security. But the effort carries baggage with some parts of the team. “Security management tends to be maligned by developers and DevOps,” says Jason. “There are lots of unfunded edicts that come out of Security.”

“The decision to go with Qwiet AI was really about cutting down false positives. If I want to turn a security finding into a conversation with the developer, I can’t have 6,000 of those a month.”

JASON MCCAIN, HEAD OF INFRASTRUCTURE & DEVOPS

Jason wanted to democratize security decisions so that the entire team would buy into the value of securing the application. He thinks it is important to give developers a voice so that learning and decision-making can go both ways. “Very rarely do developers get a chance to say, ‘oh that’s a false positive, let me walk you through how it works’,” says Jason.

This dynamic not only frustrates developers, but it keeps security managers from understanding what the developers are actually building. The manager may understand the basics of AppSec, like the OWASP Top Ten, but they don’t always understand the structure of the application they are defending.

According to Jason, building this kind of culture imposes certain requirements on tooling. “The decision to go with Qwiet AI was really about cutting down false positives. It is important to discuss security findings with the devs if you want them engaged and fixing quickly, but I can’t have thousands of these conversations a month.”

The Path to Fewer False Positives and Better Collaboration

After performing their first security audit, the team realized they were lacking visibility in AppSec. Despite having security tools in place that generated more alerts than the development team could address, they still needed better awareness of open source code being used by the developers and were advised to add software composition analysis (SCA) and upgrade their static application security testing (SAST) tool.

Two goals were important to Jason when looking at new solutions. The first was to reduce false positives so he could build a culture of inclusion between developers and security. The second was to automate fast, repeatable scans that would fit into the cloud-native development process Juniper Commerce was creating.

To choose the right platform, they worked down to a shortlist of vendors and ran a bake-off against their current tooling using a legacy repo that they knew had vulnerabilities.

It did not take long for Qwiet AI to stand out from the competition. “The thing that jumped out at me the most was seeing attacker reachability,” says Jason. The team had a baseline of what to expect from their current tool. They knew what it would find and how it would present results. When they scanned the repo, their current tool returned around 800 critical issues, and the competitor returned around 700 critical issues. Qwiet AI detected as many issues as the other tools but prioritized fewer than 40 as critical. “It blew my mind. There was a huge difference in the number of critical findings we were seeing in Qwiet AI. When I looked at it closely, I realized it was focused on attacker reachable vulnerabilities.”

Unique to Qwiet preZero is the ability to see if both open-source CVEs and custom code vulnerabilities are attackable. The term “attackable” is short for “attacker reachable,” meaning there is evidence of a dataflow that proves an outside attacker can find and reach the vulnerability in order to exploit it. To create this evidence, Qwiet AI traces the path of data as it “flows” through your application. It tracks where data enters the application, called “sources,” and where the application uses the data, called “sinks,” to understand whether parts of the code could become security issues.

Jason and his team vetted the results from the other tools to understand the difference in quality. “Some of them really took us down rabbit holes,” says Jason. In the competing tool, the top critical vulnerability turned out to be in an unused package that was included in a nested project. “When we finally realized what it was pointing us to, we could see it was not reachable in our code whatsoever. All I could think was ‘how much of a developer’s time would that have wasted?’”

Automation as a Guiding Principle

The other test for Qwiet AI was whether it would fit in with Jason’s plans for the CI/CD pipeline. When he joined Juniper Commerce, he decided to focus on improving automation. The company already had generic pipelines set up but he wanted to leverage the 90 years of experience across his team to make them even better. “I sat down with my team and did product discovery on our pipelines,” says Jason. “We listed the things we wanted and the things we would avoid. Our key goal was that our processes would not be an impediment to the development teams or the business interests of customers.”

This thinking led the team to conclude that security must be part of the pipeline templates. It was in the interest of their customers and it was something they would inevitably deal with, so it had to be part of the automation. “We just decided that security was going to be the default, there’s no escaping it,” says Jason.

Qwiet AI’s CI/CD integration and fast scan times provided the performance Jason required. “From the moment a developer checks in a feature branch, I want to know if there is a security issue. Today, we are doing about 70 pipeline runs per day, and every single one of them is scanned by Qwiet AI.”

Democratizing Security

While DevSecOps is greatly enabled by automation, it does not mean it is a “set it and forget it” process. The low false positives and automated pipeline foster the culture Jason was looking for but, as he knew from the beginning, he has to play an active role to maintain it. Developers still come to him with large projects they feel are ready for deployment only to find there are critical vulnerabilities that they need to go back and fix. Despite an occasional back and forth with the developers, Jason’s team has been able to hold the line. “As long as there’s no ‘out’ and we emphasize the policy is here to stay, people come around and fix the issues,” says Jason.

Because the process is built around Jason’s intent to democratize security, it is far from contentious. “Some of the best security conversations I’ve ever had in any company come from sitting down with a developer who wants to review a critical issue with me,” says Jason. “My team takes that as an opportunity for a conversation and we sit down with the Dev and ask them to take us through the functionality they are building step by step.”

This process fosters two-way information sharing regardless of the result. Sometimes the developer comes around and sees that the issue is legitimate. Sometimes Jason’s team comes to understand what the developer is doing and realizes that, based on how the code handles the data, the issue is harmless and can be ignored. While the conversation is always driven by managers with good intent, it is facilitated by the tool. “Qwiet AI definitely points us in the right place,” says Jason. “We typically use the repo links and just start going through the code. But when there’s contention over a tricky issue, we take a closer look at the dataflow and point to that.”

Qwiet AI as a Partner for DevSecOps

Qwiet AI turned out to be the tool Jason’s team needed to release secure code at scale in a dynamic environment. Juniper Commerce has grown dramatically since the beginning of the pandemic. Jason was employee number 30 and today the company numbers 275 people with more growth ahead. The development team was expected to reach 50 engineers but numbers around 75, filling out 12 teams. “We were moving too fast, growing too quickly to dedicate a person or two to just reviewing the validity of findings,” says Jason. “Qwiet AI didn’t slow us down, and gave us the level of competence we needed without turning code security into a part-time job.”

The large reduction in false positives that came from using Qwiet preZero turned into huge efficiency gains for the team. For open-source vulnerabilities alone, the team avoided around 8 sprints worth of remediation time over the course of the year. Of the hundreds of open-source packages that contained CVEs and would have required a manual upgrade, only around 3% were shown by Qwiet preZero to be reachable by attackers. The rest posed no exploitable risk in the context of the application’s architecture. For example, this includes packages whose vulnerable functions only ever received developer-controlled inputs and therefore could not be exploited from external input.
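The source-to-sink dataflow idea described in the “attacker reachable” section above, together with the two cases this case study mentions (a dangerous function in a nested package that is never called, and a flawed dependency that only ever receives a developer-written constant), as an added Python example. This is illustrative code written for this page, not Qwiet preZero’s implementation; the statement format, the toy program, the function names (`handler`, `build`, `unused_pkg.dangerous`, `yaml_lib.load`) and the sink labels are all constructed assumptions.

```python
"""Source-to-sink reachability over a small dataflow graph.

Added illustration of the "attacker reachable" idea. Not a vendor
implementation: the program representation, the toy program and the sink
labels below are constructed for this example.
"""
from collections import deque

# Constructed toy program. Each function lists its parameters and a body of
# simple statements:
#   ("assign", dst, src)      dst receives the value of src
#   ("const", dst, literal)   dst receives a developer-written literal
#   ("call", callee, [args])  args flow into the callee's parameters, in order
PROGRAM = {
    # HTTP handler: a request parameter flows straight into a query.
    "handler": {"params": ["req"],
                "body": [("assign", "q", "req"), ("call", "db.query", ["q"])]},
    # Startup code: a dependency with a known flaw is called, but only with a
    # developer-controlled constant, so there is no external input to abuse.
    "build": {"params": [],
              "body": [("const", "cfg", "config.yaml"),
                       ("call", "yaml_lib.load", ["cfg"])]},
    # A dangerous function in a nested package that nothing ever calls.
    "unused_pkg.dangerous": {"params": ["path"],
                             "body": [("call", "os.system", ["path"])]},
    # Sinks (library functions); their bodies are not modelled.
    "db.query": {"params": ["sql"], "body": []},
    "yaml_lib.load": {"params": ["text"], "body": []},
    "os.system": {"params": ["cmd"], "body": []},
}

# Functions whose parameters an outside attacker controls (the sources).
ENTRY_POINTS = {"handler"}

# Functions whose first parameter is dangerous if attacker-controlled (sinks).
SINKS = {
    "db.query": "sql-injection",
    "yaml_lib.load": "unsafe deserialization in a dependency",
    "os.system": "command-injection",
}


def build_dataflow_graph(program):
    """Return {node: [successors]} where a node is (function, variable)."""
    graph = {}
    for func, spec in program.items():
        for stmt in spec["body"]:
            kind = stmt[0]
            if kind == "assign":
                _, dst, src = stmt
                graph.setdefault((func, src), []).append((func, dst))
            elif kind == "call":
                _, callee, args = stmt
                params = program[callee]["params"]
                for arg, param in zip(args, params):
                    graph.setdefault((func, arg), []).append((callee, param))
            # "const": a literal is not attacker data, so it creates no edge.
    return graph


def triage(program, entry_points, sinks):
    """Split sinks into attacker-reachable (with a witness path) and not."""
    graph = build_dataflow_graph(program)
    sources = [(f, p) for f in entry_points for p in program[f]["params"]]
    parent = {s: None for s in sources}      # BFS tree, also marks visited
    queue = deque(sources)
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)

    reachable, unreachable = {}, []
    for sink in sinks:
        target = (sink, program[sink]["params"][0])
        if target in parent:
            path, cur = [], target
            while cur is not None:           # walk back to the source
                path.append(cur)
                cur = parent[cur]
            reachable[sink] = path[::-1]
        else:
            unreachable.append(sink)
    return reachable, sorted(unreachable)


if __name__ == "__main__":
    hits, quiet = triage(PROGRAM, ENTRY_POINTS, SINKS)
    for sink, path in hits.items():
        trail = " -> ".join(f"{f}.{v}" for f, v in path)
        print(f"PRIORITISE {sink} ({SINKS[sink]}): {trail}")
    for sink in quiet:
        print(f"defer {sink}: no dataflow from an attacker-controlled source")
```

Running it prioritises only `db.query`, with the witness path `handler.req -> handler.q -> db.query.sql`, and defers the other two sinks: `yaml_lib.load` because its only input is a literal, `os.system` because the package that calls it is never reached. The caveat for any tool built on this idea is that the result is only as good as the source and sink model: an entry point missing from `ENTRY_POINTS` silently turns a real issue into a deferred one, so the list of sources deserves review whenever a new framework, message queue or file input is introduced, and a deferred dependency CVE still needs re-checking when the code that calls it changes.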

Qwiet AI was a steady partner throughout this time. “Some of the folks at Qwiet AI are legitimately the smartest people I’ve interacted with,” says Jason. “Any time we run into an issue we have a huge level of confidence that it’s going to be figured out.” In fact, Jason only recently hired his first cybersecurity engineer, a year after onboarding Qwiet AI. “We had oversight, tasks, and tools in place, and that consistency was how we got where we are today,” says Jason. “For full validation, we recently had an external audit of the new software development platform that we’re building. The third-party pen test, using DAST, confirmed Qwiet AI’s assertion that there were no issues in the apps it monitored. That really raised our confidence in the tool.”

Despite all of this success, Jason is looking to improve the DevSecOps culture even further. “I’ve seen Devs who are proud that they have 85% line coverage on their unit tests, there are no warnings in their code, and everything compiles immaculately with only six bugs, and they are proud of it. But I want security to be right there as well, with that same pride of ownership. That’s the kind of culture we’re driving for.”

About Qwiet AI

Qwiet AI empowers developers and AppSec teams to dramatically reduce risk by quickly finding and fixing the vulnerabilities most likely to be reachable in their applications, while setting aside reported vulnerabilities that pose little risk. Its accuracy lets developers focus on the security fixes that matter and improve code velocity, while enabling AppSec engineers to shift security left. A unified code security platform, Qwiet preZero scans for attack context across APIs, open-source software, internal microservices, and first-party business logic by combining the results of the company’s next-generation static analysis (NG SAST) and intelligent software composition analysis (SCA). Using its graph database, which combines code attributes and analyzes actual attack paths based on the real application architecture, Qwiet AI then provides detailed remediation guidance within existing development workflows and tooling.
