One of America's leading home security companies wanted to review its DevSecOps pipeline to remediate potential security issues. Modus Create's team of security and DevSecOps experts executed a strategy for shifting left, i.e., incorporating security earlier in the SDLC, using GitHub Advanced Security. The engagement reduced the risk of cyberattacks and minimized the frequency of costly hotfixes and re-releases.
Our Work Involved
- License Management
- Onboarding Assistance
- Defining the Triage Process
- Enabling GHAS Features
- Adding CodeQL Files to Existing Repositories
- Branch and Pull Request Configuration
Impact
- Reduced Risk from Cyberattacks
- Reduction in Hotfixes and Re-releases
- License Discounts on GitHub Subscriptions
- New Security Capabilities — SAST, Secrets Scanning, and Dependency Scans
2 GitHub Organizations Reviewed
70 Engineers Onboarded
Our client, a leading home security company, protects the homes of over one million Americans. It is only fitting that they take a proactive approach to their IT security.
Modus Create had earlier performed a security assessment for the firm, which strengthened their overall security posture and resulted in cost savings of $4,000 a day.
Now, the client wanted to review its DevSecOps pipeline, identify gaps, and take steps to remediate potential security issues. It wished to reduce the time spent on costly re-releases, while minimizing the threat of cyberattacks due to poor code quality.
Modus Create’s team of security and DevSecOps experts joined the client team to conceive and implement the best approach to incorporate security earlier in the development process.
Why GitHub Advanced Security?
After a thorough DevOps assessment and reviewing several options, our team recommended securing CI/CD pipelines with GitHub Advanced Security because:
- The client’s engineering teams were heavily invested in GitHub Enterprise and had been actively migrating projects into it.
- The client was building out existing CI/CD pipelines using GitHub Actions, so many of their team members were already familiar with using GitHub to drive DevOps processes.
- GHAS provides a best-in-class feature set for injecting security into the CI/CD process: secret scanning across repositories, SAST scans across repositories, and dependency scans that identify vulnerable packages.
The Process
Two cybersecurity experts from Modus Create joined the client's team to expand their adoption of GitHub and GitHub Actions for CI/CD processes, and to couple pipelines and code repositories with GitHub Advanced Security (GHAS).
We worked closely with GitHub’s sales associate to support the client's subscription. With licenses purchased, it was time to focus on the implementation.
In just a few weeks, the team completed the entire process of enabling GHAS — determining the ideal team structure for license management, planning the rollout & onboarding, defining the triage process, adding configuration to repositories, and branch & pull request configuration.
Impact of the Engagement
The client acquired several new security capabilities as a result of embracing GHAS: secret scanning across repositories by default, Static Application Security Testing (SAST) scans across repositories for the key language, and dependency scans that identify vulnerable and out-of-date packages. These new capabilities strengthened the client's DevSecOps culture and helped secure its CI/CD pipelines. With improved visibility, our client can now minimize costly hotfixes by remediating security issues earlier in the process. They are also in a better position to prevent exploitation by bad actors.
If you plan to roll out GitHub Advanced Security and modernize your DevSecOps process, reach out to Modus Create to see how we can help. Check out this blog for a detailed overview of enabling GitHub Advanced Security.