Financial Services Organization Secures Money Management Platform with Oligo
Goals
- Align security findings to tangible risk
- Shorten the time it takes to find, prioritize and fix vulnerabilities
- Reduce friction between security and development teams
The Oligo Difference
- 98% reduction in time it takes to analyze and triage a vulnerability, down from approximately 2 hours to 1-2 minutes
- Better alignment between security and development teams
- Improved protection against both known and unknown vulnerabilities
Goal: Drive Efficiency for Security and Engineering
For a leading financial services company, the security organization aims to support the full product life cycle from initial idea to production. The company’s head of product security, a Senior Staff Security Engineer, structures the program to best align security and engineering needs, while allowing both departments to operate with velocity and precision. This means implementing robust security controls and protections in a way that empowers engineering to deliver cutting-edge features.
The Challenge
The company notes that a core challenge in maintaining this balance is ensuring that security and development teams have aligned incentives and understand how to work best together. In the past, they have seen security teams that find vulnerabilities and tell developers to fix them, without context on why those fixes should be prioritized. This creates a level of friction between the two departments that is difficult to resolve, as security is giving orders rather than functioning as a partner.
Another aspect that they wanted to improve was the speed at which the team could find, prioritize and fix vulnerabilities. Traditional AppSec tools rely heavily on manual work, with teams often spending hours analyzing just a single dependency to verify a potential exploitation path. To cut this down, the company knew they had to adopt a solution that would drive efficiency in finding, prioritizing and fixing vulnerabilities.
The leading financial services organization needed a solution that could:
- Tie security findings to business risk by prioritizing vulnerabilities that are actually exploitable within applications.
- Significantly reduce the noise that comes with traditional AppSec tools to make security efforts more efficient and precise.
The Oligo Solution
To achieve these goals, the company deployed the Oligo platform. Oligo was chosen for its ability to provide end-to-end application visibility through real-time monitoring and context-aware analysis, detecting vulnerabilities that are actually in use and prioritizing fixes based on real runtime usage.
In addition, Oligo’s deep insight into running applications enables its solution to identify and neutralize active exploits as they occur, providing organizations with defensive capabilities against both known and unknown vulnerabilities. As a result, security and development teams can focus exclusively on the vulnerabilities that matter, with the assurance that unpatched or unknown attack vectors have mitigating controls in place.
Speed and Visibility
Previously, AppSec at the company required an intense amount of manual labor. For example, prior to implementing Oligo, the security team was trying to prioritize vulnerabilities with traditional static SCA tools. It took them approximately 2 hours to analyze one dependency, which was not feasible. The team then moved towards EPSS as another prioritization factor. This provided a reasonable, initial pathway through the noise but still missed the key factor of reachability.
Because Oligo provides visibility into which vulnerable dependencies are actually used in production, the team was able to bring the time to analyze and triage each vulnerability down from 2 hours to only 1-2 minutes.
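As an added illustration (not Oligo's code or algorithm), the following Python sketches the triage progression described above: ranking SCA findings by EPSS alone, then by EPSS combined with runtime reachability evidence. The findings, advisory ids and reachability weights are constructed assumptions.

```python
# Added example: EPSS-only triage versus EPSS plus runtime reachability.
# Sample findings, advisory ids and weights are constructed, not real data,
# and the weighting is an illustrative assumption, not any vendor's method.
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    package: str            # dependency carrying the advisory
    advisory: str           # constructed placeholder id, not a real CVE
    epss: float             # EPSS probability of exploitation, 0..1
    loaded_in_prod: bool    # library was loaded by a production process
    vuln_fn_executed: bool  # the vulnerable function itself ran at runtime


# Constructed output of a static SCA scan enriched with EPSS lookups.
SAMPLE_FINDINGS = [
    Finding("legacy-xml-parser", "ADV-0001", 0.92, loaded_in_prod=False, vuln_fn_executed=False),
    Finding("http-router",       "ADV-0002", 0.35, loaded_in_prod=True,  vuln_fn_executed=True),
    Finding("image-resizer",     "ADV-0003", 0.60, loaded_in_prod=True,  vuln_fn_executed=False),
    Finding("dev-only-mocks",    "ADV-0004", 0.80, loaded_in_prod=False, vuln_fn_executed=False),
]


def rank_by_epss(findings):
    """Baseline triage: EPSS only, highest probability first."""
    return [f.advisory for f in sorted(findings, key=lambda f: f.epss, reverse=True)]


def reachability_weight(f):
    """Illustrative weighting (assumption): executed > loaded > never loaded."""
    if f.vuln_fn_executed:
        return 1.0
    if f.loaded_in_prod:
        return 0.5
    return 0.0  # no runtime exploitation path observed in production


def rank_by_epss_and_reachability(findings):
    """Triage with runtime evidence: unreachable findings sink to the bottom."""
    ranked = sorted(findings, key=lambda f: (reachability_weight(f), f.epss), reverse=True)
    return [f.advisory for f in ranked]


def triage_queue(findings):
    """Split into an SLA-bound queue (runtime evidence) and a deferred list."""
    ranked = sorted(findings, key=lambda f: (reachability_weight(f), f.epss), reverse=True)
    actionable = [f.advisory for f in ranked if reachability_weight(f) > 0]
    deferred = [f.advisory for f in ranked if reachability_weight(f) == 0]
    return actionable, deferred
```

Run against the sample set, the two highest-EPSS findings are never loaded in production and drop out of the developer queue, which is the noise reduction the text attributes to reachability.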
Results & Benefits
The product security team has seen significant benefits across both the security and engineering organizations since placing the Oligo platform at the core of its product security program.
Alignment of Vulnerabilities to Real Risk
Oligo’s platform has fostered better collaboration and partnership between security and engineering teams, as Oligo makes it seamless to deliver trusted results to developers. Rather than simply flagging problems, the security organization can now show why a specific issue needs to be fixed, based on evidence of a library’s runtime execution.
“Previously, more than half of our SCA findings were going out of SLA, and with Oligo, we’re down to a very small percentage. It’s an incredible testament to showcase that engineering really does care about vulnerabilities, as long as they know the problem is tied to real risk.” - Senior Staff Security Engineer, Financial Services Organization
Zero-Day Response
Another aspect that has been critical for the company is Oligo’s unique ability to identify and respond to zero-day vulnerabilities. Previously, when a zero day was announced, they had to manually find impacted dependencies, figure out which ones were actually exploitable, and prioritize accordingly.
With Oligo, the security team can simply look up the vulnerability within their environment, show proof of exploitability for certain dependencies, and orchestrate remediation efforts. The removal of the manual processes required for prioritization has enabled the company to apply focus to urgent problems. On top of this, Oligo’s Application Detection and Response (ADR) capabilities allow the security team to continuously profile the behavior of application components to detect anomalies and respond to malicious actions, protecting the environment from vulnerabilities lacking a CVE identifier.
“Oligo has given us peace of mind, allowing us to shift the internal security focus away from open-source software. If something does go wrong, we know that Oligo is going to catch the anomalous behavior and alert us to respond promptly.” - Senior Staff Security Engineer, Financial Services Organization
Ultrafast Deployment
According to the organization, the Oligo deployment process was seamless and easy, leading to immediate value. Oligo was rolled out, and they achieved full coverage in their lower environment in a day, then moved it up to production after some testing.
Engineering Efficiency, Cost Savings, and Smaller Attack Surface
Beyond the improved security posture, the benefits of Oligo extend to driving cost savings for engineering. Because Oligo can see which libraries are actually used by applications in production, the company was able to identify opportunities to remove unused libraries, leading to reduced artifact storage costs, transfer costs, and build time. This can significantly drive down the operational cost per pull request as the organization continues to scale, and it minimizes the organization’s overall attack surface.
“What’s great about Oligo is that all of our expectations have been not just met, but blown out of the water when it comes to identifying what’s exploitable and executed in our environment.” - Senior Staff Security Engineer, Financial Services Organization
Why Oligo?
Built to Defend Modern & Legacy apps
Oligo deploys in minutes for modern cloud apps built on K8s or older apps hosted on-prem.