Sage Deploys Oligo to Cut Vulnerability Backlogs 90% In <1 Hour

The Challenge

Generating Runtime Insights to Prioritize Vulnerability Fixes

At a highly matrixed organization like Sage, application security is a mature program with many
existing security controls.


After four years working as a Senior Application Security Specialist with Sage’s 16 other dedicated AppSec practitioners, Javan Rasokat could see that dependency scan findings were multiplying faster than engineering teams could direct resources to fix them.

“Now that we had all these findings, we needed runtime context and insights to help us find the vulnerabilities that can actually affect us.”

While Dependabot gave Sage a large number of findings in their code base, it couldn’t tell them which vulnerable libraries were even loaded at runtime — much less whether a specific vulnerable function had been executed. This created significant challenges when new vulnerabilities (CVEs) were disclosed, causing alerts without an easy way to determine whether it could represent a real pathway for attackers.


To fight the backlogs (and give engineering and security teams more breathing room), Javan
began searching for a tool that could help him understand whether vulnerability findings
represented real security risks. Because Sage depended on ArmorCode to deliver vulnerability
results from many scanning tools into a single interface, it was critical for any new tool to deliver
results that could be ingested easily by Armorcode to enrich the findings from other tools,
including GitHub Advanced Security.

Mission

Sage exists to knock down barriers so everyone can thrive, starting with the millions of small and mid-sized businesses served by Sage, its partners, and its accountants.

The Oligo Solution

When Javan first heard about Oligo, he was already looking at several Runtime Application Security Protection (RASP) solutions to add runtime context, but quickly realized Oligo’s solution was something altogether different — and better.

“Oligo is very unique in its approach” Javan explained.

“The solution is a new concept, and I think it’s going to change the AppSec market in terms of how we work with applications and services after deployment. Before, we had static dependency analysis in source code. Oligo can show us what dependencies are actually vulnerable in production. And most times the runtime environment looks different from what we scanned in the source code repository.”

Deploying Oligo was simple and fast. “I got the installation scripts – just one YAML file and a readme — and I shared it with our product engineering team. They deployed it within one hour, adding the configuration to their Kubernetes environment without needing any additional support from me or Oligo.”

Javan said results started coming in fast. “One hour after starting the deployment, we already saw the first metrics in the Oligo dashboard, no big effort required.”


Having an ultra-fast deployment time made it easy for Javan and his colleagues to see immediate feedback on their other tools’ results and see the enriched information in the vulnerability management interface they already used.

Results & Benefits

With Oligo up and running, Javan’s team was able to use the Oligo API to enrich existing security findings from other tools.

“In that first rollout, we were able to reduce the number of findings by nearly 90 percent by proving only 10 percent were loaded and executed, so only that 10 percent was exploitable.”

After reducing backlogs rapidly, one of Javan’s biggest goals for Oligo was to save developers time, and he said they’ve definitely achieved what they set out to do: “I didn’t tell the engineering teams that they had to keep it deployed,” he said. “They don’t want to turn it off! They like it. It works so smoothly.”

Javan attributed the developers’ opinion of Oligo to its unique technical capabilities — including its ability to show real data to prove whether libraries and functions are executed at runtime, so they can be confident that non-exploitable findings aren’t relevant to their project’s security.

“This has changed how we work on dependency findings. By saving 90 percent of the work, it means the developers have time to work on other, more important stuff.”

For Sage, implementing runtime controls was one of the AppSec team’s priorities in order to establish security across the entire software development life cycle (SDLC). “Oligo is part of a change in our field where we don’t just look at static code, we now focus on the last step in the SDLC,” Javan said. “There aren’t really a lot of security controls that fit into that space.”