CASE STUDY | Industry ACCounting

Sage Deploys Oligo to Cut Vulnerability Backlogs 90% In <1 Hour

HQ Location
“To address our findings effectively, we needed runtime context and insights to help us identify the vulnerabilities that can actually affect us.”
Javan Rasokat
Senior Security Specialist

Sage exists to knock down barriers so everyone can thrive, starting with the millions of small and mid-sized businesses served by Sage, its partners, and its accountants.

The Challenge

Generating Runtime Insights to Prioritize Vulnerability Fixes

At a highly matrixed organization like Sage, application security is a mature program with many
existing security controls.

After four years working as a Senior Application Security Specialist with Sage’s 16 other dedicated AppSec practitioners, Javan Rasokat could see that dependency scan findings were multiplying faster than engineering teams could direct resources to fix them.

“Now that we had all these findings, we needed runtime context and insights to help us find the vulnerabilities that can actually affect us.”

While Dependabot gave Sage a large number of findings in their code base, it couldn’t tell them which vulnerable libraries were even loaded at runtime — much less whether a specific vulnerable function had been executed. This created significant challenges when new vulnerabilities (CVEs) were disclosed, causing alerts without an easy way to determine whether it could represent a real pathway for attackers.

To fight the backlogs (and give engineering and security teams more breathing room), Javan
began searching for a tool that could help him understand whether vulnerability findings
represented real security risks. Because Sage depended on ArmorCode to deliver vulnerability
results from many scanning tools into a single interface, it was critical for any new tool to deliver
results that could be ingested easily by Armorcode to enrich the findings from other tools,
including GitHub Advanced Security.

The Oligo Solution

When Javan first heard about Oligo, he was already looking at several Runtime Application Security Protection (RASP) solutions to add runtime context, but quickly realized Oligo’s solution was something altogether different — and better.

“Oligo is very unique in its approach” Javan explained.

“The solution is a new concept, and I think it’s going to change the AppSec market in terms of how we work with applications and services after deployment. Before, we had static dependency analysis in source code. Oligo can show us what dependencies are actually vulnerable in production. And most times the runtime environment looks different from what we scanned in the source code repository.”

Deploying Oligo was simple and fast. “I got the installation scripts – just one YAML file and a readme — and I shared it with our product engineering team. They deployed it within one hour, adding the configuration to their Kubernetes environment without needing any additional support from me or Oligo.”

Javan said results started coming in fast. “One hour after starting the deployment, we already saw the first metrics in the Oligo dashboard, no big effort required.”

Having an ultra-fast deployment time made it easy for Javan and his colleagues to see immediate feedback on their other tools’ results and see the enriched information in the vulnerability management interface they already used.

Results & Benefits

With Oligo up and running, Javan’s team was able to use the Oligo API to enrich existing security findings from other tools.

“In that first rollout, we were able to reduce the number of findings by nearly 90 percent by proving only 10 percent were loaded and executed, so only that 10 percent was exploitable.”

After reducing backlogs rapidly, one of Javan’s biggest goals for Oligo was to save developers time, and he said they’ve definitely achieved what they set out to do: “I didn’t tell the engineering teams that they had to keep it deployed,” he said. “They don’t want to turn it off! They like it. It works so smoothly.”

Javan attributed the developers’ opinion of Oligo to its unique technical capabilities — including its ability to show real data to prove whether libraries and functions are executed at runtime, so they can be confident that non-exploitable findings aren’t relevant to their project’s security.

“This has changed how we work on dependency findings. By saving 90 percent of the work, it means the developers have time to work on other, more important stuff.”

For Sage, implementing runtime controls was one of the AppSec team’s priorities in order to establish security across the entire software development life cycle (SDLC). “Oligo is part of a change in our field where we don’t just look at static code, we now focus on the last step in the SDLC,” Javan said. “There aren’t really a lot of security controls that fit into that space.”

Why Oligo?

According to Javan, Oligo’s feature set was unique among the tools Sage reviewed – and he saw “nearly limitless potential” for its deep library-level analysis to lead to additional features in the future.

“If I can detect what functions and capabilities a function has, see if it is accessing the network, accessing data on the file system, I can see if a dependency has gained new capabilities and has become a risk”

he said, adding that he’d already seen a “sneak peek” of these features. “I could also potentially see if a security issue develops from the supply chain.”

Oligo’s fundamentally new approach cemented Javan’s decision to use the platform. “My first opinion when I saw it is that it would be able to evolve and work well not just now, but in the future.”

“The possibilities of this platform challenge the limitations of other technology stacks and even different types of technology.”

For enterprises with mature AppSec programs, Javan said, finding new tools to provide coverage of security gaps can sometimes be difficult, because they don’t always work in other ecosystems. Oligo’s stack-agnostic ability to determine exploitability of results from any other tools on the market set it apart from the crowd.

With its fundamentally different approach and enterprise customers including Intel, Nationwide Insurance, and Cato Networks, word is spreading fast about Oligo. Javan said: “I actually originally found out about Oligo from a colleague in the same field on LinkedIn. People are already recommending Oligo to each other.”