Lemonade saves 10 hours of dev time with Arnica
The Challenge
Secure Development Best Practices
When we were starting Lemonade’s application security program, we set out to understand best practices around secure development with code repository security and pipeline security as a fundamental component of that effort. When we were small, we provided developers with write-level access to all repos, as is typical in small companies. As we grew, we needed to move away from this approach. We had some automations in place that notified us of changes to certain privileges, but we were challenged by automating the regular and continuous management of appropriate privileges.
Meeting Continuous Compliance Requirements
While building out our application security program, we were also being evaluated under Sarbanes-Oxley's (SOX) IT General Controls (ITGC) provision, which dictates the need for:
- Least privilege on code repositories
- Segregation of duties
- Sufficient controls to achieve security postures
- Regular monitoring and audit of those controls
Implementing controls to achieve least privilege and segregation of duties is a labor-intensive effort on its own. But regular maintenance and auditing of those controls, to ensure they remain effective, is so cumbersome that no auditor realistically expected it to be done more than once per month – maybe quarterly or as infrequently as yearly.
Developer Disruption from Security Tooling
Even after building a holistic and effective application security program and meeting all compliance requirements, the reality is that security controls which interfere with developer work or otherwise slow developer velocity are tough to adopt. Developers may be interested in security, but their first order of business is to develop product. Security tools which interfere with a developer’s primary goal of building great products are likely to be ignored or could start a developer revolt.
The Solution
Automated Permissions Management
Implementing compliant permissions controls without a solution to automate these controls would have been tremendously burdensome, and ultimately we viewed the defined minimum controls as insufficient for our security standards. By contrast, Arnica was immediately able to effectively and continuously minimize developer privileges to what was needed, in a way that mirrored the dynamic nature of developer access needs. By automatically monitoring and managing permissions to least privilege, Arnica solves an immediate problem that I have, and one that I imagine most CISOs are dealing with: complying with audits of permissions in an ongoing and effective way.
Easy Permissions Auditing
Sarbanes-Oxley dictates not only that least privilege and segregation of duties be achieved, but that Lemonade be able to regularly produce audit reporting to demonstrate our controls. Arnica makes this possible, not yearly, quarterly, or monthly, and not through great effort, but continuously, so that we can produce compliance reporting on demand, easily.
Developer Delight
Initially, we were concerned with the impact on development, so we entrusted a few key and trusted developers at Lemonade to get them on board – we knew we needed their buy-in. After our development partners evaluated Arnica, we were able to rely on them as champions within their teams to promote Arnica for the same reason we brought it to them: it is the best, least disruptive approach to achieving least privilege for developer permissions.
Practically speaking, our Security team can now manage permissions in Arnica without requiring developers to do anything except request permissions through Slack when needed. This is not a barrier. Developers like this.
This means that Arnica has a high likelihood of successful adoption compared to other tools like static application security testing (SAST) and dynamic application security testing (DAST), which introduce developer friction. If a tool interferes with the developers’ speed, the tool is unlikely to be used.
The Results
It wasn’t until I started using Arnica that I realized that it could eliminate almost all my effort toward ongoing permissions compliance and auditing – it is almost a panacea. Arnica not only helps us secure our development environment and the developers in it, but also reduces the security team’s workload while giving developers a non-disruptive way to self-manage permissions.
Had we implemented regular permissions reviews without Arnica’s automated solution, we would have spent 50+ hours across various teams over the course of each year. But perhaps more impactful, we have dramatically reduced risk in our development ecosystem, because our best efforts to implement a manual review process could not come close to Arnica’s automated, holistic approach.
Arnica solved a significant problem for me and my team. Without Arnica, the solution is primarily manual. Manual solutions bring the issues of manual work—inefficiency and error-proneness. With Arnica, excessive permissions are minimized with no effort. My team can use its time to secure us in other ways, and developers develop product without unnecessary impediments.