Liongard decreased mean time to fix vulnerabilities by 62% in three months

End-to-End AppSec
Developer Experience + Security Outcomes

Navigating Ineffective AppSec Vendor Options  

At Liongard, when we first set out to build an Application Security stack, we ran into a reality in which vendors were either focused on one or two aspects of AppSec – SAST or SCA or secrets, etc. – or were intent on billing for each additional scanner type. Because budgets are a reality for every security team, especially within a startup, we were forced to pick and choose what features we wanted to implement. If we wanted IaC, that was extra. If we wanted SAST, that was extra. SCA, extra. Ultimately, we were trying to do a job with an incomplete set of tools, just because of how the other vendors were building and packaging their products.

Complex Tool Implementation & Poor Developer Adoption

Liongard develops new source code every week and we have a monthly release cycle. In our product, we have “inspectors” – apps that connect with systems and services like email solutions, firewalls, user endpoints, etc. As we build new inspectors, we add a new repo specifically for that target system. And because we are constantly adding repositories, the SAST and SCA tools had to be reconfigured for each new repo: added to the tool, assigned to a project, and have their permissions set for groups. What this meant in practice was that we spent large amounts of time manually configuring our tools.

Beyond the added friction that this created in our development processes, we were asking developers to use yet another security tool as part of their suite, which did not go over well. We saw very low developer adoption of the SAST and SCA tools we had deployed as a result. We needed something simpler for developers to adopt – ideally, something they didn’t even need to manage. And we wanted to find a solution that wouldn’t require complex configuration changes with each new repository added.

Limited code visibility & control

We also need to ensure Liongard has the right tools and processes in place across information security, application security, cloud security, product security, and internal IT security, and that across the board our tools are adopted, leveraged effectively, and that we’re following best practices – that we’re not just checking boxes.

Before Arnica, as a matter of policy, the security team didn’t have access to source code. But we did need to be able to answer critical security questions like: What vulnerabilities exist? Do we have tickets open? Are we addressing them?

Our previous solution gave us just enough visibility to answer the first question but didn’t extend much further down our team’s workflow. This left us in an uncomfortable middle ground where we were making the appropriate access decision from a security standpoint, but that decision was restricting our ability to make informed decisions for our application security strategy.

The Solution

Holistic Application Security (That Works!)

Arnica was a major improvement to our application security posture. Rather than having to pick which features we were going to implement, Arnica provides Liongard with everything we need from an AppSec scanning standpoint in one solution, out of the box. We were able to consolidate our SAST & SCA tools but also mature our AppSec program by adding in things like hardcoded secret scanning, reputation, and licensing. We went from essentially having two tools to a fully stocked AppSec toolbox.

Arnica clearly understands that AppSec is a holistic practice, not a set of a la carte features. The cohesiveness and completeness of the product and its developer and security workflows reflect that.

Simplified Implementation & Immediate Time-to-Value  

When we integrated our repository instance with Arnica, which took a matter of minutes, this was essentially the full extent of effort to get deployed (beyond tweaking policies to our liking). From that point on, we no longer worried whether the next new repo was going to be covered by our security scanners. Now, we don’t worry that one of our teams may have created a new repo, and the Eng teams aren’t concerned about whether they told me about it or not. Arnica scans the full range of repositories, including all new repos, from day one, while reducing developer effort.

This new reality has eliminated a burdensome monthly process where we would find a handful of newly added repos that hadn’t been scanned and uncover and triage vulnerabilities that had gone undetected as a result. Arnica scans every new repo automatically so vulnerabilities can be dealt with immediately when needed. This keeps our information flow smooth and up to date instead of experiencing a huge spike in risk count when a new repo is discovered by our scanners. Ultimately, things work how they’re supposed to: we observe the graph going up if new vulnerabilities are being added and it goes down when they’re being resolved.

Developer Experience + Security Experience

At Liongard, due to the nature of our business, we have a large number of repositories. Arnica’s ability to tell us everywhere a vulnerability exists is hugely helpful. We used to work on a given repo to resolve vulnerabilities within it. Now, we look for something specific – AVAX or YARN or VM2 – and we can identify and resolve all instances of that dependency across our environment. Not only is security making developers more efficient at eliminating risk, but developers are also now empowered to move widely used dependencies out of their multiple repositories and into a centralized repository, thus helping us mature our coding practices.
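The cross-repo search described above, finding every repository that carries a given dependency, is something a security team can also reproduce directly against checked-out Node repositories. The following is an added example, not Arnica's code or Liongard's, and the repository inventory it scans (SAMPLE_REPOS, with three hypothetical inspector repos) is constructed inline so it runs offline. It reads each repo's package.json for direct declarations and its npm v2/v3 package-lock.json for every installed copy, including nested transitive copies that the manifest alone would never show:

```python
import json
from typing import Iterator

# Manifest sections in which a package can be declared directly.
DEP_SECTIONS = ("dependencies", "devDependencies", "optionalDependencies", "peerDependencies")

# Constructed sample inventory: {repo_name: {relative_path: file_contents}}.
# Hypothetical repos; none of these files come from a real Liongard repository.
SAMPLE_REPOS = {
    "inspector-firewall": {
        "package.json": json.dumps({
            "name": "inspector-firewall",
            "dependencies": {"vm2": "^3.9.11", "express": "^4.18.2"},
        }),
        "package-lock.json": json.dumps({
            "lockfileVersion": 3,
            "packages": {
                "": {"dependencies": {"vm2": "^3.9.11", "express": "^4.18.2"}},
                "node_modules/vm2": {"version": "3.9.11"},
                "node_modules/express": {"version": "4.18.2"},
            },
        }),
    },
    "inspector-email": {
        # vm2 is not declared here; it arrives transitively through some-tool.
        "package.json": json.dumps({
            "name": "inspector-email",
            "devDependencies": {"some-tool": "1.0.0"},
        }),
        "package-lock.json": json.dumps({
            "lockfileVersion": 3,
            "packages": {
                "": {"devDependencies": {"some-tool": "1.0.0"}},
                "node_modules/some-tool": {"version": "1.0.0", "dependencies": {"vm2": "3.9.5"}},
                "node_modules/some-tool/node_modules/vm2": {"version": "3.9.5"},
            },
        }),
    },
    "inspector-endpoint": {
        "package.json": json.dumps({
            "name": "inspector-endpoint",
            "dependencies": {"lodash": "^4.17.21"},
        }),
    },
}


def package_name_from_path(install_path: str) -> str:
    """Map an npm lockfile install path to the package it holds.
    'node_modules/vm2' -> 'vm2'; 'node_modules/a/node_modules/@s/n' -> '@s/n'."""
    return install_path.rsplit("node_modules/", 1)[-1]


def declared_in_manifest(manifest: dict, target: str) -> Iterator[dict]:
    """Every direct declaration of target in a package.json, with its range."""
    for section in DEP_SECTIONS:
        rng = manifest.get(section, {}).get(target)
        if rng is not None:
            yield {"kind": "declared", "where": section, "version": rng, "direct": True}


def installed_from_lockfile(lock: dict, target: str) -> Iterator[dict]:
    """Every installed copy of target in an npm v2/v3 lockfile (the 'packages' map).
    A copy is direct only if the root package declares it and it is not nested
    under another package's node_modules; everything else is transitive."""
    packages = lock.get("packages", {})
    root = packages.get("", {})
    declared_at_root = any(target in root.get(s, {}) for s in DEP_SECTIONS)
    for path, meta in packages.items():
        if path and package_name_from_path(path) == target:
            nested = path.count("node_modules/") > 1
            yield {"kind": "installed", "where": path, "version": meta.get("version"),
                   "direct": declared_at_root and not nested}


def find_dependency(repos: dict, target: str) -> list:
    """Collect every occurrence of target across all repos, one record per hit."""
    findings = []
    for repo, files in sorted(repos.items()):
        for fname, text in files.items():
            data = json.loads(text)
            if fname.endswith("package.json"):
                hits = declared_in_manifest(data, target)
            elif fname.endswith("package-lock.json"):
                hits = installed_from_lockfile(data, target)
            else:
                continue
            for hit in hits:
                findings.append({"repo": repo, "file": fname, **hit})
    return findings


def repos_affected(findings: list) -> list:
    """Distinct repositories that carry the dependency, sorted by name."""
    return sorted({f["repo"] for f in findings})


if __name__ == "__main__":
    for f in find_dependency(SAMPLE_REPOS, "vm2"):
        print(f"{f['repo']:<20} {f['kind']:<9} {f['where']:<45} {f['version']:<8} direct={f['direct']}")
```

The point of reading the lockfile as well as the manifest is the second repo: it never declares the package, so a manifest-only search (or a search for the name in each repo's own code) would miss it, yet the nested copy is installed and shipped. Yarn lockfiles and npm lockfile v1 use different layouts and would need their own parser; this example handles npm v2/v3 only.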

This is why Arnica has won major points across the organization. It doesn’t get in the developers’ way – a big win for developers – and the developers actually use it – a huge win for security. Our developers get findings delivered directly to them in Slack. Our security team doesn’t have to blast the whole org and developers don’t need to take on a new tool. It’s all so simple from a developer experience standpoint.

Of equal importance is that developers are getting better at impacting security because of Arnica. Developers can look at a finding based on the file itself rather than the whole repo and get context from severity, exploitability, business importance of the asset, best fix available, and more. Developers spend far less time finding answers. As a result, security issues spend far less time unresolved. These are just a few examples that feel obvious when using Arnica but make it clear that Arnica just ‘gets’ how engineering and security teams work.

Full Visibility & Strategic Control

Gone are the days when we had to choose between access to code and visibility into what is happening within the code. Arnica has allowed us to easily rein in permissions that were stale or excessive, while providing leadership with far superior reporting and insight into what is going on within the code. From a security standpoint, we get a clear and realistic sense of what risks exist across SAST, SCA, IaC, reputation, licensing and more and how to effectively and efficiently fix those risks.

Arnica also gives me the ability to see what hasn’t been touched in a while. When we implemented Arnica, we were able to sort our repo inventory by ‘Days Since Last Commit’ and found repositories that were created in the early stages of Liongard that hadn’t been touched in a long time. With Arnica’s help, we’ve eliminated dozens of them – all with stale, unmaintained, unused code.

With Arnica’s full coverage and visibility, we’ve been able to establish a clear view on what our vulnerabilities are, when we found them, who’s worked on them, who caused them, who resolved them, and so much more. We can reward and highlight developers that are following secure coding practices and help guide and train those who need support.

The Results

When we first encountered Arnica, we were considering building a homegrown solution to do SAST and SCA. That meant investing developer hours, budget, maintenance and more. Arnica came in and accomplished all of what we envisioned and more without us needing to build and maintain something ourselves. But it’s clear in retrospect that it would have taken us years and multiples of our budget to match the value we get from Arnica.

At the end of the day, our decision to displace our previous tooling and adopt Arnica instead of building something internally came down to the real, tangible value that Arnica delivers. We would estimate that we’re getting 2-3x more value from Arnica than our previous solution just due to its comprehensive solution suite, ease of use for both security and developers, and extensive visibility across our ecosystem.

Within Liongard, the verb we keep coming back to for Arnica is “mature,” and rightfully so. Arnica’s comprehensive scanning architecture, full code coverage, and the nuanced workflows for developers and security teams have had a massive impact. We’ve upleveled across developer experience, secure coding practices, effective permissions management, and of course our application security posture as a result of bringing Arnica into the fold.
