How Rapyd stays secure amidst rapid growth with Arnica
The Commoditization of Application Security Scanning Tools
Over the years at Rapyd, we’ve used a handful of tools in the Application Security space and evaluated many more. I was convinced that Application Security Posture Management (ASPM) and application security scanning were commodities – despite marginal differences between the tools, some were worse and some were just bad.
Why? Because the majority of tools in the AppSec space appear to be a productization of a bunch of open source tools. They’re all putting lipstick on a pig – sure, they may be different shades of lipstick, but at the end of the day all ASPMs seem like a generic dependency scanner or secret scanner plus a little bit of makeup.
How Arnica’s Pipelineless Approach to Application Security Changed Our Minds
At some point, a fellow CISO in a Slack channel I am in suggested that he wanted to write an article on ASPM and I told him he should title it “ASPM. They Are All Just Fine So Get Whatever You Want.” Then, I tried Arnica.
From the get-go, it was clear to me that this AppSec tool was different, starting with the fact that it was built by people who had actually been in the trenches themselves, tasked with building AppSec programs in highly political, complex, global organizations where pushing changes is hard. This was especially clear in the way Arnica responds to each risk type – whether secrets, SAST, SCA, IaC, licenses, or anything else. Each category of risk demands a unique approach and a specific menu of responses, and Arnica nails the response to each risk type.
The demo of these interactions between AppSec and developers felt less like a pitch than a “look at this awesome thing we built.” The functionality that Arnica showed us on day one, like creating branches to push automated fixes and deep integrations with Slack to nudge and assist developers when needed, made it clear that not all ASPMs are the same. Arnica blew me away.
One of the coolest things for me is that my application security engineers can tell that the Arnica team understands exactly what they do and what features and workflows would make their lives easier and more successful. I believe that Arnica’s differentiating factor is how deeply their product anticipates what we, as application security practitioners, are trying to accomplish while at the same time anticipating how to do so without taking developers out of their workflows.
Mitigation Workflows that Rapyd Developers Love (And Use!)
Imposing workflows on developers is always a gamble. If it goes wrong, you lose trust with developers – which any security person can tell you is incredibly hard to gain and even harder to regain once lost. Although Arnica is a security company, it is built “developer-first.” All our developers use Slack and git and that is exactly where Arnica meets them.
In Slack, Arnica empowers my application security team to communicate with developers as soon as a risk is found in a code push. With Arnica, we give developers all the context as to why we flagged it and how important it is to address the risk immediately. Arnica also gives our security team the ability to toggle the volume of alerts up or down to ensure developers are seeing and acting on the alerts that matter most.
Then, once we’ve got the developers’ eyes on the right risks, Arnica helps walk our developers right up to the fix and even – in the case of secrets – automates the fix for them. With Software Composition Analysis (SCA), for example, Arnica provides our developers a menu of options – highest impact for lowest effort, highest overall security impact, etc. – and does so in real time, in Slack, so that the developer gets the right context at the right time to make the fix easy. As a result, we’re seeing an increase in the number of risks being addressed early.
Arnica Fixes Secrets For Us
Arnica’s deep expertise in application security, and even more importantly in how to use deep git internals to build user-friendly workflows, has delivered meaningful impact for us across many areas of our program, not the least of which was hardcoded secrets.
As an industry, we’ve been banging our heads against secrets for a long time. In other tools, we might get 1,000-5,000 critical findings, but most of them are noise. Arnica changed the approach by first testing each secret using their “secret validation techniques”. Then the secrets are reprioritized based on our unique software development context – was it found in our main product repository or in a sandbox?
Off the shelf, we were able to clearly identify and prioritize true positive secrets that were both critical and important. With the help of Arnica, we were able to focus and eliminate each and every critical secret from our codebase.
At the same time, we used Arnica’s workflows to systematically prevent new validated secrets from entering our codebase. For newly introduced secrets, Arnica actually rewrites the secrets on behalf of our developers and removes them from the entire commit history – all without the developer doing any additional work.
Once we’d stopped the first group of secret types we cared about from entering code, we expanded our focus to include additional secret types. This way we focused on what mattered the most first. Instead of starting with thousands of secrets, most of which were not real, we narrowed to dozens, which we were able to address rapidly. This workflow is just one example of how Arnica joins a deep, powerful product with incredibly easy user experience.
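The triage logic described above, reduced to its essentials as an added illustration (this is not Arnica’s code or Rapyd’s; the repository names, secret types and findings are constructed, and “validated” stands in for whatever the scanner reports after checking the credential):

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    repo: str
    secret_type: str
    path: str
    validated: bool  # True only when the scanner confirmed the credential is live

# Hypothetical repository classification; a real inventory would come from the SCM.
REPO_CONTEXT = {
    "payments-core": "product",
    "merchant-sdk": "product",
    "onboarding-sandbox": "sandbox",
}
CONTEXT_WEIGHT = {"product": 100, "sandbox": 10}

# Phase 1 covers only the secret types the team decided matter most; widen it later.
PHASE_1_TYPES = {"aws_access_key", "database_password"}

def priority(f: Finding, repo_context: dict) -> int:
    """Higher is more urgent. Unvalidated findings never outrank validated ones."""
    base = CONTEXT_WEIGHT[repo_context.get(f.repo, "sandbox")]
    return base if f.validated else 0

def triage(findings, focus_types, repo_context=REPO_CONTEXT):
    """Keep only validated secrets of the types currently in focus, most urgent first."""
    kept = [f for f in findings if f.validated and f.secret_type in focus_types]
    return sorted(kept, key=lambda f: (-priority(f, repo_context), f.repo, f.path))

# Constructed sample output of a secret scanner.
SAMPLE = [
    Finding("payments-core", "aws_access_key", "config/prod.env", True),
    Finding("payments-core", "aws_access_key", "tests/fixture.env", False),
    Finding("onboarding-sandbox", "database_password", "docker-compose.yml", True),
    Finding("merchant-sdk", "slack_webhook", "scripts/notify.sh", True),
    Finding("merchant-sdk", "database_password", "legacy/settings.py", True),
]

if __name__ == "__main__":
    # Phase 1 narrows five raw findings to three validated, in-scope ones.
    for f in triage(SAMPLE, PHASE_1_TYPES):
        print(priority(f, REPO_CONTEXT), f.repo, f.secret_type, f.path)
```

Expanding the focus set (for example adding `"slack_webhook"`) is the later phase the text describes; the unvalidated fixture key never surfaces in either phase.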
Rapyd is Building a World-Class Application Security Program with Arnica
Arnica changed my mind that all AppSec tools are the same. We are getting real value from Arnica’s partnership and deep understanding of our application security goals and our developers’ workflows. As a result, we were able to attack and eliminate the most critical risks in our codebase, massively reduce the number of false positives we put in front of developers, and implement active blocking.
We're in the security game with a simple mindset: if you're going to play, you should strive to be the best. We've got a strong team and a great company, but we don’t have the resources of Google or Netflix. That means, as a CISO planning my team’s approach to security, I have to be smart—doing more with less and consistently punching above our weight.
Top-notch tools and strong vendor partnerships are key to building the best application security program possible, and Arnica is leading the way for us in this regard.