Arnica helped FullStory create paved pathways for our developers to de-risk our business without disrupting workflows or velocity.

The Challenge

Fractured AppSec Tooling, in the Wrong Place  

As a security team, we’re always looking to address blind spots or coverage gaps in our ecosystem. Many application security tools have tried to build a cohesive and comprehensive platform – it’s hard to keep track of all the Application Security Posture Management (ASPM) tools in the market. We found, overwhelmingly, that using these tools has felt like plumbing three different sources to three different sinks – not a lot of orchestration of data or workflows. Ultimately, we found that the effort required to maintain all these disparate tools was seldom worth the incremental security gains.

All of the tools we examined require that we integrate with our CI/CD workflows. But a CI/CD-integrated approach came with inherent fragility. We found that tools which rely on pipeline integrations result in delayed and disconnected feedback, incomplete build stages, increased timelines to resolve risks, and significant energy to assuage legitimate developer fears over increased development times. We found ourselves spending far too much time managing the negative side effects of our tools, rather than leveraging the value of them.

Bad Outputs, Bad Workflows, Broken Trust

Application security tools are infamous in developer circles for yielding a high volume of low-quality findings. So many tools over-index on the idea that more findings are better. But the result is a deluge of alerts, many of which are false positives, lacking in context, lacking a clear mitigation path, or all treated indiscriminately as critical. Most often, the results combine a number of these negative factors.

Compounding the impact of bad outputs is the fact that only a small number of security tools truly understand the way that security teams operate. Fewer understand the workflows of developers and DevOps teams. For us at FullStory, this reality ended up complicating the processes and interactions between our security and engineering teams because the outputs of our security tools proved to be both noisy and untrustworthy, wasting valuable developer cycles and causing developer frustration. Our security team necessarily put themselves between our existing tools and the developers to ensure that any security issues handed over were both valid and important. Even then, identifying the owner of a valid and important issue required time and energy from the engineering teams.  

Limited Application Risk Visibility and Context

The tools that we were previously leveraging represented, more or less, a black box in terms of providing clarity into why certain risks were being prioritized. Furthermore, we had very little confidence that all the areas we expected to be scanned were being scanned. Without a deep sense of the ‘why’ behind outputs from our application security scanning tools, we often found prioritization to be a major challenge due to the mountain of alerts and lack of ability to discern which were any combination of valid, important, severe, and fixable.

The Solution

Unified AppSec That Works for Developers

As a true application security platform, Arnica gives us the best of all worlds in the sense that we get a single platform that integrates best-in-class open-source tooling with rich and flexible customization built on top. With static code analysis, for example, it has been invaluable for us to be able to customize rules to explicitly cater to the way our codebase is structured.

Our ability to analyze, search, and aggregate our AppSec findings in Arnica is incredibly robust. Our team doesn’t have to think about how to get value from Arnica; we get to focus on utilizing the value we get from Arnica’s configurable and high-quality outputs. It’s rare that I use a platform in which I am able to find the answer to a given question completely; Arnica does this. Every finding is delivered with deep context such that we have a keen sense of what is important and why. Equally impactful is that when our security team brings an issue to engineering, we hardly ever need to defend or justify the issue, because Arnica provides rich context to the developer: possible patch versions, which vulnerabilities exist in each version, which patch version eliminates some or all of those vulnerabilities, and more.

Happy Developers, Happy Security  

Now that Arnica has given us the ability to understand the risks in our environment, we needed to find a way to engage our engineers directly – to go where our “customers”, i.e. our developers, are. We’ve built policies to engage engineers thoughtfully and in a way that dramatically decreases the overall effort across our team as well as the developers.

When one of our developers pushes a valid hardcoded secret, we send a message in Slack to the developer immediately letting them know that Arnica fixed it for them. The developer, with nearly no effort, can fix the secret before it’s ever introduced, and the security team never needs to take action on this risk averted. Arnica’s validation increases the efficacy of our engagement with developers because we can prioritize 100% validated secrets with 100% confidence as opposed to bombarding developers with false positives.  
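The workflow above hinges on one distinction: a pattern match is only a candidate, and the developer is contacted only once the secret is known to be real. The following is an added example (not Arnica’s or FullStory’s code) of that detect-then-validate step run over a pushed diff. It uses two common token shapes; for GitHub personal access tokens it checks the CRC32 checksum that GitHub’s token format carries in the last six characters (the base62 alphabet ordering used here, digits then upper then lower case, is an assumption to confirm against GitHub’s published description), while AWS access key IDs have no offline check and are left as “unverified” for a live lookup. The diff, the token bodies and the message text are constructed for the example.

```python
"""Pipelineless secret check on a pushed diff: detect candidates, validate, and
only then message the developer. Added example, not Arnica's or FullStory's code."""
import re
import zlib

# Candidate patterns. Only the GitHub format carries an offline-checkable checksum.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}

# Base62 alphabet used for the checksum (assumption: digits, upper case, lower case).
BASE62 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def base62_encode(n: int, width: int) -> str:
    """Encode a non-negative integer in base62, zero-padded to `width`."""
    out = ""
    while n:
        n, r = divmod(n, 62)
        out = BASE62[r] + out
    return out.rjust(width, "0")


def github_checksum(body30: str) -> str:
    """CRC32 of the 30 random characters, base62, padded to 6 (GitHub's scheme)."""
    return base62_encode(zlib.crc32(body30.encode()), 6)


def validate_github_pat(token: str) -> bool:
    """True only if the trailing 6 characters are the checksum of the 30 before them."""
    body, check = token[4:34], token[34:40]
    return github_checksum(body) == check


# Offline validators by pattern; anything absent here needs a live check
# (for AWS keys, e.g. STS GetAccessKeyInfo) before the developer is bothered.
VALIDATORS = {"github_pat": validate_github_pat}


def scan_diff(diff: str) -> list:
    """Inspect only added lines of a unified diff and classify each candidate."""
    findings = []
    for line in diff.splitlines():
        if not line.startswith("+") or line.startswith("+++"):
            continue  # skip context, removed lines and the file header
        content = line[1:]
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(content):
                token = match.group(0)
                validator = VALIDATORS.get(kind)
                if validator is None:
                    status = "unverified"
                else:
                    status = "valid" if validator(token) else "false_positive"
                findings.append({"kind": kind, "status": status,
                                 "redacted": token[:8] + "..."})
    return findings


def developer_messages(findings: list) -> list:
    """Only validated secrets go to the developer channel; the rest stay with security."""
    return [f"Secret detected in your push: {f['kind']} ({f['redacted']}). "
            f"Rotate it and remove it from the commit."
            for f in findings if f["status"] == "valid"]


# Constructed sample: one checksum-valid PAT, one AWS key, one PAT with a bad checksum.
_VALID_BODY = "a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5"  # 30 characters, constructed
VALID_PAT = "ghp_" + _VALID_BODY + github_checksum(_VALID_BODY)
BAD_PAT = VALID_PAT[:-1] + ("1" if VALID_PAT[-1] == "0" else "0")  # corrupt last char

SAMPLE_DIFF = f"""--- a/config.py
+++ b/config.py
@@ -1,3 +1,5 @@
 DEBUG = False
+GITHUB_TOKEN = "{VALID_PAT}"
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+OLD_TOKEN = "{BAD_PAT}"
-SHA = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
"""

if __name__ == "__main__":
    for finding in scan_diff(SAMPLE_DIFF):
        print(finding)
    for message in developer_messages(scan_diff(SAMPLE_DIFF)):
        print(message)
```

Run against the sample diff, the scanner reports three candidates but produces one developer message: the checksum-valid PAT. The corrupted PAT is dropped as a false positive without anyone seeing it, and the AWS key waits for a live check, which is the point of validating before notifying.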

Similarly, for risk outputs from Static Application Security Testing (SAST) or Software Composition Analysis (SCA), we’ve been able to reduce mean-time-to-awareness of the risk for the developer as well as mean-time-to-remediation. The engineer is enabled with the context, the criticality, and the remediation path before security ever gets involved. They are empowered to act – or not – in real time, which saves everyone time.

Full Visibility & Actionability of Every Risk

For our security team, the level of depth provided has been a game changer. As a starting point, Arnica provides excellent visibility into the jobs that are running and the outputs of those scans. We don’t need to pick what we want to monitor, because 100% of our development environment is being scanned.  

As a next step, the detail that underpins each risk makes prioritization and triage dramatically easier. We get CVSS, EPSS, and KEV scoring, remediation paths, and more. Arnica automatically classifies each product or asset based on its priority for our business, which we can adjust at any time. And lastly, Arnica gives us the people best suited to fix a given issue. With rich context to the severity and importance of the risk, the effort required to fix it, and the person best suited to do so, we’re able to save a huge amount of time when we need to triage alerts to the engineering teams.  

It is easy to get tunnel vision as a security team. Arnica shows us our data at scale across our organization, which makes it much easier to take a pragmatic approach to solving risks in bulk, rather than risk-by-risk.  
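To make the two preceding points concrete, here is an added example (not Arnica’s or FullStory’s code) of triage that combines CVSS, EPSS and KEV with an asset priority, and then regroups the ranked findings by remediation action so that one dependency bump is treated as one unit of work rather than several separate alerts. The tiering policy (KEV first, then EPSS at or above 0.1, then raw CVSS, all multiplied by an asset weight), the asset priorities, the owners and the findings are constructed for the example; the EPSS figures in particular are illustrative, not real scores.

```python
"""Rank SCA findings by exploitation evidence and asset priority, then group them
into bulk remediation actions. Added example, not Arnica's or FullStory's code."""
from collections import defaultdict

# Constructed asset inventory: business priority and owning team (assumption).
ASSETS = {
    "billing-api": {"priority": "critical", "owner": "@payments-team"},
    "marketing-site": {"priority": "normal", "owner": "@web-team"},
    "internal-wiki": {"priority": "low", "owner": "@it-team"},
}
ASSET_WEIGHT = {"critical": 3.0, "high": 2.0, "normal": 1.0, "low": 0.5}

# Constructed findings; CVSS/EPSS/KEV values are sample data, not looked-up scores.
FINDINGS = [
    {"id": "F1", "asset": "billing-api", "package": "lodash", "fix_version": "4.17.21",
     "cvss": 7.4, "epss": 0.02, "kev": False},
    {"id": "F2", "asset": "billing-api", "package": "lodash", "fix_version": "4.17.21",
     "cvss": 9.1, "epss": 0.35, "kev": False},
    {"id": "F3", "asset": "internal-wiki", "package": "log4j-core", "fix_version": "2.17.1",
     "cvss": 10.0, "epss": 0.97, "kev": True},
    {"id": "F4", "asset": "marketing-site", "package": "minimist", "fix_version": "1.2.6",
     "cvss": 5.6, "epss": 0.01, "kev": False},
    {"id": "F5", "asset": "billing-api", "package": "minimist", "fix_version": "1.2.6",
     "cvss": 5.6, "epss": 0.01, "kev": False},
]


def score_finding(f: dict) -> float:
    """Exploitation evidence dominates severity: a KEV entry outranks any EPSS level,
    EPSS >= 0.1 outranks raw CVSS, and the asset weight scales the result."""
    if f["kev"]:
        tier = 100.0
    elif f["epss"] >= 0.10:
        tier = 50.0
    else:
        tier = 0.0
    weight = ASSET_WEIGHT[ASSETS[f["asset"]]["priority"]]
    return round((tier + f["cvss"]) * weight, 1)


def rank_findings(findings: list) -> list:
    """Risk-by-risk view: highest score first."""
    return sorted(findings, key=score_finding, reverse=True)


def remediation_plan(findings: list) -> list:
    """Bulk view: one action per (package, fix version), carrying the findings it
    closes, the highest score among them and the teams that own the affected assets."""
    groups = defaultdict(list)
    for f in findings:
        groups[(f["package"], f["fix_version"])].append(f)
    plan = []
    for (package, fix), items in groups.items():
        plan.append({
            "action": f"bump {package} to {fix}",
            "closes": sorted(i["id"] for i in items),
            "priority": max(score_finding(i) for i in items),
            "owners": sorted({ASSETS[i["asset"]]["owner"] for i in items}),
        })
    return sorted(plan, key=lambda p: p["priority"], reverse=True)


if __name__ == "__main__":
    for f in rank_findings(FINDINGS):
        print(f["id"], score_finding(f))
    for action in remediation_plan(FINDINGS):
        print(action)
```

On the sample data the risk-by-risk list puts the EPSS-high lodash finding on the critical asset first and the KEV-listed log4j finding on the low-priority wiki second, while the bulk view collapses five findings into three actions and already names the team that owns each one. Tune the tier thresholds and weights to your own environment; the shape of the policy is what matters.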

The Results

FullStory is seeing the impact of Arnica’s pipelineless approach, every day. Getting the full inventory, context, priority, and owners for all risks in our ecosystem, with deep and thoughtful developer workflows for risk mitigation, has been invaluable. Adding Arnica has significantly helped FullStory to create a paved pathway for our developers to de-risk our business without disrupting workflows or velocity.

Application security findings, when spread across many distinct tools and interfaces, can make it difficult to prioritize risk and remediation plans. Arnica empowers us to avoid tunnel vision by centralizing all our results into one hub for security, engineers, and leadership to understand the holistic risk per code base and effectively and efficiently reduce that risk.  
