Case Studies Archives | Apiiro | Deep Application Security Posture Management (ASPM)
https://apiiro.com/resources/case-studies/
Wed, 07 Jan 2026 11:17:40 +0000

The Impact of AI SAST: Paddle + Apiiro
https://apiiro.com/resource/the-impact-of-ai-sast-paddle-apiiro/
Fri, 26 Dec 2025 15:09:18 +0000

We sat down with Jed, Senior Application Security Engineer at Paddle, to talk about the biggest challenge security teams face day to day: cutting through the noise. Jed shared how high false-positive rates and low-context findings can slow teams down, making it harder for developers to confidently prioritize the issues that truly matter.

Here are the highlights:

Q: What was broken with legacy AppSec tools?

A: From my experience — and what I’ve seen other Application Security Engineering colleagues deal with — it creates a lot of noise.

I think that’s really the core issue.

With such a high rate of false positives, and findings that often lack context, it makes it difficult for me and other developers to confidently say, “Okay — which of these issues actually matter and should be prioritized?”

When you’re staring at a sea of massive amounts of results, it’s hard to identify what’s truly important.

I really think the high false positive rate is the main issue for a lot of other Application Security Engineers, too.

Q: How does the high rate of false positives impact developers?

A: Sometimes we try to filter things down and only pass off results that we think should be looked at.

But we’ve seen in the past that when we try to get developers to own their areas of development, it’s hard to even get started if there are massive amounts of results.

If you see thousands of false positives, it’s like… where do I even begin?

It often turns into paralysis by analysis.

You try to contribute and be productive, but you eventually just give up because it’s not useful in the end.

Q: What impact did Apiiro have?

A: Apiiro massively reduced the false positives.

In our environment, we’ve seen something like a 90%+ reduction in findings.

And when I say “findings,” I mean the bad kind — the ones that weren’t useful — so we were able to cut that off entirely.

It also made things better because the new AI capabilities from APO with SaaS help give more context into why a finding matters.

It helps you understand how to address it, and what the actual core issue is.

So it dramatically reduced the false positive rate — which was the main issue — and it helps surface the issues that truly matter.

It makes our lives easier.

Work becomes faster, easier, and more productive in that area.

Digital Infrastructure Leader Scales Small Development Team with Apiiro
https://apiiro.com/resource/digital-infrastructure-leader-scales-small-development-team-with-apiiro/
Fri, 20 Dec 2024 12:59:18 +0000

Code-to-Runtime + Deep Code Analysis = More fixes, fewer alerts

KPI

  • 1500+ Developers
  • 35 AppSec Experts
  • 1 Unified Dashboard – More Alerts Fixed than Alerts Detected in 2024

We sat down with Director of Application Security Daniel Krasnokucki, who built from scratch a team dedicated to securing application architecture for a development community 1500 strong at a leading digital infrastructure provider.

Here are the highlights:

Q: What do you expect from a top-performing ASPM?

A: Daniel and his team needed an application security posture management solution that could…

  • Monitor not only scanning tools, but workflow management and ticketing systems to detect and analyze what developers were planning.
  • Be predictive. Prioritize not only what is in code today, but what will be in code tomorrow (or 6 months from now).
  • Provide full dashboard customization options, including advanced filtering and timelines.

Q: What impact has your ASPM had on your team?

A: A small team with big results.

  • For the past year, the team has met their goal to fix more vulnerabilities than they have detected.
  • The ability to tie code to tickets in Jira allows the team to view commits and code evolution in a single, unified timeline via the Apiiro dashboard.
  • More confident answers to security review questionnaires, and more advanced threat modeling based on the Apiiro feedback loop.

Q: How does code-to-runtime align with your needs?

A: One unified timeline for tracking the origin of vulnerabilities.

  • An automated solution for mapping, tagging, and labeling vulnerabilities
  • Developers can focus on what matters most – fixing the most critical risks in a timely manner, and getting back to feature work.

Q: How does code-to-runtime reduce your team’s MTTR?

A: “Because developers know what to fix, it’s much easier to see results in minutes or hours rather than days or weeks.”

  • Less dwell time, better results – a remediation graph that shows a decrease in the amount of time between detection and remediation in product.

See how Apiiro can meet the high standard of excellence for your AppSec engineers – book a demo today.

Case Study: How LTP and Apiiro Together Forge a Stronger, Resilient Framework
https://apiiro.com/resource/apiiro-case-study-how-ltp-and-apiiro-together-forge-a-stronger-resilient-framework/
Tue, 12 Nov 2024 19:52:55 +0000

How LTP and Apiiro Together Forge a Stronger, Resilient Framework

Background

Digital asset prime brokers like LTP depend on a complex suite of interconnected applications to better serve their clients and further innovation in the digital asset marketplace. As their security team sought to place greater emphasis on identifying and managing vulnerabilities across these applications, they turned to Apiiro. Our team offered a solution to help streamline their security processes, reduce vulnerability management times, and enhance their overall application security posture.

Highlights

Challenge

LTP’s diverse and complex business operations require robust support from external experts to assist in identifying, managing, and addressing vulnerabilities, including common weakness enumerations (CWE) and CVEs in application code. This collaboration with external teams is crucial to ensure the comprehensive validation of application vulnerabilities, such as those identified by Apiiro, and to maintain smooth and secure operations across LTP’s extensive systems.

Solution

Apiiro, with the support of Aerowave Technologies, provided LTP with a unified AppSec platform, offering full support of supply chain levels for software artifacts (SLSA – which includes SAST, SCA, and pipeline security) and a high-level, consolidated view of their application security.

Result

LTP developed capabilities to build an SLA/MTTR framework for code security, prioritize vulnerabilities via filtering in software composition analysis (SCA), and reduce their reliance on multiple security tools, resulting in significant time savings and improved DevSecOps processes.

The Challenge: Managing Vulnerabilities with Complex Business Operations Duties

The complexity and breadth of LTP’s operations demand a multi-faceted approach to reducing vulnerability exposure. Success is measured by two key performance indicators: external vulnerability discovery post-launch and internal discovery pre-launch. These metrics, evaluated by the number and severity of vulnerabilities, present a challenge given the scale and complexity of LTP’s operations.

Each day, LTP’s security team reviews the previous night’s security events, analyzes them, and optimizes alarm rules. They also conduct baseline scans and assess business risks to ensure smooth operations. Given the complexity and scale of their applications, the team continuously seeks to enhance their capabilities by leveraging external expertise and support, further reinforcing their robust security framework.

Given the scale and demands of their business, LTP sought external tools and expert teams to assist in identifying and managing vulnerabilities, particularly those with business-critical risks. These tools needed to streamline security processes, consolidate key features like SAST, SCA, and secret detection, and ensure seamless integration with ticketing systems like Jira.

The Solution: A Unified Platform with Comprehensive Security Capabilities

LTP chose Apiiro after a successful proof of concept (POC), recognizing its comprehensive support for single supply chain levels for software artifacts (SLSA), including SAST, SCA, and pipeline security. Apiiro’s ability to provide a well-rounded view of application security complemented LTP’s already robust security practices, further strengthening their overall security posture.

With the assistance of Aerowave, Apiiro helped LTP consolidate their security tools into a single platform. This consolidation provided LTP with multiple filters in their SCA processes, allowing them to prioritize vulnerabilities based on factors like whether they were used in code or exploitable. Additionally, Apiiro’s integration capabilities with GitHub, Jira, and future CNAPP solutions were crucial in streamlining LTP’s security processes.

Result: Streamlined Processes and Improved DevSecOps

Apiiro’s solution empowered LTP to build an SLA/MTTR framework for their code security, which in turn helped them demonstrate the value of their security team. The ability to easily view security checks based on each repository allowed LTP to prioritize their work efficiently.

By streamlining vulnerability management and enhancing their DevSecOps processes, LTP was able to optimize their security efforts, allowing the team to allocate resources more efficiently while maintaining their strong focus on security. Apiiro’s unified platform eliminated the need for multiple tools, saving LTP considerable time and effort in learning and integrating different systems.

Moreover, Apiiro’s continuous code monitoring enabled LTP’s developers to not only see and detect risks in their components, but also to download a fixed version, which greatly accelerates the process of reducing security risk.

In the future, Apiiro’s strong integration capabilities will enable the LTP team to integrate AppSec workflows with their Aqua CNAPP, deepening the holistic view of security across multiple layers.

Conclusion

Security is a core principle and a non-negotiable priority for LTP. They consistently dedicate substantial resources and effort to building and maintaining a robust security framework, ensuring that every aspect of their operations is safeguarded. LTP’s proactive investment in advanced technologies and expert teams reflects their commitment to not just meeting but exceeding industry standards. By partnering with Apiiro, LTP further enhances their capabilities, leveraging Apiiro’s solutions to streamline processes, reduce MTTR, and lower vulnerability discovery scores. This collaboration, built on LTP’s foundational focus on security, has strengthened their overall security posture, enabling them to effectively manage risks, ensure business continuity, and achieve growth.

LTP is a premier prime brokerage serving sophisticated investors in the digital asset space, with security as the cornerstone of their operations. Recognizing the complexity and scale of their business, LTP prioritizes security above all else, ensuring that their infrastructure is fortified against any potential risks. In pursuit of maintaining these high standards, LTP chose to collaborate with us at Apiiro. Our comprehensive security solutions are tailored to meet LTP’s rigorous demands, enabling us to support their mission of ensuring uninterrupted business continuity and maintaining a robust security posture across all aspects of their operation.


Case Study: How Cloudera balances development speed and product security with Apiiro
https://apiiro.com/resource/cloudera-case-study-development-speed-product-security-aspm/
Mon, 08 Apr 2024 16:16:21 +0000

Learn how Apiiro helped Cloudera consolidate their AppSec tools and get risk-based context to reduce their backlogs and meet customer security and regulatory requirements.

How Cloudera balances development speed and product security with Apiiro

Background

For an organization such as Cloudera that manages huge amounts of data across truly hybrid cloud and on-premise environments and supports many high-profile, highly-regulated enterprise customers, security has to be more than just a feature. It’s core to their business.

Highlights

  • Cloudera needed a partner to assist in speeding up the time-to-resolution of security vulnerabilities, as well as help them assess their security posture and gaps.
  • Apiiro provided Cloudera with a continuous inventory of their application components, including open-source dependencies, licenses, and all APIs.
  • Cloudera used Apiiro to consolidate security tools and got the automated context they needed to surface business-critical risks proactively and fix them faster.

The challenge: Meeting security expectations for a complex application

Cloudera knows that maintaining a strong AppSec program and implementing top-notch tools is of utmost importance. Their product security team is also subject to strict SLAs for addressing critical security and compliance risks to fulfill their customers’ and partners’ requirements.

Because their applications are so multifaceted and quickly evolving to drive customer value, making sense of their application and software supply chain threat landscape had always been a challenge. And with several sources of security data being managed and addressed independently, Cloudera needed a way to consolidate and optimize their workflows to fix critical issues faster and proactively.

The solution: Holistic application visibility and risk-based automation

Cloudera deployed Apiiro and gained a full inventory of their applications—including open source packages, data flows, APIs, and much more. As part of Apiiro’s inventory, Cloudera also got insight into their connections with one another, their associated risks, and their historical changes. Apiiro’s deep code analysis provided the foundation for the application security team to differentiate vulnerabilities from risks. 

Cloudera knew that the key for security to keep up with agile development was to ensure that the product was built securely from the beginning. Apiiro helped the Cloudera product security team take that goal a step further by “shifting security everywhere,” ensuring that security checks are accomplished throughout the lifecycle without slowing developers down.

The impact: Reducing backlogs with deep code-to-cloud context

With Apiiro’s holistic approach to application and software supply chain security, Cloudera’s product security team was empowered to consolidate their AppSec tools and streamline their entire program.

  • Apiiro gave Cloudera a thorough view of their applications before and after deployment, from the code to the cloud, to deeply understand their security posture and assess their security coverage gaps.
  • By consolidating their independent tools and providing invaluable business and application context, Apiiro helped Cloudera surface the most critical risks to cut through the noise, reduce their backlog, and save time fixing risks.
  • With Apiiro’s continuous code monitoring and automated developer guardrails on new pull requests, Cloudera was able to empower developers to see the issues before they are released—without security getting involved and with no need for additional training.

Cloudera is the preferred enterprise data management and analytics platform for the world’s top companies in almost every industry. With its open data lakehouse, Cloudera empowers people to transform data anywhere into trusted enterprise AI.

Industry: B2B Software, Cloud computing
Employees: 3000+
Developers: 2000+

“We are able to empower the developers to see the issues before they occur and before they make it into the product and they require very little or no training to do that.”

—Natalia Belaya, Chief Information Security Officer (CISO), Cloudera

Case Study: How Paddle created a force multiplier for AppSec with Apiiro
https://apiiro.com/resource/paddle-case-study/
Tue, 26 Mar 2024 12:15:12 +0000

Learn how Apiiro’s ASPM platform enabled Paddle to adopt a developer-centric and risk-based approach to AppSec and act as a force multiplier for their team.

How Paddle created a force multiplier for AppSec with Apiiro

Highlights

  • As Paddle built out its application security program, they sought a partner to enable them to act as a force multiplier to boost their proactive security efforts and focus on the most business-critical risks.
  • With Apiiro’s deep ASPM platform, Paddle was able to get an aggregated view of their application inventory and a single hub for enforcing security policies earlier in the development lifecycle.
  • Apiiro not only ingested and enriched Paddle’s existing security testing but also consolidated and expanded their security coverage with next-gen open source security, secrets security, and software supply chain security.

The challenge: Delayed releases due to reactive security

As a payments infrastructure provider, Paddle’s application threat landscape is significant—including all the risks associated with payment security and privacy, as well as the security of the Paddle application itself. As a small application security team building out its AppSec program, Paddle knew they needed a way to multiply their efforts and foster better collaboration with development teams.

Vulnerabilities from their existing tools were being surfaced too late in the SDLC, leading to delayed code releases and internal friction. But collaborating with the developers or engineering teams to address risks was also challenging because they didn’t have insight into who owned what.

Paddle sought a solution to help them adopt a proactive, developer-centric approach to application security and optimize their existing tooling and manual risk assessment processes such as pen tests, security code reviews, and threat modeling.

The solution: Developer-centric and risk-based AppSec

Paddle rolled out Apiiro in a staged approach to gain visibility across its application estate, use that context to build risk-based policies and developer workflows, and then measure and optimize their program success over time.

Through Apiiro’s easy-to-install GitHub integration, Paddle quickly got a complete inventory across their nearly 500 repositories, including technologies, open source usage, exposed secrets, sensitive data, and development behavior. That visibility, coupled with the ingestion of vulnerability findings from existing tools, gave them an aggregated view of risks. It also enabled them to prioritize based on business impact and risk likelihood and connect risks to their root cause in code and developer owner. 

Apiiro also provides a single hub for implementing policy-as-code, helping automate developer guardrails and enforce application security best practices on every pull request. This allows Paddle’s application security team to meet the developers where they’re comfortable with a common taxonomy.

The impact: Force multiplying application security

Apiiro’s continuous application inventory, policy-as-code engine, and application risk control plane have acted as a force multiplier for the Paddle application security team.

  • Apiiro monitors 100+ pull requests per week, blocking high-risk changes that need additional assessments, and giving developers the remediation context they need right then and there.
  • By saving them time combing through all code changes to identify only relevant, risky ones, Apiiro acts as a force multiplier for the Paddle application security team, giving them back 2 days’ worth of work per week.
  • Apiiro’s reports and dashboards allow everyone—from executives to security champions—to measure risk and understand security’s impact on engineering productivity metrics such as those outlined in DORA.

Bonus use case: Deepening security coverage with Apiiro SCA + SSCS

In addition to leveraging Apiiro’s ASPM to solve their core challenge of enabling a developer-centric approach to security, Paddle saw Apiiro as an opportunity to consolidate and deepen their application security testing coverage.

Paddle now leverages Apiiro’s open source and software supply chain security solutions, giving them fully integrated visibility and risk detection across packages, repositories, and pipelines.

“Since introducing Apiiro’s Software Supply Chain Security (SSCS) at Paddle, we have been able to ensure pipelines are set up securely and have improved insights into the configuration of our source control repositories—a capability not provided by traditional AppSec tools. This heightened visibility, coupled with Apiiro’s risk-based prioritisation and policy engine, instills confidence in our capability to continually measure supply chain risk and assess against best practice moving forward.”

– Colin Barr, Senior Engineering Manager – Application Security, Paddle

Paddle is a payments infrastructure provider, enabling software companies to respond faster and more precisely to every growth opportunity.

Industry: B2B Software
Employees: 300+
Developers: 80+

“The unique value that Apiiro provides Paddle is as a force multiplier: we can do more with less, we can meet the developers where they’re comfortable, we can provide them the information that they need to fix or to mitigate issues in a single unified view.”

—Jonny Herd, VP of Information Security & Enterprise Technology, Paddle

Case Study: How SoFi empowers development velocity while reducing application risk
https://apiiro.com/resource/sofi-case-study/
Wed, 28 Feb 2024 20:42:57 +0000

Learn how Apiiro's deep code analysis and automation enable SoFi to prevent new risks without blocking developers.

How SoFi empowers development velocity while reducing application risk

Highlights

  • As SoFi started building out its application security program, they sought a partner to go beyond ad hoc AppSec testing, lack of application visibility, and hours spent on security design reviews.
  • With Apiiro’s help, SoFi’s application security team reduced time spent identifying, assessing, and addressing new application risks from days to hours. 
  • In supporting their mission to enable versus block developers, Apiiro gave SoFi the context and automation they needed to define and trigger risk-based policies at the right time in the right place.

The challenge: Supporting business velocity while reducing application risk

Like most fintech organizations that depend on agile development processes to be constantly innovating, SoFi meticulously balances its organizational goals with its risk appetite and compliance requirements. For the SoFi application security team, that means deeply understanding and mitigating application risk without slowing down development velocity. 

As a team of 16 supporting 2000+ developers across 5200+ repositories, the SoFi AppSec team knew they couldn’t possibly manually review each and every code change. They sought a partner to help them gain visibility across their application portfolio to focus on the most business-critical risks, scale their security review efforts, and optimize the time they spent fixing risks.

The solution: Visibility-first context and AppSec automation

With Apiiro’s application security posture management (ASPM) platform, SoFi’s AppSec team was able to build an exhaustive inventory of their application technologies, components, and attack surface—from repositories, APIs, and open source packages to contributor activity, material code changes, and beyond. Apiiro also provides out-of-the-box insight into exposed secrets and sensitive data in code, open source vulnerabilities, API security weaknesses, and more, giving them a single pane of glass for prioritizing application security findings.

Apiiro gives SoFi’s team continuous oversight into potential risks that need security design reviews by analyzing commits for material code changes in the context of their application. Leveraging Apiiro’s policy engine, SoFi can define exactly what they categorize as a critical business risk. Then, whenever a risky material code change or risk is flagged, Apiiro’s workflows trigger the appropriate process, such as creating a security design review ticket.

The impact: Minimizing and optimizing security reviews

Combining automation and context powered by Apiiro’s deep code analysis enables SoFi to prevent new risks without blocking developers.

  • By triggering the right processes at the right time with the right context, SoFi’s AppSec team went from spending hours analyzing design reviews to 5-15 minutes.
  • By tying critical risks to their relevant code owners, Apiiro enabled SoFi to reduce their mean time to remediation (MTTR) from 8 days to 10 minutes.
  • SoFi’s AppSec team got near-instant visibility across their entire application portfolio, including subsidiaries, that they didn’t have before, allowing them to focus on areas to improve risk with minimal effort.

SoFi (NASDAQ: SOFI) is a member-centric, one-stop shop for digital financial services on a mission to help their more than 7.5 million members borrow, save, spend, invest, and protect their money better.

Industry: Financial Services
Employees: 5000+
Developers: 2000+

“There’s a lot of ASPMs out there. I don’t think we have run across one that’s doing code analysis the way Apiiro does and providing us the insights that Apiiro does.”

—Zach Schulze, Sr. Staff Application Security Engineer, SoFi

GSoft Case Study
https://apiiro.com/resource/gsoft-case-study/
Wed, 22 Feb 2023 15:41:18 +0000

GSoft lacked visibility across all repositories, making it challenging to properly classify, recognize, and focus on the most critical risks. In addition, without automation, their two-person team could not continuously monitor changes made by 130+ developers to fix issues that were most important to the business and their customers.

Solution

  • Apiiro indexes all of the application components so that even their small AppSec team can quickly identify and prioritize high-risk vs. low-risk issues.
  • Compared to other application security testing tools, the Apiiro platform analyzes every pull request in seconds to significantly decrease the time to remediate.
  • Apiiro’s SCA functionality activates as soon as it is connected to the source control manager and immediately surfaces all of the open-source elements without a need for extensive and time-consuming integrations.

Results

  • Apiiro saves GSoft many hours of AppSec work daily on integrations between security tools and applications, leading to significant cost savings and improved efficiencies.
  • Apiiro also saves 30 minutes per day for every active developer, which amounts to 65 hours per day across the whole team, giving it an additional capacity of eight developers.
  • The saved development and application security time is now applied to delivering more customer value and increased time-to-market velocity for important product features.

Montreal-based software company, GSoft, leverages Apiiro to index all application components to prioritize high-impact risks and significantly decrease remediation response times.

“We didn’t know we needed Apiiro until it showed us all the information that existed that we had no idea was out there and that our team was responsible for.”

–Edouard Shaar, Application Security Specialist, GSoft

Navan Case Study
https://apiiro.com/resource/navan-case-study/
Fri, 12 Aug 2022 13:11:28 +0000

How Navan automated AppSec governance throughout the development lifecycle with Apiiro

Highlights

  • Navan gained nearly instant visibility into all its components, risks, and material changes across repositories and applications.
  • Navan replaced manual security reviews and alert triage with automated risk assessments and prioritization across hundreds of weekly pull requests.
  • Navan shifted application security earlier in the development lifecycle with actionable, risk-based developer guardrails.

The challenge: Automating AppSec early and at scale

Like many AppSec teams, Navan’s didn’t have nearly enough cycles or resources to manually keep up with the hundreds of pull requests created each week. Even with multiple AppSec tools in place, they couldn’t guarantee that new changes were risk-free. Inundated with alerts, they also struggled to understand how constant code changes would actually impact their application attack surface.

Without a consolidated and automated way to prioritize noisy alerts, the Navan AppSec team needed a solution to reduce noise, ensure accuracy, and determine the most critical risks that needed to be remediated.

The solution: Continuous visibility and governance

Shortly after integrating Apiiro into their source control manager (SCM), Navan started getting continuous visibility into risky areas and behavior. By consolidating findings from native and third-party tools into a single pane of glass, Apiiro was able to correlate, deduplicate, and prioritize alerts to focus on what matters. By knowing what was and wasn’t a real risk, the Navan AppSec team freed up triage cycles and dramatically cut down the alert backlog.

After assessing and understanding their risk, Navan implemented automated workflows to alert their AppSec team when a risky commit or pull request was introduced. That proactive approach and Apiiro’s ability to tie risks to code owners decreased the time it took them to remediate issues.

The impact: Reducing overall application risk

By automating Navan’s application security visibility, risk assessment, remediation, and prevention, Apiiro helped optimize its team resources while reducing its overall application risk.

  • Apiiro enables Navan to continuously and automatically maintain visibility across their applications and identify material changes that may create risk.
  • Apiiro’s risk-based alerts allow the AppSec team to ensure that out of hundreds of pull requests each week, risky changes are identified automatically.
  • With Apiiro’s built-in code security solutions, Navan can gain visibility into risks such as exposed API keys and credentials in code, sensitive data, and more at scale.

Navan is a corporate travel, card and expense management platform that empowers its customers to seamlessly manage business travel, corporate cards and expenses using AI-driven technologies.

Industry: Corporate Travel Management
Employees: 2K+
Developers: 250+


“Apiiro recognizes and classifies risks in a way I have not seen any other company do”

–Tarik Ghbeish, Manager of Application Security at Navan

Rakuten Rewards Case Study https://apiiro.com/resource/rakuten-rewards-case-study/ Thu, 11 Aug 2022 18:19:39 +0000

Rakuten Rewards Case Study

Challenges

  • Understanding application risk as early as product design through software development and production systems.
  • As a security and risk team, it is difficult to ensure effective security across thousands of projects and repositories. People cannot effectively understand risk posture at scale without automation.

Solution

  • Apiiro helps with collecting, organizing, and continuously tracking all data that is risk-related and can be tied to code.
  • Apiiro creates a risk-based inventory that is continuously updated so the security team can understand their application security posture at any point, in real-time.
  • Apiiro not only prioritizes the right risks, but provides a top-down view so Rakuten Rewards can understand their overall application risk and drill-down to the details, as needed.
  • Apiiro first sheds light on technology with its inventory and then uses context to help make risk-based security decisions.

Results

  • Apiiro workflows save hundreds of hours every month by automating previously manual tasks such as prioritizing alerts, investigating risks, and remediating vulnerabilities.
  • Apiiro enables Rakuten Rewards to leverage context to make risk-based application security decisions, improve its risk posture and Shift Left.
  • Improves efficiency by continuously correlating and orchestrating code and infrastructure security alerts in one platform.

Rakuten Rewards was founded in 1998 as eBates and was acquired by Japanese online retailing company Rakuten in 2014. The company provides cash-back and shopping rewards. It has 12 million members who have earned over $1 billion in Cash Back at their favorite stores.


“With Apiiro, our security team is saving hundreds of hours every month”

-Cloud Security Architect at Rakuten Rewards

Kaltura Video Case Study https://apiiro.com/resource/application-security-engineer-from-kaltura-on-apiiro/ Thu, 02 Sep 2021 03:59:19 +0000

Kaltura Video Case Study


Video transcript: 

I’m Roy Avrahamy, an Application Security Engineer at Kaltura. We have over 200 developers and only one me. I created a Kaltura Application Security function from scratch, and Apiiro provides me with the visibility and context I need to build a mature and measurable AppSec program. So first, Apiiro helps me discover all of our assets across the organization. It gives me visibility to all of my products in the repositories and contributors. And, I’ve used Apiiro to understand and quantify our application risk and to help me prioritize the risks that can have an impact on my business.

Apiiro’s automation workflows help me to do more with my time instead of all the manual processes I used to perform. I use Apiiro’s governance rules to automate our processes with the context we need to make better and smarter decisions. One of our recent focuses has been on finding and removing secrets in code. So, every time Apiiro detects a secret, it not only automatically notifies me and the developers that committed the code, but it gives us essential context, such as whether the application is internet facing or stores sensitive information. I believe in Apiiro much more than for secrets in code. But, it’s a great example of how Apiiro is helping us build a mature and measurable Application Security and the risk for it.
