Case Study: Full-spectrum DevSecOps for Software Supply Chain Security

Full-spectrum DevSecOps for Software Supply Chain Security


A large North American financial institution needed holistic real-time risk management of its software supply chain from engineering to production that provided accurate security intelligence to both its development and IT operations teams. While keeping a strong security posture was key, this enterprise could not sacrifice production capability for potential security concerns. MergeBase was able to satisfy both requirements, supporting “Dev” and “Ops” while integrating security into the whole process.

“We needed a software supply chain security solution that covered us beyond development all the way into production.”

Customer Background

This Financial Institution is one of North America’s largest payment clearing houses. The company’s mission is to provide efficient, secure, and sound clearing and settlement systems to serve its customers’ interests, which include the largest banks in the Western financial system. The value of payments cleared by the company’s production systems annually exceeds $100 Trillion, which is over $500 Billion on average each business day.

Customer Challenge

Security is a top priority for this major financial services company, as are performance and 24/7 production capability. Balancing the need for security with the requirement for always-on production underlies all the company’s technology purchases and security strategies.

The company occasionally experiences software supply chain security vulnerabilities like all enterprise organizations. That is, software provided by third parties may have flaws that require remediation. When a vulnerability is discovered, the company cannot allow production operations to be impacted or slowed down, as they are required to process hundreds of billions of dollars in transactions each day. Yet the security of those transactions also must be maintained.

Patching vulnerabilities is a complex and time-consuming process. This customer needed a software supply chain security solution that could buy them time to remediate vulnerabilities properly while also maintaining their required strong security posture in the production environment.

Customer Requires Full DevSecOps Coverage for Software Supply Chain Security from Development to Operations

While there are several software composition analysis (SCA) tools available to identify third-party software vulnerabilities and assist in the patching process, MergeBase is the only SCA solution with patented Dynamic Application Surveillance and Hardening (DASH) for Java. This critical feature can monitor and block exploitable Java components in production environments.

The clearing house company’s security leadership was intrigued by MergeBase and its Dynamic Application Surveillance and Hardening capability. With decades of IT compliance and cybersecurity experience the customer’s CISO understood the importance of embedding SCA into their software development lifecycle (SDLC).

The MergeBase solution provides real-time visibility, from the development and testing phases, through staging, and all the way into production systems. DASH is able to monitor and defend against vulnerabilities running in operations (the “Ops” in DevSecOps). Most SCA solutions that the company had previously considered only covered the development or “Dev” side of DevSecOps, offering no visibility into the status or state of third-party security in operations.

The security team was excited by the solution’s ability to monitor or block a Java software library that contains a CVE or known vulnerability. However, they needed more granular control because shutting down a whole software component would generally stop production, which simply isn’t an option for them.

While Runtime Monitoring could be used with minimal impact on production, what they really wanted was the precision capability to block a single function or method that was vulnerable while allowing the other functions in the Java software component to continue operating normally. Generally, a CVE only affects a single method within the library (e.g., JndiLookup in Log4j), so Dynamic Application Surveillance and Hardening could be much more useful if a single method could be blocked versus the whole library.

The customer also wanted to use this capability to proactively harden their enterprise applications by blocking the execution of all unused Java methods before a vulnerability was reported. This would reduce their application attack surface, which was vulnerable to a potential zero-day exploit, breaking the attackers’ kill chain proactively and minimizing risk.

MergeBase Delivers on the Customer’s Request

At MergeBase, we always listen closely to our customers, and this request made great sense. Not only would it meet their requirement, but it would also significantly increase the usability and value Dynamic Application Surveillance and Hardening provides for all our customers. So, we got to work on the feature request right away, and within a few development cycles, this customer was beta testing Dynamic Application Surveillance and Hardening 2.0 with method or function control within Java software components.

By offering DASH, MergeBase is able to give customers the ability to remediate third-party software vulnerabilities on their own schedule without being at risk of exploitation. This buys them as much time as needed, including forever, if necessary, to address software vulnerability issues. There is no risk to security or production with MergeBase’s Dynamic Application Surveillance and Hardening while customers are waiting to patch, even if that patch never comes or is never deployed.

“From our development pipeline to deployment into production, MergeBase keeps us aware of our third-party software risk and helps us to manage it effectively. Thanks to SCA Dynamic Application Surveillance and Hardening for software components and methods, we now have powerful and precise options in Operations to maintain full production other than sacrificing security while waiting to patch.” - FINANCIAL INSTITUTION CUSTOMER CISO

Driving Customer ROI: “Shifting Right” to full DevSecOps for Software Supply Chain

While the customer’s “SecOps” requirement drove them to explore, collaborate, and ultimately select MergeBase as their software supply chain security vendor, they also derived increased ROI. MergeBase’s highly accurate SCA platform has the lowest rate of false positives in the software composition analysis industry, which saves valuable developer time on every build.

Furthermore, MergeBase provides the most complete SBOM (software bill of materials) capability of any SCA solution, offering import and export, as well as supporting both major formats of CycloneDX and SPDX. After two years of using the MergeBase SCA platform, the financial institution’s security leadership appreciates having end-to-end visibility of its software supply chain and tools to reduce risk.

About MergeBase

MergeBase is the only software supply chain security platform offering complete SBOM and full- spectrum DevSecOps support from development to operations. With its highly accurate software composition analysis (SCA) scanner, comprehensive software bill of materials (SBOM) engine, and patented Dynamic Application Surveillance and Hardening for Java capability, MergeBase is a unique application security solution providing real-time visibility of third-party software risk from engineering into production. DASH hardens applications against known Java exploits and zero-day vulnerabilities, proactively reducing software supply chain attack surface.

Book a demo today and see what real-time visibility into your software supply chain security looks like.

Shannon Smith

About the Author

Shannon Smith

After two decades in cybersecurity and software, Shannon has gained a deep understanding of the application security space. Shannon earned business degrees at the University of Washington (Seattle) and EDHEC (France) in Innovation, Strategy, and Information Technology.