Empowering Developers: Security Self Serve and Automated Time-Based Waivers

Tyro is an Australian financial institution that specializes in merchant credit and debit solutions. The company helps its customers improve and grow their businesses.

Founded in 2003 and based in Sydney, Tyro has over 400 employees and 20,000 customers. The company also has about 150 engineers, with several cross-functional teams working together to release innovative products.

Tyro recently empowered their developers to build more secure software by instituting time-based waivers. Here’s how they made it happen.

What Tyro Is Currently Working With

Before we cover what they’re doing to automate security, let’s talk about Tyro’s architecture and deployment cycle.

Tyro uses a microservices architecture, with more than 200 microservices running in production. The team favors pushing small incremental events instead of massive updates.

Like most leading DevOps teams, Tyro employs continuous deployment and continuous release techniques. More specifically, Tyro is able to deploy updates weekly, and they were able to simplify the deployment process further with on-demand deployment via a single click. For cloud applications, they deploy continuously.

The Nexus Lifecycle Journey

The company started trying to figure out how to build even more secure software in 2015. This was precisely when they embarked on their application security journey. At the time, Tyro discovered a lot of security issues and had to address them, grandfathering in existing CVEs so their builds wouldn’t break.

It took around two years before the company was able to reduce its nearly 600 security issues to just a handful.

One of the challenges they faced when addressing CVEs was that new CVEs kept popping up. Fix one thing and along comes another. Tyro quickly found out that addressing security issues was a continuous process. When builds would break, they’d have to explain to the team what happened and why it wasn’t an issue.
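The grandfathering and time-based waivers described above amount to a policy gate in the build: known, accepted findings are suppressed until a fixed date, anything new still fails the build, and an expired waiver brings the finding back. The Python below is an added illustration of that gate logic, not Tyro's or Nexus Lifecycle's own code; the `Finding`/`Waiver` records, the sample component names and the `CVE-EXAMPLE-*` identifiers are constructed placeholders, and a real pipeline would feed it the scanner's actual output.

```python
"""Illustrative time-based waiver gate for dependency scan findings.

Assumptions (not from the original post): the scanner yields (component, CVE)
pairs, and waivers are recorded with an owner-supplied reason and an expiry
date so that every suppression is revisited instead of being forgotten.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Finding:
    component: str   # e.g. "libfoo:1.2.3" (constructed sample value)
    cve_id: str      # advisory identifier reported by the scanner


@dataclass(frozen=True)
class Waiver:
    component: str
    cve_id: str
    reason: str      # why the finding is accepted for now
    expires: date    # the waiver is void after this date


# Constructed sample data; the CVE identifiers are placeholders, not real advisories.
SAMPLE_FINDINGS = [
    Finding("libfoo:1.2.3", "CVE-EXAMPLE-0001"),
    Finding("libfoo:1.2.3", "CVE-EXAMPLE-0002"),   # new finding, no waiver yet
    Finding("libbar:4.5.6", "CVE-EXAMPLE-0003"),
]

SAMPLE_WAIVERS = [
    Waiver("libfoo:1.2.3", "CVE-EXAMPLE-0001",
           "vulnerable code path not reachable", date(2030, 1, 1)),
    Waiver("libbar:4.5.6", "CVE-EXAMPLE-0003",
           "upgrade scheduled", date(2020, 1, 1)),  # already expired
]

WARN_WINDOW = timedelta(days=14)  # flag waivers that will lapse soon


def evaluate(findings, waivers, today):
    """Classify findings against the waiver list as of `today`.

    Returns a dict with:
      blocking      - findings with no active waiver (should fail the build)
      waived        - findings covered by an unexpired waiver
      expired       - waivers whose date has passed (their findings block again)
      expiring_soon - active waivers that lapse within WARN_WINDOW
    """
    active = {}
    expired = []
    for w in waivers:
        if today <= w.expires:
            active[(w.component, w.cve_id)] = w
        else:
            expired.append(w)

    blocking = [f for f in findings if (f.component, f.cve_id) not in active]
    waived = [f for f in findings if (f.component, f.cve_id) in active]
    expiring_soon = [w for w in active.values() if w.expires - today <= WARN_WINDOW]
    return {
        "blocking": blocking,
        "waived": waived,
        "expired": expired,
        "expiring_soon": expiring_soon,
    }


def build_passes(findings, waivers, today):
    """The gate itself: pass only when nothing is left unwaived."""
    return not evaluate(findings, waivers, today)["blocking"]


if __name__ == "__main__":
    result = evaluate(SAMPLE_FINDINGS, SAMPLE_WAIVERS, date.today())
    for f in result["blocking"]:
        print(f"BLOCK  {f.component} {f.cve_id}")
    for f in result["waived"]:
        print(f"WAIVED {f.component} {f.cve_id}")
    for w in result["expired"]:
        print(f"EXPIRED WAIVER {w.component} {w.cve_id} ({w.reason})")
    for w in result["expiring_soon"]:
        print(f"EXPIRING SOON {w.component} {w.cve_id} on {w.expires}")
    raise SystemExit(0 if build_passes(SAMPLE_FINDINGS, SAMPLE_WAIVERS, date.today()) else 1)
```

The design choice worth noting is that a waiver is keyed on the component and the CVE together, so upgrading a component or a newly published CVE against the same component is never silently covered by an old waiver; and an expiry date rather than a permanent allowlist is what turns "grandfather it for now" into a revisit that the pipeline enforces on its own.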

This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Justin Reynolds. Read the original post at: