Perion: How Jit Improved Perion’s Product Security Posture with a Fast Developer UX


Perion, a global advertising technology company, provides innovative solutions for brands and publishers, enabling them to reach their audiences effectively. With a strong emphasis on data-driven insights and a cloud-native infrastructure, Perion operates at the forefront of digital advertising. To maintain their competitive edge, Perion relies heavily on AWS to power their operations, ensuring scalability, reliability, and security.

Perion’s AWS Architecture

Perion hosts the vast majority of its production workloads on AWS. Their environment includes a range of services such as Lambda for serverless computing, S3 for storage, RDS for managed databases, and EC2 for compute instances. Perion's microservices architecture runs on Kubernetes, managed via Amazon EKS, which allows them to deploy, manage, and scale containerized applications efficiently.

The Challenge: Enhancing Security While Maintaining Developer Velocity

Perion faced several challenges in their application security posture management (ASPM) program:


  1. Multiple Security Vendors: Perion previously relied on two separate vendors to manage their security needs. This fragmented approach required separate controls and added complexity to their security operations.
  2. Lack of Business Context in Security Alerts: The security alerts provided by these tools lacked the necessary business context, making it difficult for developers to prioritize and address them effectively.
  3. Developer Adoption: Ensuring that developers were actively engaged in the security process was a critical objective. Alerts that were not integrated into their existing workflows often went unnoticed or were not resolved in a timely manner.

Solution: Jit's Application Security Posture Management (ASPM) Platform

Perion turned to Jit's ASPM platform to address these challenges. Ben Hacmon, CISO of Perion, summarized his move from two vendors to one: “So we had to use both to get the best of both worlds. But now, you give it, you give us the best of both worlds.”

Developer-Friendly Integration

One of the key benefits Perion experienced with Jit was the platform's ability to provide security recommendations directly within GitHub pull requests (PRs) as comments. This feature eliminated the need for developers to switch between different tools, allowing them to address security issues without leaving their development environment. This seamless integration ensured that security became a natural part of the development process, significantly improving developer buy-in.


Ben Hacmon, CISO of Perion, emphasized the importance of this integration: "The fact that they don't need to switch windows and to open new links and research it themselves, just give it to them in their own language. That makes a huge difference."


Once developers could resolve security issues themselves within Jit, Perion's SLA for resolving security issues improved by 6.2% after just a few months. As Ben put it, "We used to have R&D teams breach SLAs constantly, but now it's much better."


All-in-one Product Security Platform

Jit provided Perion with full product security coverage in a single platform, rather than requiring them to maintain separate tools.


By consolidating many security controls into a single platform, Jit reduced the complexity of managing security scanners and findings. The platform covers the following controls:


  • Static Application Security Testing (SAST)
  • Software Composition Analysis (SCA)
  • Secrets Detection
  • Software Bill of Materials (SBOM)
  • Open Source License Checking


Working with AWS to improve prioritization with business context

To effectively prioritize security vulnerabilities, the Perion security team needed to understand the runtime context for each security issue detected by Jit. This was achieved using Jit’s integration with AWS.

Perion launched a CloudFormation template to automate the integration; the template requires only read-only permissions to gain visibility into their AWS environment. This enabled Jit to map each vulnerability to the Lambda functions, EC2 instances, RDS instances, and other AWS resources in their environment. For example, with this integration, Perion can see whether vulnerable code is deployed to a Lambda function in production, is reachable through an internet-facing API Gateway, or reads sensitive data stored in RDS. This allows Perion to prioritize high-risk vulnerabilities while weeding out the noise.
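The page does not list the permissions Jit's template requests, so the following is an added illustration, not Jit's own template, of what a least-privilege read-only cross-account role for an external scanner of this kind typically looks like in CloudFormation. The scanner account ID, the ExternalId, the role name and the denied actions are placeholders and assumptions chosen for the example; a real vendor template will name its own account and its own required actions.

```yaml
# Illustrative CloudFormation template (not Jit's): a read-only cross-account
# role that an external ASPM scanner can assume to inventory Lambda, EC2, RDS
# and API Gateway resources without being able to read workload data.
AWSTemplateFormatVersion: '2010-09-09'
Description: Example read-only role for an external security scanner (placeholder values)

Parameters:
  ScannerAccountId:
    Type: String
    Description: AWS account ID of the scanner vendor (assumption; supplied by the vendor)
    AllowedPattern: '^[0-9]{12}$'
  ExternalId:
    Type: String
    NoEcho: true
    Description: Vendor-supplied ExternalId that prevents confused-deputy misuse of the role
    MinLength: 16

Resources:
  ScannerReadOnlyRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: example-scanner-readonly   # placeholder name
      # Only the vendor account may assume the role, and only with the agreed ExternalId.
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub 'arn:aws:iam::${ScannerAccountId}:root'
            Action: sts:AssumeRole
            Condition:
              StringEquals:
                sts:ExternalId: !Ref ExternalId
      # AWS-managed SecurityAudit grants the Describe/List/Get metadata reads an
      # inventory needs; it does not grant write actions.
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/SecurityAudit
      # Belt and braces: explicitly deny data-plane reads an inventory never needs.
      # An explicit Deny wins over anything the managed policy above allows.
      Policies:
        - PolicyName: DenyDataPlaneReads
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Deny
                Action:
                  - s3:GetObject
                  - secretsmanager:GetSecretValue
                  - ssm:GetParameter
                  - ssm:GetParameters
                  - ssm:GetParametersByPath
                  - kms:Decrypt
                  - dynamodb:GetItem
                  - dynamodb:Scan
                  - dynamodb:Query
                Resource: '*'

Outputs:
  ScannerRoleArn:
    Description: ARN to hand to the scanner vendor
    Value: !GetAtt ScannerReadOnlyRole.Arn
```

Three things to check before launching any vendor-supplied stack of this shape: that the trust policy names a single vendor account and carries an ExternalId condition rather than trusting `*`; that the attached permissions are read-only (no `iam:*`, no `lambda:UpdateFunctionCode`, no `s3:PutObject`); and, after launch, that CloudTrail shows `AssumeRole` events only from the expected vendor account.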

The integration of business context into security findings has helped reduce alert noise, while ensuring developers prioritize issues based on their impact to the business. Ben highlighted the importance of using business context to prioritize security findings: "If you put out something and call it critical, but that repo is not internet-facing, then it's not really critical. The business intelligence makes all the difference."

With Jit, Ben's team and developers are able to quickly prioritize issues according to their runtime and business context, such as vulnerable code that reads from a sensitive database or a cloud security issue that could enable privilege escalation.

Improving security posture with a faster developer UX

Perion's experience with Jit demonstrates how optimizing the developer UX can create measurable security improvements. By providing comprehensive security coverage with a fast developer UX and the necessary business context, Jit has enabled Perion to enhance their security posture without compromising developer velocity.


As Ben put it, "You built the control in such a way that fits perfectly with how we do cyber. It’s really working for us."
