Quorum, a prominent public affairs software company, provides solutions to engage in legislative tracking, grassroots advocacy, and stakeholder management. Headquartered in Washington, D.C., Quorum serves a diverse clientele, including government affairs professionals, nonprofits, and advocacy groups. Leveraging AWS infrastructure, Quorum ensures its services are reliable, scalable, and secure.
To satisfy PCI and SOC2 requirements and to improve the security posture of their applications in the cloud, Quorum looked to implement a product security solution to scan their code and cloud infrastructure for potential vulnerabilities.
Quorum’s AWS Architecture
Quorum extensively utilizes AWS to host its applications. The company operates primarily in the US East region to meet data residency requirements for its US-based clients. The architecture follows a hub-and-spoke model, employing various AWS services such as EC2 for compute, S3 for storage, and other services for immutable backups. In order to automate their deployments and simplify debugging, Quorum is currently containerizing their services and experimenting with Lambda to run their microservices.
Additionally, Quorum uses AWS Security Hub and AWS Inspector for continuous security monitoring and compliance checks.
The Challenge: Securing code without slowing developers down
Kelly Johnson, overseeing product security at Quorum, was looking to revamp their current product security process – which involved pentesting applications in runtime, and triaging the results back to developers.
While Kelly wanted to continue running Dynamic Application Security Testing, he needed to broaden the scope of security testing tools to resolve issues early in the SDLC and meet compliance requirements.
He identified several challenges in their application and cloud security processes:
- Developer adoption: Ensuring developers integrate security practices into their daily routines without hindering their productivity was crucial. As Kelly put it, “what’s going to help the developers do their jobs better?”
- Noisy alerts: Development and security teams are often bombarded with security issues after scanning their apps and cloud infrastructure – Quorum needed a solution that would focus their attention only on the most critical risks.
- Fragmented coverage: Quorum preferred a solution that could provide full security coverage – from code to cloud covering SAST, DAST, SBOM, secrets detection and more – without the complexity and costs of managing multiple disparate tools.
Solution: Jit's Developer-friendly approach to security
Quorum chose Jit's Open ASPM platform due to its developer-friendly design and comprehensive security coverage. Jit integrates seamlessly with AWS services and development tools, providing a unified approach to security.
Developer-Friendly User Experience
Jit stood out from other product security solutions with its ease of use for developers. Developers use Jit entirely within their GitHub environment, so they can identify and resolve security issues without leaving the tools they already work in. Plus, Kelly mentioned how noise reduction helped developers focus on what mattered most to the business, without wasting time chasing noisy alerts:
“We wanted to try to reduce the noise and get the important things we can triage. Which ones do we need to tackle first? And I think Jit helps out tremendously with that.”
According to Kelly’s estimate, this had the impact of 50% faster issue resolution compared to their previous state.
Developer feedback at Quorum has been overwhelmingly positive. The intuitive interface and integration with existing tools have made it easier for developers to adopt security practices without slowing them down.
Comprehensive Security Coverage
Jit provides extensive security coverage, from code to cloud, by consolidating eleven different code and cloud security scanners into a single platform. Quorum implemented Jit’s out-of-the-box security controls, including:
- Static Application Security Testing (SAST): Identifies vulnerabilities in code during development.
- Dynamic Application Security Testing (DAST): Scans running applications for vulnerabilities.
- Software Bill of Materials: Detects open source components and their associated licenses.
- Secret Detection: Identifies hardcoded secrets in code repositories before production.
Jit also includes controls like Software Composition Analysis (SCA), IaC security scanning, CSPM, CI/CD security, and container scanning to provide an all-in-one platform for product security.
Infrastructure-as-code scanning
Quorum uses Infrastructure-as-Code (IaC) to provision AWS services, including EC2 and RDS. They needed a way to scan their IaC for security misconfigurations before they were deployed, so they could consistently resolve security issues before production (among other vulnerabilities in their code).
To do this, they leverage Jit, which scans their IaC files during every Pull Request - providing automated security feedback for developers. This helped Quorum consistently resolve potential security misconfigurations of their AWS services, like S3 buckets or RDS instances that are accessible to the public.
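As an added illustration of the kind of pre-deployment check described above (example code written for this page, not Jit's scanner or Quorum's IaC), the following flags the two misconfigurations the text names, a publicly accessible RDS instance and an S3 bucket whose public access is not fully blocked, in a constructed Terraform snippet. The minimal regex parser only handles flat resource blocks like the sample; a real scanner would use a proper HCL parser.

```python
import re

# Constructed Terraform sample (not Quorum's real configuration).
SAMPLE_TF = """
resource "aws_s3_bucket" "logs" {
  bucket = "example-logs"
}

resource "aws_s3_bucket" "uploads" {
  bucket = "example-uploads"
}

resource "aws_s3_bucket_public_access_block" "logs" {
  bucket                  = aws_s3_bucket.logs.id
  block_public_acls       = true
  block_public_policy     = false
  ignore_public_acls      = true
  restrict_public_buckets = true
}

resource "aws_db_instance" "app" {
  identifier          = "app-db"
  engine              = "postgres"
  publicly_accessible = true
}

resource "aws_db_instance" "reporting" {
  identifier          = "reporting-db"
  engine              = "postgres"
  publicly_accessible = false
}
"""

# Matches one flat `resource "type" "name" { ... }` block (no nested blocks).
BLOCK_RE = re.compile(r'resource\s+"([^"]+)"\s+"([^"]+)"\s*\{(.*?)\n\}', re.S)
ATTR_RE = re.compile(r'^\s*(\w+)\s*=\s*(\S+)', re.M)
PAB_KEYS = ("block_public_acls", "block_public_policy",
            "ignore_public_acls", "restrict_public_buckets")

def parse_resources(hcl):
    """Return (type, name, {attr: value}) for every flat resource block."""
    return [(t, n, {k: v.strip('"') for k, v in ATTR_RE.findall(body)})
            for t, n, body in BLOCK_RE.findall(hcl)]

def find_public_exposure(hcl):
    """List human-readable findings for publicly exposed RDS and S3 resources."""
    findings, buckets, protected = [], [], set()
    for rtype, name, attrs in parse_resources(hcl):
        if rtype == "aws_db_instance" and attrs.get("publicly_accessible") == "true":
            findings.append(f"aws_db_instance.{name}: publicly_accessible = true")
        elif rtype == "aws_s3_bucket":
            buckets.append(name)
        elif rtype == "aws_s3_bucket_public_access_block":
            protected.add(attrs.get("bucket", "").removeprefix("aws_s3_bucket.").removesuffix(".id"))
            for key in PAB_KEYS:
                if attrs.get(key) != "true":
                    findings.append(f"{rtype}.{name}: {key} is not true")
    # A bucket with no public access block at all is also reported.
    findings += [f"aws_s3_bucket.{b}: no aws_s3_bucket_public_access_block"
                 for b in buckets if b not in protected]
    return findings
```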
Fast onboarding
The implementation of Jit at Quorum was smooth and efficient. Starting with a proof of value (POV) on a few repositories, the team quickly realized the benefits and proceeded to roll it out across the rest of their codebase.
After installing Jit’s GitHub application, it enabled one-click activation for each security control across all desired repos.
Improved security posture
Quorum saw a significant improvement in their security posture after implementing Jit. With automated feedback for every code change, developers were able to consistently and independently resolve security issues before production. Kelly estimated an 80% reduction in security issues that would previously have slipped through manual code reviews.
Looking ahead
Quorum's partnership with Jit has significantly enhanced their application and cloud security while boosting developer productivity. By providing a developer-friendly platform with comprehensive security coverage, Jit has become an integral part of Quorum's security strategy.
As Quorum continues to scale, Jit's integration with AWS will play a crucial role in maintaining their security and compliance standards.