Juno Journey: How Juno Journey Implemented Full Product Security Coverage in Days


Juno Journey is an exciting learning and development startup that is changing how organizations onboard, train, develop, and engage employees. They offer Juno LXP and Juno LMS as product solutions for tier 1 organizations to manage their L&D processes. Juno's unique LXP (learning experience platform) offers unlimited access to a variety of content providers, allowing employees to find relevant content for their learning needs, while their admins enjoy analytics dashboards and easy-to-use budget management tools. Juno LMS is a dynamic learning management system (LMS) that offers tools to consolidate organizations' internal materials and create engaging learning and training journey experiences for their employees, customers, and partners. 

As Juno Journey experienced rapid growth to 60 employees, Bar Maoist joined to build and optimize its DevOps operation from the ground up. With a background in DevSecOps engineering, his priority was to integrate security without impacting the engineering team's velocity. Up to that point, most security was applied manually, with tools like npm audit, and some freestyle security engineering as needs arose.

To enable velocity coupled with security, Bar's first-order task was to migrate their infrastructure from a PaaS operation on Heroku to a serverless architecture built on Google Cloud Platform (GCP), removing the friction and overhead of infrastructure management. With a modern cloud native MERN stack, Managed Container Services and Cloud Run on the runtime side, and GitHub Actions for CI/CD, it was clear that security needed to be integrated into their automated processes to provide greater coverage for the code, infrastructure, and the supply chain.

Following market research, Bar discovered and selected Jit, which would begin by providing him with an inventory and understanding of what’s actually happening inside his tech stacks end-to-end, alongside additional controls for every layer of the stack. The next step was to get the engineering team onboard and embed greater security awareness in their culture, processes and tech stack.

The team set out on a security sprint to achieve this immediately.  

“The onboarding to Jit was seamless––all I had to do was give the required permissions, and we immediately had full security coverage. It was the easiest system I have onboarded to, everything just happened automagically.”

Once onboarded to Jit, Bar led a quick team training, demonstrating the capabilities and how to embed Jit into their regular development workflows for SCA (static code analysis), Infrastructure as Code (IaC) scanning, secret detection, and securing third-party tooling. Over a short period of time, he added GCP Security and DAST for runtime security. With Slack alerts as their primary integration point, the developer experience was excellent, providing trust and confidence in Jit. Today, Bar sees developers leveraging the Slack integration regularly when anomalous alerts are received, commenting on them, and addressing them in a timely manner.

The Slack integration and in-PR comments and remediations make it possible for developers to continue their day-to-day work and address security concerns in an intuitive workflow. For the most part, issues are dealt with in their native developer tooling, such as GitHub and CI/CD pipelines, making Jit truly simple to adopt and use.

Following the first scan, the existing findings went into the backlog for ongoing management, and almost all new vulnerabilities are now taken care of at the developer level, in-PR. The greatest value Jit provided from the moment it was adopted was security peace of mind going forward: each new PR is scanned and monitored for security issues, giving developers in-context alerts about potential vulnerabilities being introduced in their code. This embedded greater security mindedness into developer workflows and increased security control, all before merging code to production.

“As a startup with limited engineering capacity––Jit provided us with a lot of benefits in many areas from its cost effectiveness, enabling us to achieve security with open source tooling without the research and integration overhead, through being a one stop shop to view our entire stack and its security posture in a unified place, as well as actionable security in every single PR.”

The Juno Journey team now has a lot of trust in Jit, which has generated a great improvement in their security culture and awareness, and gives them the peace of mind to deliver software rapidly knowing they have the security guardrails in place to support their high velocity engineering organization.
