LinearB is disrupting the software delivery intelligence industry through a platform that gives engineering managers insights grounded in industry best practices and methodologies: DORA and SPACE metrics. As an exciting Series B scaleup, LinearB has rapidly grown to more than 100 employees in less than two years, with its one-of-a-kind platform built to power elite engineering teams.
Dudu Yosef, today Director of Security and owner of the CISO role, arrived at LinearB when both engineering-driven and customer-driven security requirements were becoming acutely felt, and only a single security tool was in use in the engineering organization. Dudu joined the team as the 50th employee, right about the halfway mark, and found an engineering team with sufficient security-mindedness that needed a rapid action plan for securing its systems. It was clear they would need all of the coverage engineering organizations today typically employ to achieve baseline security: code, configurations and Infrastructure as Code, secret scanning, and everything else.
Jit–the Magical Consolidation Platform
It was immediately apparent that he would need to start going down the rabbit hole of qualifying the many diverse, fragmented tools in the current security landscape, as he had done in previous roles. This type of qualification process can take weeks to months: it requires defining a shortlist of tools to research, qualifying each one for an individual PoC, and then running the PoC process itself. Once a tool is selected, the next phase requires the team to integrate and configure each and every tool individually, and even this ramp-up of each tool can take weeks to months to reach optimal results across the full environment.
And then the CTO office suggested he explore a product they were demoing called Jit. This was Dudu’s first time hearing about this product, and its promise.
LinearB was onboarded as an early design partner, and once the GitHub integration was configured, the results were immediate, and visibility into the full security posture of the environment was quickly achieved. The MVSP security plan selected for LinearB through the design partner program alone included 13-14 security tools covering their application layer, infrastructure layer, DAST and third parties, each scanning and working seamlessly together. All of these tools report to one single unified UI and dashboard that the security team can then filter, search, and analyze, which helps them quickly understand what needs to be done. Once this is understood, it is just as easy to send the task directly to Jira to ensure it is handled.
This was a first-of-its-kind experience for Dudu, who was used to numerous fragmented dashboards with little actionability and little guidance on how to remediate. It was always just a long laundry list of information, with little to no assistance on the remediation side.
Approximately a year later, LinearB now leverages Jit for the large majority of its security needs, with only a single tool outside of the scope, a CSPM. This consolidation saved the LinearB team hours of configuration, integration and maintenance time.
“With Jit, we no longer need to understand and manage a lot of disparate tools––and this is huge! Getting it all in one console is a game changer.”
At the last company where he managed security, the team was employing at least seven different tools from seven different vendors. Each reported differently and required you to go into its standalone console, understand the findings, and then hunt them down in your code or configurations without much direction. And then: rinse and repeat for each and every tool.
This is the best value his team has derived so far from using Jit. You no longer need to work with many different vendors (which by itself carries a lot of overhead) or understand how each of the different tools works. The team now only needs to understand one tool, can see everything in one place, and receives both monitoring and remediation in a single platform, which is an incredible bonus. It also doesn't even require you to go into the dashboard at all!
With Jit you can receive alerts in the places developers are already working, their Slack and GitHub, and only go into the dashboard for ongoing maintenance and review for continuous security improvement. All of the immediate, ongoing security work that needs to be handled before deploying to production can be done where the developers actually are, and by the developers, without slowing them down and without requiring security expertise from them.
Jit Supports Product & Feature Security
Jit even surprised them by addressing customer-facing security demands, helping them secure an important feature that a customer demanded. At LinearB, like any fast-paced engineering scaleup, new features are constantly being designed and released, and with them, new systems are brought up to support them. One of their clients had a specific requirement that a feature be tested at the application level with penetration testing; the feature was mission critical, and would otherwise have been a potential blocker for them.
Penetration tests (PTs) usually require security teams to work with either third-party firms or software to achieve reliable results, and they are usually carried out once a year to comply with regulations and standards. It is far from common to do them for each and every feature being developed. Instead of engaging an outsourced third-party vendor and dedicated (and costly) PT services, they simply implemented the out-of-the-box DAST control available inside the Jit platform. This was one of the strongest features they encountered with Jit.
DAST (dynamic application security testing) is oftentimes a world unto itself in security tooling: it requires specific domain expertise and is one of the toughest tools to implement on your own in a way that provides value. Dudu's previous experience with DAST tools was weeks of configuration work just to get them working properly.
When he looked through the Jit catalog of tools, to his surprise he discovered a "live and kicking" best-of-breed OSS DAST tool that was already pre-configured, which was a major win. Once connected by simply clicking a checkbox in the Jit platform, they ran the tool, took the findings to the customer, fixed the findings, and quickly did a retest with ZAP. The customer was satisfied with this level of application testing, and this saved the LinearB team time, effort and money.
Jit and SOC2 Type 2 Compliance
Another strong suit of Jit was the help it provided in getting LinearB compliant. When undergoing SOC2 Type 2 compliance, companies today need to demonstrate technical controls on the source control side (in LinearB's case, GitHub). Having Jit scan each PR and enforce branch protection covers critical SOC2 requirements. Without Jit, their last SOC2 Type 2 audit would have been significantly more difficult.
"Having Jit scan each PR and enforce branch protection covers a lot of the SOC2 requirements. Without Jit, our last SOC2 Type 2 audit would have been significantly more difficult."
Jit + LinearB = Security Engineering Velocity
With Jit, the LinearB team feels assured that they have the big buckets of security covered, without impacting the delivery velocity they require at their phase of growth. As their needs evolve, they have deepened their usage of different features and are able to improve their security posture over time through the dashboards and metrics Jit provides, much like their deep-rooted belief in DORA's speed + safety approach. For LinearB, though, the biggest value is that you plug it in 'and it just works', reducing cognitive load and providing one less worry for their fast-paced elite engineering team.