LoudNClear is an early-stage startup looking to disrupt the customer intelligence market, through unique AI capabilities. By aggregating data from the most common business platforms such as Salesforce, Hubspot, Zendesk, Intercom and even social media platforms, they can quickly assess through their advanced technology whether your customer is about to churn or ready to expand usage and upsell. Their clientbase is comprised of Series A and B startups looking to ensure their customer’s success, and capitalize on opportunity.
Max Gorelik, CTO and Co-Founder, is ramping up a team of elite developers to be able to power the AI and automation their platform is built upon. With a typical cloud native stack––on AWS, running serverless and microservices architecture, using Pulumi for their Infrastructure as Code, and basically all of the best of breed databases (from Redis to Elasticsearch). They wanted a security solution that could provide a real-world stack with robust coverage from Day 1. This is where Jit was a game changer for LoudNClear.
With minimal effort, in his words “you simply enter your credentials and it just works”––Jit immediately starts scanning your existing assets, continues to monitor your stacks on an ongoing basis and alerts when changes introduce security risk, and really for Max, just makes him feel safe. Jit makes it as smooth and simple as connecting your AWS, Github, and your website to do DAST through ZAP, and you’re all set.
“It’s like Jit is made for dummies (in a good way!). You don’t need to maintain it, nor configure it all the time and have to control the controls. That’s really convenient - and the people are just amazing - that’s a bonus.”
Having gone through a manual SOC2 process right before onboarding with Jit, Max felt the direct impact of having to manage such a process himself––and it was painful. Even through automation platforms he found himself having to invest a lot of effort to constantly maintain and configure policies and controls, to the extent that it almost felt like a full time job with endless chores to attend to. Without a dedicated security team, and as the primary person focusing on security (alongside everything else – from engineering to DevOps), it was very cumbersome to get through the compliance process.
“The ability to automate so much of the frustrating Application Security part of SOC2 after having done it manually before, was such and immense time saver a relief.”
This is why Jit’s continuous security approach was really a much needed reprieve from the overhead. It was really convenient and simple to onboard the team, configure the dashboards relevant for each team, where each is responsible for different components in their microservices architecture - from the code through the infrastructure and runtime. By getting alerts in platforms they are already using like Slack and Jira, it was very easy to understand how to quickly fix issues as they arise and continuously keep track of their security posture.
As the only one responsible for security, it’s always a pain to have to run after developers to ensure they write, deploy and run secure code, as well as follow up on alerts they receive. What ends up happening in most early stage startups, is that most of the time you either don’t do it, or you do mega sprints twice a year to address your growing security backlog and debt.
With the transparency made possible through the Jit platform, everyone sees new vulnerabilities introduced, and once a developer understands that a security issue is found in the components they’re responsible for, it instills a feeling of responsibility on their shoulders. This is no longer just “coming from the top” and the CTO having to propagate the issues and open Jira tasks. What’s more, with the Jira integration, it’s even easier to assign fixes and automate ticketing.
“The best thing about Jit is that it is continuous - you’re constantly being monitored. Especially with security being very daunting, you feel you need to constantly worry that everything is secure. So you put it in the bottom drawer, and then open it for your audit and it explodes in your face. So Jit makes security a lot less scary.”
The team is happy they found a platform that is native to their workflows and enables them to code securely, and to quickly remediate issues as they are discovered. With other tools you’ll get alerts and you need to just “go figure” - when it comes to the solution. By suggesting immediate fixes in Github, the developers find it super neat and useful. Which is “part of the magic”, says Max.
This also embeds greater security mindedness and culture, as there is now a culture of security review - like code review. When new issues pop up, developers immediately see it as a comment in their PRs and are able to quickly remediate, before it’s merged to production. In addition to this, they have a weekly review of the findings, and if something severe pops up they can schedule its fix as soon as possible - and not have an overly long exposure window.
Once they had a severe vulnerability found that Max believes they wouldn’t have found otherwise, possibly in an annual pentest for SOC2, or worse if something terrible would happen like hackers mining bitcoin on their servers.
Max’s dream for Jit and LoudNClear is for it to be a platform that serves as a single space to manage all security stuff. He would love Jit to make it possible for teams to just do an export, when their annual SOC2 audit comes around, and send it to the auditor without having to think about it. That would be the holy grail––and he believes Jit will get there.