The Client

The client is a leading provider of risk, compliance management and analytical solutions for the financial services industry. They have more than a decade of experience in solving complex risk and compliance issues in major banks and financial services organisations across the world.

They reached out to the Orchestron team to help them build applications that were secure from the ground up. The client’s development team were building their applications primarily in Java, while our team was using Find Security Bugs, a tool natively integrated with Orchestron.

The first thing our security team did was to run a complete SAST scan on the source code for all the applications.

After our initial round of scans, we correlated the vulnerability data in Orchestron. The client’s applications were riddled with over 150 source code bugs.

Under ordinary circumstances, a development team of their size would typically spend 8 hours everyday fixing SAST vulnerabilities, which would severely slow down pace of development and delay new releases by days, if not weeks.

Group 3386

150 source code bugs found

Group 1660

8 man-hours fixing bugs everyday

Group 3716

7 unique metadata categories

Fixing the Source Code

Although Orchestron provides 7 different types of metadata—each of which are crucial in resolving security flaws—the one most commonly used to resolve source code vulnerabilities are our Good Code/Bad Code suggestions. After running the SAST scans, Orchestron automatically correlated the scan results from FindSecBugs and presented a detailed report to the client.

Utilising the numerous Good Code/Bad Code samples provided by Orchestron, the client’s development team began systematically fixing their source code flaws. A particular observation we made at this point was that if the client’s code base had even a 30-40% resemblance to the Good Code/Bad Code suggestions, they would save between 2-3 hours almost everyday. This represented a staggering 30% decrease in the amount of time they spent resolving SAST vulnerabilities.

The End Result

The client’s development team used the insights provided by Orchestron to reduce the number of source code bugs from over 150 to under 30, a sharp reduction by over 80%. Each developer were saving upwards of 14 hours fixing SAST vulnerabilities every week.

This wasn’t just a plus for their development schedule — it also meant their apps were entering the deployment stage in a more secure state than was previously possible.

Group 3386

150 → 30 source code bugs

Group 4008

80% reduction in SAST vulnerabilities

Group 1660

14 hours saved per developer every week

The client continues to use Orchestron to maintain their DevSecOps pipeline. Our security team assists them in SAST tool security automation, enabling them to resolve issues much faster with Orchestron’s detailed metadata.