How Navan automated AppSec governance throughout the development lifecycle with Apiiro

Highlights

  • Navan gained nearly instant visibility into all its components, risks, and material changes across repositories and applications.
  • Navan replaced manual security reviews and alert triage with automated risk assessments and prioritization across hundreds of weekly pull requests.
  • Navan shifted application security earlier in the development lifecycle with actionable, risk-based developer guardrails.

The challenge: Automating AppSec early and at scale

Like many AppSec teams, Navan’s didn’t have nearly enough cycles or resources to manually keep up with the hundreds of pull requests created each week. Even with multiple AppSec tools in place, they couldn’t guarantee that new changes were risk-free. Inundated with alerts, they also struggled to understand how constant code changes would actually impact their application attack surface.

Without a consolidated and automated way to prioritize noisy alerts, the Navan AppSec team needed a solution to reduce noise, ensure accuracy, and determine the most critical risks that needed to be remediated.

The solution: Continuous visibility and governance

Shortly after integrating Apiiro into their source control manager (SCM), Navan started getting continuous visibility into risky areas and behavior. By consolidating findings from native and third-party tools into a single pane of glass, Apiiro was able to correlate, deduplicate, and prioritize alerts to focus on what matters. By knowing what was and wasn’t a real risk, the Navan AppSec team freed up triage cycles and dramatically cut down the alert backlog.

After assessing and understanding their risk, Navan implemented automated workflows to alert their AppSec team when a risky commit or pull request was introduced. That proactive approach and Apiiro’s ability to tie risks to code owners decreased the time it took them to remediate issues.

The impact: Reducing overall application risk

By automating Navan’s application security visibility, risk assessment, remediation, and prevention, Apiiro helped Navan optimize its team resources while reducing its overall application risk.

  • Apiiro enables Navan to continuously and automatically maintain visibility across their applications and identify material changes that may create risk.
  • Apiiro’s risk-based alerts allow the AppSec team to ensure that out of hundreds of pull requests each week, risky changes are identified automatically.
  • With Apiiro’s built-in code security solutions, Navan can gain visibility into risks such as exposed API keys and credentials in code, sensitive data, and more at scale.

Navan is a corporate travel, card and expense management platform that empowers its customers to seamlessly manage business travel, corporate cards and expenses using AI-driven technologies.

Industry: Corporate Travel Management
Employees: 2K+
Developers: 250+

“Apiiro recognizes and classifies risks in a way I have not seen any other company do”

–Tarik Ghbeish, Manager of Application Security at Navan