How SoFi empowers development velocity while reducing application risk

Highlights

  • As SoFi started building out its application security program, they sought a partner to move beyond ad hoc AppSec testing, limited application visibility, and hours spent on security design reviews.
  • With Apiiro’s help, SoFi’s application security team reduced the time spent identifying, assessing, and addressing new application risks from days to hours.
  • In support of their mission to enable rather than block developers, Apiiro gave SoFi the context and automation they needed to define and trigger risk-based policies at the right time and in the right place.

The challenge: Supporting business velocity while reducing application risk

Like most fintech organizations that depend on agile development processes to innovate constantly, SoFi meticulously balances its organizational goals with its risk appetite and compliance requirements. For the SoFi application security team, that means deeply understanding and mitigating application risk without slowing down development velocity.

As a team of 16 supporting 2000+ developers across 5200+ repositories, the SoFi AppSec team knew they couldn’t possibly manually review each and every code change. They sought a partner to help them gain visibility across their application portfolio to focus on the most business-critical risks, scale their security review efforts, and optimize the time they spent fixing risks.

The solution: Visibility-first context and AppSec automation

With Apiiro’s application security posture management (ASPM) platform, SoFi’s AppSec team was able to build an exhaustive inventory of their application technologies, components, and attack surface—from repositories, APIs, and open source packages to contributor activity, material code changes, and beyond. Apiiro also provides out-of-the-box insight into exposed secrets and sensitive data in code, open source vulnerabilities, API security weaknesses, and more, giving them a single pane of glass for prioritizing application security findings.

Apiiro gives SoFi’s team continuous oversight of potential risks that need security design reviews by analyzing commits for material code changes in the context of their application. Using Apiiro’s policy engine, SoFi can define exactly what they categorize as a critical business risk. Then, whenever a material code change or risk is flagged, Apiiro’s workflows trigger the appropriate process, such as creating a security design review ticket.

The impact: Minimizing and optimizing security reviews

Combining automation and context powered by Apiiro’s deep code analysis enables SoFi to prevent new risks without blocking developers.

  • By triggering the right processes at the right time with the right context, SoFi’s AppSec team went from spending hours analyzing design reviews to 5-15 minutes.
  • By tying critical risks to their relevant code owners, Apiiro enabled SoFi to reduce their mean time to remediation (MTTR) from 8 days to 10 minutes.
  • SoFi’s AppSec team got near-instant visibility across their entire application portfolio, including subsidiaries, that they didn’t have before, allowing them to focus on the areas where they could reduce risk with minimal effort.

SoFi (NASDAQ: SOFI) is a member-centric, one-stop shop for digital financial services on a mission to help their more than 7.5 million members borrow, save, spend, invest, and protect their money better.

Industry: Financial Services
Employees: 5000+
Developers: 2000+

“There’s a lot of ASPMs out there. I don’t think we have run across one that’s doing code analysis the way Apiiro does and providing us the insights that Apiiro does.”

—Zach Schulze, Sr. Staff Application Security Engineer, SoFi