In the software development process, knowing exactly which vulnerabilities to focus on and which to downplay, or ignore because they pose no significant threat, is vital for increasing efficiency and applying fixes quickly and effectively.
Security can be tricky in a DevOps environment: if it is applied too stringently, it can keep products from being released in a timely manner, and if it is treated too passively, risks quickly accumulate. Identifying vulnerabilities and prioritizing patches effectively therefore becomes extremely important, because it lets teams strike the right balance and ship innovative software that is still highly secure.
A good example of how this works comes from one of our customers. Genesis Software Innovations or “GSI” is a software development company that designs and commercializes innovative medical-related software products that demonstrate the potential for improved patient care and reduced overall cost to the healthcare system. Their foundational Preview™ 3D Shoulder Arthroplasty Planning Software is a breakthrough tool in preoperative surgical planning.
GSI’s unique platform is designed to improve efficiencies, decrease costs, and improve patient outcomes and satisfaction. Preview™ software allows surgeons to make pre-operative decisions regarding the type of surgery best suited for the patient’s condition while providing a literal Preview™ of what the surgeon will see in the operating room. This functional visualization brings more clarity to the surgery before entering the O.R., and it also reduces the total O.R. time, which is beneficial to patients, the surgical team, and the facility hosting the procedure. As shared by Matt Miller, Senior Director, Technology Development for GSI, “our vision is to create great software tools that give medical professionals the information needed to produce consistently excellent surgical results.”
In May 2021, GSI received FDA clearance for their Preview™ 3D Shoulder Arthroplasty Planning Software. The Preview™ Shoulder Software is a breakthrough tool for orthopedic surgeons to develop pre-operative shoulder plans based on CT imaging studies. Preview™ software allows surgeons to perform surgical planning by showing a representation of the patient’s shoulder anatomy as a 3D model, allowing the digital placement of the implant into the patient’s anatomy. The program allows surgeons to optimize implant size, location, and orientation. This clearance is the first orthopedic solution under the FDA’s new QIH classification for software solutions based on Artificial Intelligence (AI).
GSI runs their operations on Google Kubernetes Engine (GKE) for software development and client deployments. Prior to engaging with Rezilion, Matt Miller and the Applications Development team had concerns about the potential security risks within their active DevOps pipelines for their AppDev lifecycles. As a company that works closely with physicians, GSI needs to document all of the patches being applied to its software and share this information with the U.S. Food and Drug Administration (FDA) upon request. GSI’s DevOps engineers were spending unplanned time and cycles manually identifying and patching vulnerabilities throughout all stages of their software development. This was impacting their ability to focus on critical GSI product development and rollout timelines, and it was not a reliable approach to managing open source and third-party software vulnerability risks to GSI’s business. GSI had not invested in standard security operations tools or processes, and needed to address these requirements urgently as they were rapidly approaching the release of their solutions into the market.
Miller reached out to Rezilion to understand how our solutions could help. GSI evaluated our Validate solution and Trivy as an open source solution for scanning. Rezilion Validate was able to demonstrate that over 75% of the vulnerabilities within the GSI software development lifecycles were not a “true risk.”
Validate is now an integral part of GSI’s security sprints, the two-week periods of software updating in which the company focuses on specific projects to enhance. Sprints occur on a regular basis to ensure that development and security teams are addressing all the relevant vulnerabilities.
Validate developed two customized reports for the company, a patching report and a container certification report. The patching report is used at the beginning of the sprint, so teams can understand which containers they should focus on for the current release, based on the number of loaded and high-risk vulnerabilities.
The company names the containers based on what the applications in the containers do; for example, a doctors’ portal, databases, back office, etc. The containers are scanned and each finding is rated with the Common Vulnerability Scoring System (CVSS), an open industry standard for assessing the severity of security vulnerabilities.
CVSS assigns severity scores to vulnerabilities, enabling security teams to prioritize responses and resources based on how much of a threat a particular vulnerability is to their organization. Based on that score, the validation platform determines which vulnerabilities need to be patched first.
Leveraging the patching report, the team can better understand which packages are not loaded at runtime and can thus be kept for a later stage, and which top loaded packages should be patched during the current effort. At the end of the sprint, GSI uses a container certification dashboard that shows a binary status of authorized and unauthorized containers. That is how the team is able to understand which containers should be moved into production and which were not fixed during the sprint.
The solution provides the company with a simple binary approach to vulnerabilities—they are either a risk that needs to be fixed or they are not. There is no middle ground. Another benefit is that the development team knows exactly what risk it’s facing and how to address that effectively.
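The prioritization described above (loaded packages at or above a CVSS severity threshold are patched this sprint, unloaded packages are deferred, and a container is authorized only when nothing actionable remains) as an added illustration in Python. This is not Rezilion Validate’s code or output format; the `Finding` fields, the 7.0 threshold, the container names and the `VULN-000x` identifiers are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    container: str
    package: str
    vuln_id: str      # constructed placeholder, not a real CVE identifier
    cvss: float       # CVSS base score, 0.0 to 10.0
    loaded: bool      # was the package observed loaded at runtime? (a point-in-time snapshot)

HIGH_RISK = 7.0  # assumed threshold: CVSS v3 "High" starts at 7.0

# Constructed sample scan results for three containers named by role, as in the article.
SAMPLE_FINDINGS = [
    Finding("doctors-portal", "libfoo", "VULN-0001", 9.8, True),
    Finding("doctors-portal", "libbaz", "VULN-0003", 7.2, True),
    Finding("doctors-portal", "libbar", "VULN-0002", 7.5, False),
    Finding("database",       "libbaz", "VULN-0003", 7.2, False),
    Finding("database",       "libqux", "VULN-0004", 8.1, False),
    Finding("back-office",    "libfoo", "VULN-0001", 9.8, True),
    Finding("back-office",    "libzed", "VULN-0005", 4.0, True),
]

def actionable(findings):
    """Binary split: only loaded packages at/above HIGH_RISK must be patched this sprint."""
    return [f for f in findings if f.loaded and f.cvss >= HIGH_RISK]

def deferred(findings):
    """High-severity findings in packages that are not loaded; kept for a later stage."""
    return [f for f in findings if not f.loaded and f.cvss >= HIGH_RISK]

def patching_report(findings):
    """Start-of-sprint view: containers ranked by count of loaded high-risk findings,
    then by worst CVSS, then by name. Returns (container, count, max_cvss) rows."""
    rows = []
    for c in sorted({f.container for f in findings}):
        hits = [f for f in actionable(findings) if f.container == c]
        rows.append((c, len(hits), max((f.cvss for f in hits), default=0.0)))
    return sorted(rows, key=lambda r: (-r[1], -r[2], r[0]))

def certification(findings, patched):
    """End-of-sprint dashboard: a container is 'authorized' only if every actionable
    finding was patched; `patched` is a set of (container, vuln_id) pairs."""
    status = {f.container: "authorized" for f in findings}
    for f in actionable(findings):
        if (f.container, f.vuln_id) not in patched:
            status[f.container] = "unauthorized"
    return status

if __name__ == "__main__":
    for row in patching_report(SAMPLE_FINDINGS):
        print("%-15s loaded high-risk: %d  worst CVSS: %.1f" % row)
    done = {("doctors-portal", "VULN-0001"), ("doctors-portal", "VULN-0003")}
    print(certification(SAMPLE_FINDINGS, done))
```

Because `loaded` is a runtime snapshot, a deferred package that later gets exercised by new code should re-enter the actionable set on the next scan.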
And then there is the time savings involved. By narrowing down which containers to focus on, teams can avoid wasting time that could be spent on more innovative endeavors.
Learn more about how Rezilion’s Validate can change your security sprint process, increase visibility into your true vulnerability risk, and save you time on patching.