Background

Envestnet, Inc. is a publicly traded fintech company with $5.3 trillion in assets and more than 18.5M investor accounts. Envestnet’s mission is to empower advisors and financial service providers with innovative technology, solutions, and intelligence to make financial wellness a reality for everyone. Envestnet has established itself as one of the market leaders in wealth management technology with its flagship advisory platform, which integrates the services and software used by financial advisors in wealth management across the globe.

Envestnet’s commitment to data management best practices includes continuously monitoring its wealth management platform through ongoing risk-based compliance measures that can quickly identify and remediate compliance issues or potential failures. Envestnet is leading the way in safeguarding customers’ data by embracing world-class security measures in the delivery of its services.

Learn how Derek Fisher, Head of Product Security at Envestnet and author of “The Application Security Handbook”, worked with Secure Code Warrior to develop a holistic approach to reducing vulnerabilities through agile secure code enablement for his developer teams. Derek has worked in application security for over a decade, has seen numerous security successes and failures firsthand, and brings that experience to building a secure code learning environment for developers at Envestnet.
Situation

When Derek first came into his position in Application Security, he wanted to go beyond the OWASP Top Ten and basic compliance training. The team had some Secure SDLC processes in place, but they were largely focused on finding vulnerabilities rather than addressing them at the source.

According to Derek, “We’re all pretty well familiar with the annual compliance training that we’re all subjected to in any organization. It’s usually what I call ‘death by PowerPoint’, a bunch of slides and maybe an assessment at the end... just really ineffective and time-consuming. We had training, but it was the usual compliance-based with some specific-to-security training that was slide/audio recording based. We noticed that developers weren’t very engaged and learning from the materials, so we had to shift our strategy.”
This legacy strategy of training developers through passive, OWASP-focused compliance training was particularly painful for Derek and his team because they couldn’t measure the training’s impact; instead, they found themselves spending more and more of their time on vulnerability management.
Derek recognized that it was important to look at the source of the vulnerabilities - insecure code being shipped into production by developers - and that just throwing more tools at it wasn’t going to be the solution.
Instead, Derek and his team shifted their focus in 2020 to vulnerability mitigation, with the goal of writing more secure code from the start. They adopted a "shift left" strategy to address and remediate vulnerabilities much earlier in the SDLC, where the cost of remediation is significantly lower.

But first, they needed to tackle historically low developer engagement with the existing AppSec training. Derek wanted to avoid a “checkbox” mentality in his secure code learning strategy and instead give developers at Envestnet a more effective, agile learning experience.
“Once I saw SCW and what it can do – I knew that a more hands-on, more interactive approach was right for us. I wanted engineers and developers to walk away from that training with more hands-on knowledge of what the actual issues are. We wanted to build that muscle memory of, ‘Here’s something I’ve seen before in training, I know how to approach this coding issue that I see.’ The Secure Code Warrior platform has allowed us to provide that type of environment in which engineers and developers can get in there and really understand what are the good secure coding practices, what bad ones look like, and how to resolve vulnerabilities quickly.”

Derek Fisher, Head of Product Security at Envestnet

Action

Derek was particularly keen to implement a belting strategy that rewarded secure code upskilling with certifications. The four-level program would focus on building a strong foundation of security awareness (levels 1 and 2) and then pave the way for developers to become security champions (levels 3 and 4). This solved the problem of not being able to measure how well developers were retaining secure code concepts, while ensuring that security-aware developers had a career path toward advancing their skills with more complex security challenges.
They tested it out in a small pilot and solicited feedback from the developers who were involved. Feedback was highly positive. Derek noted,

"You don't always get positive feedback from those things - I can't stress that enough anytime you get positive feedback on training - that's unusual. That’s a good indicator that this is the right tool.”

Envestnet hosted its first tournament in the spring of 2021 and saw further positive results from a developer engagement perspective. Derek then launched a series of courses integrated into their LMS for DB, Front End, API, and Cloud developers. By the time Envestnet hosted its second tournament in the fall of 2021, the total number of developers participating had doubled.
According to Derek, Envestnet saw great traction with tournaments because,

"We all know that competition is a motivation. We all want to make sure our peers recognize how well we’re doing in certain things and it really motivates people to participate and do well in those tournaments. That and integration with our dev tools really showed us Secure Code Warrior's value.”

Derek and the team also integrated Secure Code Warrior with Jira, so that when certain vulnerabilities came up repeatedly, the developer could access remediation advice directly inside the Jira ticket without leaving that familiar environment. This gave developers valuable context as well as in-the-moment, on-demand education on how to address the vulnerability, right where it was needed and at the point of impact. Derek’s team also worked with Secure Code Warrior to sponsor a Security Day event, which led to broader CEO support and reinforced the importance of engineering and security to the success of Envestnet. With this executive and developer buy-in, Envestnet was able to expand its program to what it is today. Now, Envestnet has enrolled all of its identified Security Champions in the program, and 60% of the entire team has completed Level 1 or 2 certification.
Results

One way Envestnet measured its success was to look at the teams that had gone through the SCW learning experience and measure whether they were producing fewer vulnerabilities and/or fixing vulnerabilities faster. What they found was impressive:

- SCW-educated developers fixed 2.7x more vulnerabilities than their peers
- 100 SCW-educated developers fixed 450 vulnerabilities in a short span of time
- 1,200 SCW-educated developers enabled Envestnet to increase remediation by 120% in their respective queue
- In one year across two product lines, SCW-educated developers closed issues with vulnerabilities at a rate of 4.5 per developer, compared to their peers, who closed vulnerabilities at a rate of 1.82 per developer
- All Security Champions went through their certification program in 2022
- 60% and counting of Security Aware developers went through Levels 1 and 2
Key Takeaways

Derek offers this advice to those starting their secure code learning journey:

“Our job in security is to reduce risk in the organization. That’s our True North and that’s what we are always striving for. A critical vulnerability may not be your highest risk or most impactful thing to your organization. It could be a couple of mediums, a low, and a high stitched together to create a chain that is far more impactful. The more vulnerabilities that stack up over time, the more risk you’re accruing. With Secure Code Warrior, you can stay ahead and take a proactive approach to mitigate that potential chain of vulnerabilities through agile secure code learning.”

- Don’t just focus on testing for vulnerabilities and reporting on them - this only creates noise for your developers
- Instead, AppSec should be a partner to developers; make sure you have their buy-in before implementing a secure code learning strategy
- Rome was not built in a day. Your program will need to evolve as your risk profile changes, your company changes, and your technology and tools change
- The most effective long-term strategy is to raise the security IQ of the people around you, reducing the overall number of vulnerabilities that are created