How Kredi Kayıt Bürosu prioritizes open source security in development
Staying protected and ahead of open source vulnerabilities with Sonatype Lifecycle.
Founded in 1995, Kredi Kayıt Bürosu (KKB) is the first and only credit bureau in Turkey. As one of the world’s leading financial institutions, the organization prides itself on setting an example for others and delighting its customers through innovative products and services. But, as KKB underlines, innovation can’t come at the expense of security. This is precisely why the KKB takes open source security so seriously, and relies on Sonatype Lifecycle to protect its entire software development lifecycle (SDLC) from open source vulnerabilities.
Building security into development—an initiative from the top down
Following widespread attacks on the open source component Struts 2 in 2017, stemming from a known vulnerability, the KKB immediately recognized a need to better understand and protect it’s SDLC. As an organization that values the power that open source software brings, it also knew a similar breach would be catastrophic to the only credit bureau in Turkey.
The KKB security team, DevOps team and executive teams, all understood the importance of building protection into every area of the company. Open source security and protecting the software supply chain wasn’t just a problem for security to solve. As DevOps Engineer Emre Erkek put it, “It would become a very big problem if there was any kind of vulnerability. It is very important to the company, our architect teams, our development teams, and those other authorities and business teams. All of the teams are in parallel with the idea that security needs to be built in from the very beginning of development. It’s a business problem if it isn’t."
This mutual respect and understanding of the mission critical issues at hand, created a close bond between the security and development teams. As Erme’s colleague and Chief Architect at KKB Ufuk Tankurt noted, “We, on the development side, discuss with the security team to create critical paths forward. Security suggests something, we suggest something and then we make a unified decision on what actions to take. We then produce appropriate pipelines within the SDLC based on those conversations. We work incredibly closely as a united team.”
This need for precision and accuracy, along with reliability and ease-of-use to collaborate across developer and security functions, led the KKB to choose Sonatype Lifecycle to power their DevSecOps journey.
Precision and control matter in open source security, choosing Sonatype Lifecycle
After evaluating several software composition analysis and open source security solutions, Ufuk explains that Sonatype Lifecycle was the only one that made sense. "Kredi Kayıt Bürosu selected Sonatype Lifecycle because it has a very, very detailed explanation of the open source vulnerabilities and dependencies compared to the other products,” he explained. “When new vulnerabilities are discovered they’re reflected in the Sonatype product within hours or days. This combination of speed and depth was unrivaled, and exactly what we needed.”
As a company whose developers were also using Sonatype’s Nexus Repository Manager to manage their binaries and build artifacts, the power the complete Sonatype Platform brought to the organization was a no brainer. Further, Ufuk shared that one of the main reasons KKB chose Sonatype Lifecycle is the ability to store critical data locally, on premises. Other solutions that focus only on the cloud, don’t provide the control KKB needed to have, where Sonatype’s hybrid solution gave them the peace of mind and ownership over the product and their data, they needed to feel secure.
"An important thing for us is the support, we are very happy with the Sonatype support. We have occasionally had issues to handle and the Sonatype support team answers our questions in minutes. Actually, this is VERY important for us."
Gaining control, finding a rhythm and continued success
As KKB found their rhythm with Sonatype Lifecycle, the Sonatype support team remained, and continues to remain, in their corner. As Emre noted, "An important thing for us is the support, we are very happy with the Sonatype support. We have occasionally had issues to handle and the Sonatype support team answers our questions in minutes. Actually, this is VERY important for us."
When the KKB initially kicked off their DevSecOps journey in 2017, they started in stages but quickly moved to fully integrating Sonatype Lifecycle into their DevOps pipeline and into their CI/CD tools. By integrating directly into the development lifecycle and seeing open source code information while the project is being built, KKB developers can take immediate action against vulnerabilities or any open source code issues that may arise.
This assimilation has been paramount to the company's success with managing it’s software supply chain. In 2019, the organization kicked off a project, using Sonatype Lifecycle, to clean up dependency vulnerabilities in more than 130 projects. A daunting task, but one that now felt manageable with Sonatype fully engrained within the development organization. Over the next six months, the company stayed highly focused and prioritized fixing all policy violations within their product portfolio which amounted to thousands of different violations across those 130 projects. Using Sonatype Lifecycle, they were able to do this in a relatively short timeframe and kickoff the next phase of their transformation - staying ahead of the curve.
After gaining control of their software supply chain, KKB became even more proactive in their open source security practices, and implemented breaking builds that included code that violated company policies set up in Sonatype Lifecycle. They require all issues and vulnerabilities found in dependencies, etc. to be addressed immediately before being able to move to the next step of development . This means KKB is now seeing very few violations in production applications, because they are stopping these vulnerabilities in their tracks before they can do any harm.
Now, KKB is using Sonatype Lifecycle to truly manage open source and its software supply chain across every stage of the development lifecycle. They are scanning throughout the DevOps pipeline, staging and build area and release area. By identifying vulnerabilities both in the staging and in the production environment, KKB is able to release projects with peace of mind and focus on creating innovative products for its customers, not whether they have vulnerabilities floating around.