Security by design enhanced by unified observability and security

At financial services company Soldo, efficiency and security by design are paramount goals.

Safeguarding against vulnerabilities, data breaches, and emerging threats while meeting regulatory compliance and customer expectations borders on the impossible without a holistic approach. This is especially true as organizations rely more on diverse and nimble cloud-native and open source technologies.

Since 2015, the Soldo business spend management platform has provided companies with a simple and efficient way to better spend and control company money. The platform helps companies manage corporate spending using automations, card (physical and virtual), and integrations with expense management systems and enterprise resource planning (ERP) systems, such as Netsuite, Concur, Zucchetti, and so on.

“We believe at Soldo that efficiency is the key value to be very successful in the business we run,” said Luca Domenella, head of cloud operations and DevOps at Soldo. This efficiency is why he and his teams use Dynatrace for everything in their development, security, and operations (DevSecOps) practices. These practices include observability, application security, Kubernetes monitoring, and microservices migration.

Domenella’s team adopted security by design from the beginning because Soldo operates in a highly regulated industry. In a recent conversation at Dynatrace Innovate in Barcelona, Spain, with Liisa Tallinn, product manager of application security at Dynatrace, Domenella explained how it works.

What is security by design?

Security by design is an approach to developing systems that integrate security principles into the entire software development lifecycle. The goal of security by design is to minimize vulnerabilities and security risks from the outset before teams release software. By integrating security practices more tightly into software development, teams can create more secure and resilient software and systems.

Cloud native from the start

To be nimble and competitive, Soldo set out to be cloud-native at its inception. “We’re born in the cloud, we’re a cloud-native company. . . to be efficient and fast at what we do,” Domenella said. “Since the beginning, we created centralized monitoring and leveraged open source products, like Nagios, to create custom controls, and Prometheus and Grafana for monitoring.”

But as the company matured, it needed to elevate its observability game. “We needed to adopt an end-to-end visibility tool that could give us broader visibility of what was happening in our ecosystem and within the applications,” he said. “The most efficient one we found was Dynatrace.”

End-to-end observability enables security by design

“The value Dynatrace gives us is broader visibility over the full infrastructure and the key metrics that show how fast we authorize the transactions,” Domenella said.

As a Mastercard issuer, having visibility into card authorization response times is crucial for Soldo. “Only Dynatrace enables us to check if the application is running as expected and that our response times to Mastercard aren’t lagging.”

The visibility extends through smartphone applications, load balancers, web application firewalls (WAFs), and databases. With end-to-end observability, the DevOps teams at Soldo can create rules and manage workflows. These rules and workflows ensure that users can use the Soldo platform to spend money seamlessly.

Adopting security by design is fundamental in a highly regulated industry such as the payment card industry. As a result, Domenella and his colleagues have shifted security controls “left” into the development cycle. “Dynatrace gives us a lot of value because we are not perfect,” Domenella said. “There is always something that can escape the controls, especially zero-day vulnerabilities.” Data supports this. Of 1,300 organizations, 61% say it’s impossible to respond to zero-day vulnerabilities quickly enough to eliminate risk entirely.

Benefits of a security-by-design approach

This security-by-design approach has enabled Soldo to reduce mean time to recovery (MTTR) to fix new vulnerabilities. “Dynatrace App Security gives us security visibility into what’s happening in runtime,” Domenella says. “This enables us to see and fix security weaknesses in the applications and improve the product.” As a result, Domenella and his team have adopted DevSecOps practices that enable them to focus on what’s most important.

With this awareness, the security team at Soldo can prioritize which vulnerabilities to address first. “This is very important because [the team] can focus on the risk score of every vulnerability,” he said. “Because you can’t recover everything in a moment.” For Domenella and his team, security is no longer a silo. “It’s the glue between the DevOps teams because we have several development teams,” he continued. “Typically, a security team delays development until they resolve all the vulnerabilities.” At Soldo, however, the teams are integrated and invested in each other’s success.

Every week, the Soldo security teams use Dynatrace APIs to generate a report they discuss with the development teams. “This report gets all the important vulnerabilities directly from Dynatrace so developers can discuss the risk score of each.” He further noted that all of this is automatic, requiring no manual processes.

Security by design helps Soldo on its Log4j adventure

Like many organizations, Soldo was affected by Log4Shell, the zero-day vulnerability in the Apache Log4j library that emerged in 2021. Using Dynatrace, Soldo completely eradicated its Log4Shell issues in a very short time.

“Using the full suite and end-to-end visibility provided by Dynatrace, we’ve been able to find a workaround to immediately secure our systems against the Log4j exploits,” Domenella said. With end-to-end visibility and the Dynatrace real-user monitoring (RUM) interface, his team analyzed what was going on and took defensive measures through the organization’s AWS WAF. With the system protected against immediate attacks, the team developed and deployed a patch, which they rolled out to all production systems within 14 days.

“I think it’s a very good result,” Domenella added.

A security-by-design approach helps with microservices migration and Kubernetes implementation

Next on the agenda for Soldo is using the security-by-design approach Domenella and his teams have implemented with Dynatrace to migrate its legacy services to microservices architecture. “We also use Dynatrace to create the priorities for this migration because of the time it takes to fix the vulnerabilities in the old architecture.”

Another priority for the teams at Soldo is using Dynatrace end-to-end observability to shift applications to Kubernetes. “Dynatrace is the basic brick that we built in our system to provide visibility, especially inside Kubernetes,” Domenella said. “You can use several tools to have visibility inside Kubernetes, but (they) don’t have the same visibility that Dynatrace can give you, because it’s not just monitoring.”

With Dynatrace, Soldo teams can see what’s happening in a cluster and also correlate among all the applications and workloads. This includes the Kubernetes cluster itself and all the other elements running in their IT environment.