Security Risk Advisors (SRA) is a highly specialized consulting firm working closely with large enterprises to develop sustained, strengthened security management processes that meet the strict security demands of CISOs, auditors, and boards of directors. SRA consultants do this using their proprietary (and free!) software product, Vectr.io, in conjunction with collaborative Purple Team security testing, to record security events and results and report that data to their clients. Prior to partnering with Slim.AI, the process for removing vulnerabilities was very manual and consumed a great deal of staff time. Now, the SRA team is able to ensure the containers used to build VECTR™ are free of threatening vulnerabilities, adding a deeper layer of security for their clients in less time.
Paul Spencer, Senior DevOps Engineer at SRA, built the DevOps team and all of its tools and processes from scratch over the past 3½ years. With heightened compliance requirements from clients, and a team burdened with highly manual and time-consuming processes for building and deploying VECTR™, Paul set out to find solutions for improving the infrastructure and developing a more mature software development lifecycle. Seeking to adopt modern practices like containerization, slimming, SBOMs (software bills of materials), and vulnerability management without having to significantly expand his team, Paul found the ideal solution in Slim.
Paul met the Slim.AI team at an AWS Summit in New York City. “As a small shop with a small team, we need high impact tools that help us get to the solution without a lot of cumbersome setup,” said Paul. “Slim had a low barrier to entry for our team who had limited experience with Infrastructure-as-Code (IaC). The speed and ease with which we could integrate with the Slim platform made it a low risk, high reward tool for us.”
The experience of SRA’s development team tracks with findings of the Slim.AI Public Container Report 2022 in which approximately 70% of developers surveyed said they were expected to deliver software with zero vulnerabilities, yet only about one quarter of those developers had the skills to slim or harden their containers for production use. With large enterprises tightening security and compliance requirements on every level, especially Fortune 50 companies like those working with SRA, the proven security of software solutions being used is a top priority.
Adding automation to the CI/CD pipeline was easy with Slim and spared the SRA DevOps team the implementation minutiae of their previous process, and remediation time was significantly reduced. The CLI, which is the primary way to get containers in and out of the Slim platform, was very direct and clear for the developers. Slim continues to add functionality, notably the vulnerability scanners Grype and Trivy, which is proving valuable as the SRA team focuses on the continuous improvement of their cybersecurity defenses.
“It’s easy to get started with containers,” said Paul. “It’s much harder to get mature with containers. Slim’s container optimization platform is the tool that paves the way to get there. Slim required very little investment on the front end to prove its value.”