How Policygenius Sees Through the Noise to Efficiently Identify and Fix Dependency Vulnerabilities

    • Reachability analysis helps Policygenius prioritize and fix any open source problems that could affect their code
    • Policygenius was able to get Semgrep Supply Chain up and running in a few minutes, compared to other tools which took weeks to set up
    • Scans take less than 2 minutes, allowing Policygenius to keep up the fast development cadence

Policygenius

Products Used

Semgrep Supply Chain

Company Size

1,000+ Employees


Software security at Policygenius

The software security team at Policygenius is responsible for making sure that their software is as secure as possible, without slowing down software development. Like just about every technology company, Policygenius faces the challenge of building a scalable, effective, and developer-friendly secure SDLC.

Challenges with scanning open source software

Developers leverage open source software heavily, making it an integral part of most applications. Open source software can be susceptible to vulnerabilities depending on how it is used and managed. Therefore, an open source dependency scanner is an essential component for security teams across organizations.

Jessica Grider, Senior DevSecOps Engineer at Policygenius, evaluated many software composition analysis (SCA) tools to find one that would better fit Policygenius’ requirements of being scalable and developer-friendly. The tool Policygenius had deployed did not adequately support some of the key tenets the information security team values in security tooling: scalability, efficiency, and shifting “left”. Most of the tools Jess evaluated, including the one already deployed, failed her criteria because they produced thousands of false positives, left developers unable to prioritize the right issues, sent findings to a dashboard on a third-party site, or took hours to scan.

Introducing Semgrep Supply Chain

As soon as r2c developed a software supply chain product, Jess, who was already familiar with Semgrep, was excited to evaluate it against the tool Policygenius was using. With Semgrep Supply Chain, Jess quickly identified a pattern in which developers were calling a specific vulnerable function across repositories, a pattern she had not been able to surface in the codebase with other SCA tools. She notified the developers, and they were able to fix the issue across many repositories. That was the ‘eureka’ moment for Jess!

Using reachability analysis, Semgrep Supply Chain determines not only whether the code depends on a vulnerable library, but whether it actually calls the vulnerable function inside that library. If it does, the finding is deemed reachable. If the code merely depends on the vulnerable library without calling the vulnerable function, the finding is deemed unreachable. Separating reachable from unreachable findings is what lets developers prioritize.
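To make the distinction above concrete, here is a small, self-contained reachability check written for this page as an added illustration; it is not Semgrep's implementation and does not reflect how Semgrep Supply Chain resolves calls internally. It parses a constructed lockfile, matches each pinned dependency against a constructed advisory (the package names `yamlish` and `tinyhttp`, their versions, and the function names are all hypothetical), and then walks the Python AST of the scanned sources to see whether any call site resolves to the advisory's vulnerable function. A dependency that is pinned to an affected version but whose vulnerable function is never called comes out as unreachable.

```python
"""Toy dependency reachability analysis (added example, not Semgrep's own code).

A finding is raised when an installed dependency falls in an advisory's affected
version range; it is marked reachable only if the scanned code calls one of the
functions the advisory names.
"""
import ast
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Advisory:
    package: str                 # distribution name; assumed equal to the import name
    vulnerable_below: tuple      # versions strictly below this tuple are affected
    functions: frozenset         # fully qualified dotted names of vulnerable functions


@dataclass
class Finding:
    advisory: Advisory
    installed: str
    reachable: bool
    call_sites: list = field(default_factory=list)   # (path, lineno, dotted name)


def parse_version(ver):
    return tuple(int(part) for part in ver.split("."))


def parse_lockfile(text):
    """Parse a minimal requirements.txt-style lockfile: one 'name==x.y.z' per line."""
    deps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        name, _, ver = line.partition("==")
        deps[name.strip().lower()] = ver.strip()
    return deps


class CallResolver(ast.NodeVisitor):
    """Record every call whose callee resolves back to an imported third-party name."""

    def __init__(self):
        self.aliases = {}   # local binding -> fully qualified dotted name
        self.calls = []     # (lineno, fully qualified dotted name)

    def visit_Import(self, node):
        for alias in node.names:
            if alias.asname:                       # import a.b.c as x  -> x -> a.b.c
                self.aliases[alias.asname] = alias.name
            else:                                  # import a.b.c      -> a -> a
                top = alias.name.split(".")[0]
                self.aliases[top] = top

    def visit_ImportFrom(self, node):
        if node.module is None or node.level:      # relative import: first-party code
            return
        for alias in node.names:                   # from a.b import f as g -> g -> a.b.f
            self.aliases[alias.asname or alias.name] = f"{node.module}.{alias.name}"

    def _dotted(self, node):
        parts = []
        while isinstance(node, ast.Attribute):     # unwind y.sub.func -> ["func", "sub"]
            parts.append(node.attr)
            node = node.value
        if not isinstance(node, ast.Name) or node.id not in self.aliases:
            return None                            # not rooted in an import we know
        return ".".join([self.aliases[node.id]] + parts[::-1])

    def visit_Call(self, node):
        name = self._dotted(node.func)
        if name:
            self.calls.append((node.lineno, name))
        self.generic_visit(node)                   # nested calls in arguments too


def analyze(lockfile_text, sources, advisories):
    """sources maps file path -> Python source text. Returns one Finding per affected dep."""
    deps = parse_lockfile(lockfile_text)
    calls = []
    for path, src in sources.items():
        resolver = CallResolver()
        resolver.visit(ast.parse(src, filename=path))
        calls.extend((path, lineno, name) for lineno, name in resolver.calls)
    findings = []
    for adv in advisories:
        installed = deps.get(adv.package.lower())
        if installed is None or parse_version(installed) >= adv.vulnerable_below:
            continue                               # not installed, or already fixed
        sites = [c for c in calls if c[2] in adv.functions]
        findings.append(Finding(adv, installed, bool(sites), sites))
    return findings


# Constructed sample input; all package and function names are hypothetical.
SAMPLE_LOCKFILE = "yamlish==1.2.0   # constructed\ntinyhttp==0.8.1  # constructed\n"
SAMPLE_SOURCES = {
    "app.py": "import yamlish as y\ndef load_config(blob):\n    return y.unsafe_load(blob)\n",
    "util.py": "from tinyhttp.client import fetch\ndef get(url):\n    return fetch(url, verify=True)\n",
}
SAMPLE_ADVISORIES = [
    Advisory("yamlish", (1, 3, 0), frozenset({"yamlish.unsafe_load"})),
    Advisory("tinyhttp", (0, 9, 0), frozenset({"tinyhttp.client.fetch_insecure"})),
]


def demo():
    return analyze(SAMPLE_LOCKFILE, SAMPLE_SOURCES, SAMPLE_ADVISORIES)


if __name__ == "__main__":
    for f in demo():
        status = "REACHABLE" if f.reachable else "unreachable"
        print(f"{f.advisory.package}=={f.installed}: {status} {f.call_sites}")
```

Both dependencies are pinned to affected versions, so both produce findings, but only `yamlish` is reachable: `app.py` calls the advisory's `unsafe_load`, while `util.py` uses a function of `tinyhttp` that the advisory does not name. Note what this toy resolver cannot see: a function stored in a variable and called later, dynamic dispatch via `getattr`, or calls made inside the dependency's own code on the application's behalf. Real tools handle more of these cases, but every static reachability check can under-report, so "unreachable" is a prioritization signal, not a reason to leave the vulnerable version in place.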

With Semgrep’s reachability analysis, Jess was confident that she could identify high-priority security issues quickly and efficiently, without having to search the codebase by hand for usages of each vulnerable function.

Why Policygenius loves Semgrep Supply Chain

The team at Policygenius has been delighted by Semgrep Supply Chain results. The application security team loves Semgrep Supply Chain because it easily integrates into the developer workflow, surfaces reachable findings, and scans the code extremely quickly, all while placing results in front of developers in tools they already use.

“Reachability has made prioritization so easy” - Jessica Grider, Policygenius

Unlike other SCA tools, Semgrep Supply Chain offered a hassle-free setup within a few minutes. Reachable findings are generally orders of magnitude fewer than unreachable ones, which enables the security team to prioritize them and reach inbox zero - unheard of in the security world! Scanning the code for open source vulnerabilities after a pull request (PR) takes at most a couple of minutes, which keeps the development cadence fast.


Developers love the fact that they see actionable, true positive findings. They can prioritize resolving reachable findings because they know that the code is truly vulnerable. The findings also include the exact location of the vulnerable call, making it easy for developers to address the issues quickly. Thus, the security team and developers alike love Semgrep Supply Chain because it presents relevant and actionable results about vulnerabilities.

Conclusion

With reachability analysis, Semgrep Supply Chain offers the transparency to better and more efficiently understand open source vulnerabilities that the security team at Policygenius truly appreciates. Semgrep Supply Chain makes sure that developers spend time addressing security issues that actually matter, thus enabling them to build better products for their customers.

About Policygenius

Policygenius transforms the insurance journey for today’s consumer, providing a one-stop platform where customers can compare options from top insurance carriers, get unbiased expert advice, buy policies, and manage their insurance portfolio, in one seamless, integrated experience. Their proprietary technology platform integrates with the leading life, disability, and home and auto insurance carriers and delivers an exceptional digital experience for both consumers and insurance carriers. Since 2014, their content, digital tools, and experts have served as a resource for millions of people on their insurance journey, and they have sold more than $170 billion in coverage.
