Fiverr’s security and DevOps teams found it difficult to effectively collaborate on security goals.
Fiverr knew it had to establish security workflows that were supportive, rather than disruptive to the organization’s work.
Fiverr needed to create a common language for the security team to report out to other stakeholders in the business.
By setting clear, measurable security goals, Fiverr established a shared, trusted language for discussing security needs.
Fiverr’s security team connected Wiz to its DevOps team’s project management tools to send new security findings and help developers prioritize risks.
With Wiz dashboards, Fiverr’s security team can easily capture and share up-to-date information with both collaborators and management.
Uniting security to eliminate critical vulnerabilities
Fiverr was founded to give people the ability to buy and sell digital services in the same way they can buy physical goods, and its driving mission is to change how the world works together. When Idan Pinto, DevSecOps Engineer at Fiverr, joined the company, cloud security was a collective responsibility. This meant that product teams managed their own vulnerabilities, PCI compliance was monitored and managed by a separate team, and subsidiaries were managing their own risks. This arrangement made it difficult for Fiverr to understand who was responsible for the associated risks, especially when it came to legacy services and deprecated tools.
Making an organization-wide change to this process was a long road, but now Fiverr’s security efforts and its cloud infrastructure have been consolidated in AWS and GCP. This includes Fiverr’s subsidiaries, so the team has full control over the company’s security posture. Connecting all of the company’s security information with Wiz and other security tools surfaced some critical vulnerabilities across the business.
With security management consolidated, Fiverr’s security team set out to find and remediate vulnerabilities across the organization. These findings helped the team operationalize their remediation efforts by building security monitoring and discovery processes into the DevOps team’s existing work lifecycle. “The next stage for us was about taking all of our research, sharing it with leadership, and then introducing that information into day-to-day DevOps workflows without changing the way they work,” said Pinto. By collaborating during weekly meetings and integrating their security management tools, they were able to address their highest-priority risks and reduce critical vulnerabilities to zero.
We consolidated our vulnerability management process by combining our other tools with Wiz. Now we can aggregate all of our findings and notify the right owner quickly.
Idan Pinto, DevSecOps Engineer, Fiverr
Building organization-wide trust using Wiz to create a shared security language
One of the largest challenges that comes with implementing business-wide changes is helping people understand why they’re so important. “We needed to demonstrate to our business partners how security was an enabler, not a disabler for the organization,” said Pinto. This process involved months of meeting with stakeholders to compare Fiverr’s existing cloud infrastructure to the version of it the security team hoped to see—a system with zero criticals in just six months.
The security team used Wiz to showcase the risks impacting the organization and informed other teams of the potential cost to the company if those risks weren’t addressed. Their weekly meetings helped the security team establish what risks Fiverr could accept and which needed to be urgently addressed. “Our approach was all about building trust with our DevOps partners,” said Pinto. “And using Wiz, we don’t have to say much. They can see and understand exactly what we’re seeing, so we can be on the same page.”
Since Wiz gives us a shared language, I can collaborate with our DevOps team during weekly meetings so we all fully understand what steps need to be taken on an issue. That might be remediation. It might be accepting a certain risk. The important thing is that we have the ability to talk about it.
Idan Pinto, DevSecOps Engineer, Fiverr
Together, security and DevOps worked from these meetings to create automated workflows to find and remediate risks without disrupting other valuable development projects. By connecting Wiz to Fiverr’s project management and communication tools—Monday.com, JIRA, and Slack—vulnerabilities are now consolidated and aggregated in one place as they are found. After the security team reviews the findings, tickets are opened automatically. “Our DevOps teams are partial owners of our most critical issues,” said Pinto. “By connecting our platforms to Wiz, we can automatically create JIRA or Monday tickets to ensure the team sees them, so vulnerabilities are handled quickly.”
As new findings are sent into each development sprint, Fiverr is able to keep pace with potential risks as they’re found, and remediation work is integrated directly alongside daily DevOps tasks. The security team can then easily export data from Wiz and report progress to DevOps leaders during the weekly meetings, so the team can continue to iterate. “Taking steps toward improving our security posture is a team effort,” Pinto added. “Being able to explain to everyone what we’ve accomplished and what else we can achieve helps people understand my agenda and keeps our infrastructure safe.”
Fiverr accelerates feature development by reaching “zero critical”
The key to Fiverr’s security success has been its focus on improving team relationships. Security and DevOps are able to communicate efficiently and trust that each team is working toward the same goals. “We built trust with our teams and with Wiz,” said Pinto. “We’ve been so satisfied with the Wiz team’s support and responsiveness, and all together we’ve designed a system, made a massive change in our architecture design, and now we have zero criticals.”
Wiz also helps DevOps teams save time by transitioning from script-based scans to APIs. Being able to see and share information across teams without additional resources opens up new ways to act on important insights faster and more collaboratively. “It’s helpful to see that we’re saving engineering time, and we can export useful information right away,” said Pinto. “This also means our teams can focus on developing new features.” By continuing to integrate new features into workflows, and by adding platforms like GitHub to more clearly identify project owners, the team can grow faster and further strengthen its security posture.
Typically, the most difficult thing for a security team is to take all our findings and pick the right one to focus on. Wiz gives us the ability to find the most critical vulnerabilities in our infrastructure to make sure we’re solving for the issues that will have the biggest impact.
Idan Pinto, DevSecOps Engineer, Fiverr
Fiverr focuses forward with more automation
Equipped with a growing toolkit and a more collaborative team, Fiverr has reached the security team’s goal of zero critical vulnerabilities, but its commitment to cloud security doesn’t stop there. As the organization continues to eliminate high-priority issues as they arise, it sees a new opportunity to focus on runtime and on vulnerabilities in the organization’s code. This includes scanning and remediating across the organization’s CI/CD pipeline. “Getting to this point took months of change management and teamwork, but now we’re all working together toward the same goals, and it’s a win for everyone,” Pinto said.