Back to Case Studies
Case Study

A Healthcare Company Revolutionizes its GitHub Actions Security with StepSecurity

A Healthcare Company Revolutionizes its GitHub Actions Security with StepSecurity

Learn how this enterprise staffed with 700 engineers harnesses StepSecurity platform in their enterprise GitHub Actions environment

Runners: 

Self-Hosted & GitHub-Hosted

Table of Contents

Company Description

A pioneer in cloud technology for the healthcare sector, this company caters to numerous top-tier healthcare enterprises. Their platform, crucial for processing and storing sensitive healthcare data, demands unparalleled security. Due to their industry regulatory requirements, any data breach can have severe consequences. Therefore, maintaining the highest level of security is not just a matter of company policy, but a critical necessity in safeguarding patient trust and complying with stringent industry regulations. This company has a security conscious culture where everyone in engineering understands that security is everyone’s responsibility.

The Challenge

Transitioning from Jenkins, the company was looking for a robust security framework for its new GitHub Actions environment. These were the key security challenges:
1. As most of the code in a typical GitHub Actions workflow comes from third-party components, the DevSecOps team was worried about supply chain attacks and other security risks due to the use of untrusted third-party code.
2. The company uses GitHub Actions to continuously deploy to their cloud environment which substantially increased their CI/CD risk.
3. Given the company wanted to use self-hosted and GitHub-hosted runners, they wanted to secure their runner environments.
4. The team had performed risk assessment of a few third-party GitHub Actions, they realized that the review process was time consuming. In addition, they were also concerned about the third-party review process causing developer friction due to delays. They were looking for a holistic solution to secure the use of third-party GitHub Actions in their pipelines without impacting developer productivity.

The DevSecOps team was looking for an effective solution that could provide static as well as runtime security, specifically tailored to address GitHub Actions-related. They tried to use their existing application and cloud security services in their GitHub Actions environment, but these solutions failed to meet their requirements.

The Solution: StepSecurity GitHub Actions Security Platform

The company selected StepSecurity as a solution to:
1. Setup a third-party GitHub Actions review process.
2. Implement network and runtime security across GitHub-hosted and self-hosted runners.
3. Setup consistent and standard set of workflows across repositories.
4. Comply with GitHub Actions security best practices

Customer Journey

Initial PoC Using StepSecurity Self-Signup on personal GitHub Account

The journey began with a lead DevSecOps engineer discovering StepSecurity due to its wide-spread open-source adoption. They did the initial evaluation of StepSecurity in their private GitHub account using StepSecurity’s self-signup capabilities.

Enterprise Proof of Concept

The lead engineer then reached out to StepSecurity to begin a PoC with their enterprise GitHub account. They worked with their DevOps team to install the StepSecurity App in their enterprise GitHub account and deployed the first StepSecurity control within minutes after that. The StepSecurity GitHub App only needs access to GitHub Actions build logs and Actions & secrets metadata, it does not require access to source code or any other proprietary data. This made it easier for the DevSecOps engineer to get buy-ins from other internal stakeholders. After trying out StepSecurity for 30-days, the team decided to acquire a StepSecurity license.

Roll out

In under two months, StepSecurity's security controls were implemented across all workflows. The company uses reusable workflows extensively and StepSecurity controls natively integrates with reusable workflows, extending control coverage across a large number of workflows with the least amount of code changes.

The company employs StepSecurity harden-runner across hundreds of their enterprise private code repositories and thousands of GitHub Actions workflows. Using Harden-Runner, the team restricted network traffic for all sensitive workflows such as the ones for deployment and building container images. In addition, the team has setup a security response process for real-time Harden-Runner alerts.

They use StepSecurity’s automated remediation platform to implement GitHub Actions security best practices in all their GitHub Actions workflows. It protects thousands of CI/CD pipeline runs every day. The StepSecurity platform helps them discover deviations from their GitHub Actions security baseline and remediates them with ease through StepSecurity automation.

With StepSecurity Maintained Actions and Action Advisor, the company has implemented a proactive process for managing new third-party actions being introduced in their pipelines. They use StepSecurity Actions Advisor for analyzing risks associated with the GitHub Actions their developers are requesting to be introduced. For risky third-party actions being requested, they use StepSecurity Maintained Actions instead.

The DevSecOps team has created internal engineering documentation so that developers can use StepSecurity services and troubleshoot occasional issues on their own without any assistance from the DevSecOps team.

Outcome

With StepSecurity, the company could implement:
1. Paved path for developers to use safe and reliable StepSecurity Maintained actions which reduces risk and improves developer productivity.
2. Real-time network and runtime security to actively block CI/CD supply chain attacks.
3. Standardization of GitHub Actions workflows across repositories.
4. Continuous monitoring of compliance with GitHub Actions best practices and auto-mated remediation.

Conclusion

StepSecurity provides security observability and preventative security controls for GitHub Actions that the company was lacking earlier. The company secures approximately 3,000 GitHub Actions workflows across more than 800 different repositories using StepSecurity. In addition, the company is projecting to save 200 developer hours/year on third-party actions security review and maintenance of forked Actions. StepSecurity was pivotal in encouraging the company transition to GitHub Actions from their legacy CI/CD platform as they could accelerate developer velocity while having better security controls compared to their legacy CI/CD provider.

Case Studies

Explore More Case Studies