Zero to Hero: Continuous Security with Reapsaw

Pranav Patel
Published in Dow Jones Tech
Aug 7, 2019

One year ago, Dow Jones open sourced Dow Jones Hammer, a cornerstone for our cloud security strategy. Last week we launched tokendito, a tool to generate temporary AWS credentials. And today, our Product Security team is proud to announce the release of one of our favorite, widely-adopted DevSecOps tools, Reapsaw!

What is Reapsaw?

Reapsaw is a portable orchestration platform that brings together various security tools and is engineered to enable nimble security testing within the developer ecosystem. It’s currently configured with the SAST (static application security testing) tool Checkmarx, the open-source dependency scanner Snyk, the test reporting tool Report Portal and the bug tracking system Jira.

  • Checkmarx helps identify and fix vulnerabilities in application source code (think SQL injection, cross-site scripting (XSS)…)
  • Snyk identifies known vulnerabilities in the open-source libraries our source code imports (think an out-of-date version of jQuery)
  • Report Portal, an AI-powered test automation reporting and analysis tool, helps de-duplicate the results.
  • Jira provides bug tracking and agile project management.

Why Reapsaw?

Traditional security tools have always been complex and are not as developer-friendly as they need to be. Hence, embedding security testing into the SDLC (Software Development Life Cycle) is often challenging, and the tools become a bottleneck rather than a safety net.

Some of the common problems with these tools are:

  • Not automation friendly
  • High false-positive rates
  • Poor integration options
  • Poor execution and scan times

Because of these issues, developers tend to ignore or disable the tools. What starts as a cultural problem then becomes a technology problem. Finding or building security testing tools that fit the developer ecosystem is pivotal.

How can Reapsaw be useful?

Reapsaw packages a variety of security testing processes, techniques and qualities that are needed to mature your secure development practices, such as:

  • Portability — a solution that works in any environment (a developer’s workstation, CI/CD pipelines)
  • Tuning the tools — tunes your tools to identify the bugs that matter most (reducing the number of “false positives”)
  • Language support — supports multiple languages and provides playbooks for self-starters (NodeJS, .Net, Java, Scala, etc.)
  • Quick scans — take less than 10% of total build time (10% is our threshold, but it can vary and should be tuned to your needs)
  • Normalized scan results — puts results from every tool into a common format, then aggregates and de-duplicates them to prevent redundant reporting
  • Actionable reporting — provides precise steps for developers to remediate vulnerabilities
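The normalization, de-duplication and scan-time budget described in the list above, as an added example that is not Reapsaw’s own code (this post does not show Reapsaw’s internals): a small Python script maps a hypothetical SAST report and a hypothetical dependency-scanner report onto one record shape, collapses findings that share a fingerprint, keeps the highest reported severity, and checks a scan against the 10% build-time threshold. The report field names, tool labels, severity vocabularies, vulnerability identifiers and sample reports are assumptions constructed for illustration and do not reproduce any vendor’s actual output format.

```python
"""Added example, not Reapsaw's own code: normalize findings from a SAST
scanner and a dependency (SCA) scanner into one record shape, de-duplicate
them, and check the scan against a build-time budget. The raw report shapes
and the sample reports below are constructed for illustration and do not
reproduce any vendor's actual output format."""
from dataclasses import dataclass
import hashlib

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
# Map each tool's (assumed) severity vocabulary onto the common scale.
SEVERITY_MAP = {"low": "LOW", "medium": "MEDIUM", "high": "HIGH", "critical": "CRITICAL",
                "1": "LOW", "2": "MEDIUM", "3": "HIGH"}


@dataclass(frozen=True)
class Finding:
    tool: str          # which scanner reported it
    rule: str          # vendor-neutral category, e.g. "sql-injection", or an advisory id
    severity: str      # LOW / MEDIUM / HIGH / CRITICAL
    location: str      # file path for code findings, package@version for dependencies
    line: int          # 0 for dependency findings, which have no source line
    remediation: str   # actionable step handed to the developer

    def fingerprint(self) -> str:
        # Identity deliberately excludes the tool and the remediation text, so the
        # same bug reported twice (or by two scanners) collapses into one record.
        key = f"{self.rule}|{self.location}|{self.line}".encode()
        return hashlib.sha256(key).hexdigest()[:16]


def normalize_sast(report: dict) -> list[Finding]:
    """Hypothetical SAST report shape:
    {"results": [{"query", "severity", "path", "line", "fix"}, ...]}."""
    return [Finding(
        tool="sast",
        rule=r["query"].strip().lower().replace(" ", "-"),
        severity=SEVERITY_MAP[str(r["severity"]).lower()],
        location=r["path"],
        line=int(r["line"]),
        remediation=r.get("fix", "see scanner documentation"),
    ) for r in report["results"]]


def normalize_sca(report: dict) -> list[Finding]:
    """Hypothetical SCA report shape:
    {"vulnerabilities": [{"id", "severity", "package", "version", "fixedIn"}, ...]}."""
    out = []
    for v in report["vulnerabilities"]:
        fixed = v.get("fixedIn") or []
        out.append(Finding(
            tool="sca",
            rule=v["id"],
            severity=SEVERITY_MAP[str(v["severity"]).lower()],
            location=f'{v["package"]}@{v["version"]}',
            line=0,
            remediation=(f'upgrade {v["package"]} to {fixed[0]}' if fixed
                         else f'no fixed version of {v["package"]} yet; evaluate a replacement'),
        ))
    return out


def dedupe(findings: list[Finding]) -> list[Finding]:
    """Collapse findings that share a fingerprint, keeping the highest severity,
    and order the result for a report (most severe first)."""
    kept: dict[str, Finding] = {}
    for f in findings:
        fp = f.fingerprint()
        if fp not in kept or SEVERITY_RANK[f.severity] > SEVERITY_RANK[kept[fp].severity]:
            kept[fp] = f
    return sorted(kept.values(), key=lambda f: (-SEVERITY_RANK[f.severity], f.location, f.line))


def within_scan_budget(scan_seconds: float, build_seconds: float, fraction: float = 0.10) -> bool:
    """The post's rule of thumb: a pipeline scan should cost at most 10% of total build time."""
    return scan_seconds <= fraction * build_seconds


# Constructed sample reports. The SAST report deliberately carries the same SQL
# injection twice (two data flows ending at one sink) with different severity
# labels, and the SCA report repeats one advisory, as scanners often do.
SAST_REPORT = {"results": [
    {"query": "SQL Injection", "severity": "High", "path": "src/db.js", "line": 42,
     "fix": "use a parameterized query"},
    {"query": "SQL Injection", "severity": "Medium", "path": "src/db.js", "line": 42,
     "fix": "use a parameterized query"},
    {"query": "Reflected XSS", "severity": "Medium", "path": "src/view.js", "line": 17,
     "fix": "HTML-encode output"},
]}
SCA_REPORT = {"vulnerabilities": [
    {"id": "EXAMPLE-JQUERY-1", "severity": "medium", "package": "jquery",
     "version": "1.11.3", "fixedIn": ["3.5.0"]},
    {"id": "EXAMPLE-JQUERY-1", "severity": "medium", "package": "jquery",
     "version": "1.11.3", "fixedIn": ["3.5.0"]},
]}


def run_pipeline() -> list[Finding]:
    """Five raw results in, three unique actionable findings out."""
    return dedupe(normalize_sast(SAST_REPORT) + normalize_sca(SCA_REPORT))


if __name__ == "__main__":
    for f in run_pipeline():
        print(f"{f.severity:<8} {f.rule:<18} {f.location}:{f.line}  -> {f.remediation}")
    print("scan within budget:", within_scan_budget(scan_seconds=40, build_seconds=600))
```

The fingerprint is the design decision that matters: it is built only from what identifies the bug (rule, location, line), never from the reporting tool or the severity label, so a finding that two scanners or two data flows report with different labels still collapses to one ticket, carrying the highest severity seen. In a real integration the same fingerprint would also be the key used to avoid opening a second Jira issue on the next scan.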

Reapsaw also gives security teams a plug-and-play solution: security tools can be added or removed without disrupting the developer ecosystem. This helps foster confidence in the security engineering teams.

Reaping the benefits of Reapsaw:

“Reduction of Risk” is the goal of Dow Jones’ Cybersecurity team, and Reapsaw has been a strong enabler of this. We’ve actively used Reapsaw in our product development pipelines for about a year now. Some key areas where the tool has helped mature the security of our products include:

  • Development of a consistent baseline to help prioritize security initiatives, training, awareness and strategy for tackling security bugs and design flaws.
  • Scaling to the ever-increasing needs of security testing. From monolithic applications to modern microservices and serverless, it helps embed security testing across the board.
  • Building a vulnerability management platform to mature analytics and visibility into security hygiene across all products in our organization.
  • Giving developers quick feedback, which speeds up vulnerability remediation.

By embedding Reapsaw into our tools, we enable our developers to do the right thing: write secure, quality code.

More Information

Github: https://github.com/dowjones/reapsaw/

Getting Started: https://github.com/dowjones/reapsaw/wiki

Language-specific playbooks: https://github.com/dowjones/reapsaw/wiki/Snyk-Configuration#how-to-build-application-code-base

We have also presented Reapsaw at several major public venues, including RSA Conference 2019, DevSecCon Chapter 2018 and the BSIMM Conference 2018.

Video: Find our RSA 2019 talk here.

Coming up…

  • Case-study and behind the scenes of making Reapsaw
  • Reapsaw for DAST (Dynamic Application Security Testing)

P.S — The elephant in Reapsaw’s logo symbolizes strength, determination and courage to showcase a strong defense!
