Securing SDLC Practices for a Leading Health System
Feb 24, 2025
Challenge:
A leading health system required Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), and Software Bill of Materials (SBOM) tooling to continuously scan application code and deployed systems for security vulnerabilities and to support compliance with NIST guidance and HIPAA requirements. The client needed the tools integrated with their CI/CD platform, with automated security gates in the pipelines, plus a custom scanning solution for MuleSoft so that code deployment and security and compliance checks could proceed without manual steps. They also sought ongoing maintenance, troubleshooting, and reporting to sustain the security posture and drive vulnerability remediation.
Our Approach:
We implemented a comprehensive DevSecOps framework for the health system by deploying and automating a security toolchain: Checkmarx (SAST), Burp Suite (DAST), Feroot (client-side protection), and Dependency-Track (SBOM analysis).
To ensure continuous security enforcement, we:
- Integrated security scanning directly into the CI/CD pipeline with automated scan triggers.
- Configured security gates to block vulnerabilities before production deployments.
- Developed custom security solutions to scan applications like MuleSoft, expanding security coverage.
- Established security standards and processes to improve application security posture.
- Provided high-quality vulnerability reporting via Azure DevOps dashboards for proactive remediation.
- Developed and implemented a vulnerability remediation process that streamlines remediation work and gives developers clear, actionable findings.
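A minimal security gate of the kind described in the list above, added here as an illustration rather than the client's or any vendor's code. It assumes the SBOM analysis tool's findings have already been exported into a flat list (the field names, the sample findings, the waiver register, the advisory identifiers and the dates are all constructed for this example) and it fails the pipeline stage with a non-zero exit code when any finding at or above the configured severity is not covered by an unexpired, component-specific risk acceptance. Expired waivers re-block the build, which is what keeps a remediation backlog from silently becoming permanent.

```python
"""SBOM security gate for a CI/CD stage (added example, not the project's code).

Assumptions: findings are dicts with component (PURL), id, severity and
fix_version; waivers are dicts with id, component, expires and reason.
All sample data below is constructed and does not describe real packages
or advisories.
"""
import sys
from dataclasses import dataclass, field
from datetime import date

# Severity ordering used by the gate (an assumption of this example).
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}

# Constructed sample findings, shaped like a flattened SBOM vulnerability export.
SAMPLE_FINDINGS = [
    {"component": "pkg:maven/org.example/http-client@2.4.0", "id": "EXAMPLE-0001",
     "severity": "critical", "fix_version": "2.4.1"},
    {"component": "pkg:npm/example-ui-kit@1.0.3", "id": "EXAMPLE-0002",
     "severity": "high", "fix_version": None},
    {"component": "pkg:npm/example-logger@3.1.0", "id": "EXAMPLE-0003",
     "severity": "medium", "fix_version": "3.1.2"},
    {"component": "pkg:maven/org.example/xml-util@1.9.0", "id": "EXAMPLE-0004",
     "severity": "high", "fix_version": "1.9.4"},
]

# Constructed risk-acceptance register: a waiver is scoped to one advisory on
# one exact component version and carries an expiry date.
SAMPLE_WAIVERS = [
    {"id": "EXAMPLE-0002", "component": "pkg:npm/example-ui-kit@1.0.3",
     "expires": date(2025, 6, 30), "reason": "no fix available; mitigated by CSP"},
    {"id": "EXAMPLE-0004", "component": "pkg:maven/org.example/xml-util@1.9.0",
     "expires": date(2025, 1, 31), "reason": "upgrade scheduled"},
]


@dataclass
class GateResult:
    passed: bool
    blocking: list = field(default_factory=list)    # findings that fail the stage
    waived: list = field(default_factory=list)      # findings under a live waiver
    expired: list = field(default_factory=list)     # waivers that lapsed; they block again
    remediable: list = field(default_factory=list)  # blocking findings with a known fix


def evaluate_gate(findings, waivers, threshold="high", today=None):
    """Decide pass/fail for one set of findings against the waiver register."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    today = today or date.today()
    min_rank = SEVERITY_RANK[threshold.lower()]
    # Key waivers by (advisory, exact component) so a waiver cannot be reused
    # for a different version or a different package.
    waiver_index = {(w["id"], w["component"]): w for w in waivers}
    result = GateResult(passed=True)
    for f in findings:
        if SEVERITY_RANK.get(f["severity"].lower(), 0) < min_rank:
            continue  # below the gate threshold: reported elsewhere, not blocking
        waiver = waiver_index.get((f["id"], f["component"]))
        if waiver and waiver["expires"] >= today:
            result.waived.append(f)
            continue
        if waiver:
            result.expired.append(waiver)
        result.blocking.append(f)
        if f.get("fix_version"):
            result.remediable.append(f)
    result.passed = not result.blocking
    return result


def format_report(result):
    """Human-readable summary suitable for a pipeline log or a dashboard feed."""
    lines = [f"gate: {'PASS' if result.passed else 'FAIL'}"]
    for f in result.blocking:
        fix = f"upgrade to {f['fix_version']}" if f.get("fix_version") else "no fix yet"
        lines.append(f"  BLOCK {f['severity'].upper():8} {f['id']} {f['component']} ({fix})")
    for f in result.waived:
        lines.append(f"  WAIVE {f['id']} {f['component']}")
    for w in result.expired:
        lines.append(f"  EXPIRED waiver {w['id']} on {w['component']} (expired {w['expires']})")
    return "\n".join(lines)


if __name__ == "__main__":
    res = evaluate_gate(SAMPLE_FINDINGS, SAMPLE_WAIVERS, today="2025-02-24")
    print(format_report(res))
    sys.exit(0 if res.passed else 1)  # non-zero exit fails the pipeline stage
```

Run as a step after the SBOM has been uploaded and analysed; the exit code is what the pipeline treats as the gate. Scoping waivers to an exact component version, rather than to an advisory alone, is deliberate: a dependency bump that introduces a new vulnerable version should have to go through risk acceptance again.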
Outcomes:
- Introducing DevSecOps and shifting security left reduced the cycle time for addressing potential vulnerabilities: issues are identified early in the delivery lifecycle, where they are cheapest to fix, which reduced the cost of operations.
- Continuous static and dynamic scanning improved the overall security posture of the applications.
- Development and maintenance of bespoke solutions to scan applications such as MuleSoft brought all enterprise applications under the same application security purview.
- Security benchmarking for future applications is now faster, and there is greater confidence in deploying changes to existing applications.
- The vulnerability remediation process reduced security risk by minimizing exposure time and by integrating automated fixes into the development pipelines, allowing development teams to deliver secure software faster with minimal disruption.