Tuesday, September 16, 2025
Scaling Continuous Security at Revolut

As Revolut’s product offerings continue to expand, its engineering team faces a variety of technological challenges. 

Engineers successfully addressed these challenges, resulting in new features, changes, and updates for customers. 

However, with the development of new features comes the need for increased security measures to protect their products. 

The process

The internal Application Security Team ensures the security of every new feature developed by Revolut’s engineers. 

To provide the highest level of security assurance, they’ve implemented a number of processes throughout the Software Development Life Cycle (SDLC), including automated scans in their CI/CD pipelines. 

But with nearly 39,000 commits created by over 900 authors in July 2022 alone, efficiently triaging every security finding produced by automated scanners is a challenge. 

To address this challenge, Revolut’s team has developed Security Drone, a tool that helps them provide the highest level of security assurance in fast CI/CD environments. 

Challenges faced by Revolut

The traditional approach to security testing relies on security teams manually reviewing each developed feature, aided by automated security scans. This approach no longer scales in throughput, quality, or coverage as the company continues to grow.

Some of the challenges they faced include:

  • New changes integrated and deployed every day
  • Engineers prioritizing functionality over security
  • The internal application security team not being large enough to have a dedicated security engineer for each project
  • AppSec teams needing to automate work that was previously done manually
  • Increased timelines for jobs due to the integration of more tools into pipelines, negatively affecting the development experience
  • Constant increases in software changes

First solution: The classic approach to CI/CD pipeline scans

Trial and error

Their initial solution was to onboard automated security scanners such as Static Application Security Testing (SAST) and Software Composition Analysis (SCA) and review the findings within the AppSec team. While this solution worked, as the company continued to grow the team had to manage hundreds of CI pipelines used for security purposes. 

On average, the team observed 950 new pull requests (PR) with nearly 1.85 commits per PR every 24 hours. Automated scans were executed 3-4 times per minute, on average, against various projects. 

The chart below illustrates the number of automated security scans performed on July 14, 2022, every 30 minutes.

With these numbers, they faced another challenge: triaging all the security findings. 

These scans produced a high number of false positive vulnerabilities that had to be manually triaged by the security team. Initially, they thought that scanning every software change was not the way to go, and that they should only be scanning changes intended for the Production environment. 

However, upon further analysis, the team concluded that about 81% of commits had a final destination to the main branch. Revolut’s scanners were completing at least three successful security scans on a software change every minute, resulting in a large number of false positives.

Second solution — Security Drone

To address this challenge, the team developed Security Drone, a tool that helps them provide the highest level of security assurance in fast CI/CD environments. 

The following tools are used in Security Drone:

  • Semgrep — Static Application Security Testing
  • Snyk Open Source — Software Composition Analysis
  • Checkov — Infrastructure as Code

What has Revolut achieved with the Security Drone?

  1. They’ve adopted a shift-left approach to security to identify and communicate security findings earlier in the SDLC, before code goes into testing or production environments
  2. Security issues can be fixed before going into production, and as a result, they don’t have to be manually triaged by AppSec Team members
  3. Only merged security issues are reported to the AppSec Team to triage and loop into the vulnerability lifecycle process
  4. Lowered false positive rate by carefully choosing the SAST solution and continually tuning its rules. This enables them to achieve a ~3.8% FP rate!
  5. Their centrally managed scanner currently scans 100% of the code in Revolut, which saves hundreds of hours of manual reviews. Here are some numbers from the last 24 hours:
    • Nearly 1700 pull requests were scanned
    • Over 3900 scans associated with the above PRs were performed
  6. Ability to find new vulnerabilities in other applications based on patterns
  7. The scans are fast and don’t disrupt the developer experience. They’re executed in parallel, and scanning times are presented below:
    • Median scanning time for SAST is 11 seconds
    • Median scanning time for IaC is 22 seconds
    • Median scanning time for SCA is 101 seconds
  8. Increased security awareness and continuous learning amongst engineers. They’re also aware of the direction in which AppSec is moving.

What is next?

Security Drone will always be under development as new technologies are emerging and improvements to the development experience can be made. On their roadmap, they have various points, some of which include:

  • Ability to flag findings as a false positive in a developer-friendly way
  • Incremental SAST scans — scan only code changes in PRs
  • Integration of more security scanners and the development of more SAST/IaC rules
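The PR-scoped triage flow described in the achievements list (findings on the lines a pull request changes go back to the developer before merge, and only findings merged while still open reach the AppSec queue) together with the roadmap items above (developer-friendly false-positive flagging and scanning only the code changed in a PR), as an added Python example. This is not Revolut's Security Drone code: the diff, the findings, the `constructed.*` rule IDs and the `# appsec-ignore: <reason>` suppression comment are all constructed for illustration, and the finding dictionaries only approximate the shape of Semgrep's JSON results.

```python
"""Route SAST findings by pull-request scope (constructed example).

Findings touching lines this PR added go to the developer before merge; if
the PR was merged with them still open they go to the AppSec queue. Findings
on untouched lines are pre-existing and left to the scheduled full scan. A
constructed '# appsec-ignore: <reason>' comment lets a developer flag a false
positive, but only with a reason, which is kept for AppSec to audit.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Unified-diff hunk header; only the new-file start line is needed.
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")
# Constructed suppression marker (not a Semgrep feature); a reason is mandatory.
SUPPRESS_RE = re.compile(r"#\s*appsec-ignore:\s*(?P<reason>\S.*)$")

# Constructed diff for one PR touching two files.
SAMPLE_DIFF = """\
diff --git a/app/db.py b/app/db.py
--- a/app/db.py
+++ b/app/db.py
@@ -10,3 +10,4 @@ def get_user(conn, user_id):
     cur = conn.cursor()
-    cur.execute("SELECT * FROM users WHERE id = %s", (user_id,))
+    query = "SELECT * FROM users WHERE id = " + str(user_id)
+    cur.execute(query)
     return cur.fetchone()
diff --git a/app/util.py b/app/util.py
--- a/app/util.py
+++ b/app/util.py
@@ -1,2 +1,5 @@
 import hashlib
+import os
+DEBUG = os.environ.get("DEBUG") == "1"  # appsec-ignore:
 def cache_key(data):
+    return hashlib.md5(data).hexdigest()  # appsec-ignore: cache key only, not security-relevant
"""

# Constructed findings in a shape that approximates Semgrep's --json results.
SAMPLE_RESULTS = [
    {"check_id": "constructed.sql-string-concat", "path": "app/db.py",
     "start": {"line": 11}, "end": {"line": 12},
     "extra": {"severity": "ERROR", "message": "SQL built by string concatenation"}},
    {"check_id": "constructed.debug-flag-from-env", "path": "app/util.py",
     "start": {"line": 3}, "end": {"line": 3},
     "extra": {"severity": "WARNING", "message": "debug mode toggled by environment"}},
    {"check_id": "constructed.weak-hash-md5", "path": "app/util.py",
     "start": {"line": 5}, "end": {"line": 5},
     "extra": {"severity": "WARNING", "message": "MD5 used"}},
    {"check_id": "constructed.yaml-unsafe-load", "path": "app/db.py",
     "start": {"line": 30}, "end": {"line": 30},
     "extra": {"severity": "ERROR", "message": "yaml.load without a safe loader"}},
]


def parse_added_lines(diff: str) -> Dict[str, Dict[int, str]]:
    """Map each file to {new_line_number: text} for the lines the diff adds."""
    added: Dict[str, Dict[int, str]] = defaultdict(dict)
    path, new_line = None, 0
    for raw in diff.splitlines():
        if raw.startswith("diff --git") or raw.startswith("--- "):
            continue  # file headers carry no new-file line numbers
        if raw.startswith("+++ "):
            target = raw[4:].strip()
            path = target[2:] if target.startswith("b/") else target
            continue
        m = HUNK_RE.match(raw)
        if m:
            new_line = int(m.group(1))
            continue
        if path is None:
            continue
        if raw.startswith("+"):
            added[path][new_line] = raw[1:]
            new_line += 1
        elif not raw.startswith("-"):
            new_line += 1  # a context line also exists in the new file
    return dict(added)


def suppression_reason(texts: List[str]) -> Optional[str]:
    """Return the developer's justification, or None if absent or empty."""
    for text in texts:
        m = SUPPRESS_RE.search(text)
        if m:
            return m.group("reason").strip()
    return None


def triage(results: List[dict], diff: str, merged: bool) -> Dict[str, List[dict]]:
    """Split findings into developer / appsec / suppressed / pre_existing."""
    added = parse_added_lines(diff)
    routed: Dict[str, List[dict]] = {k: [] for k in ("developer", "appsec", "suppressed", "pre_existing")}
    for r in results:
        lines = added.get(r["path"], {})
        hits = [n for n in range(r["start"]["line"], r["end"]["line"] + 1) if n in lines]
        if not hits:
            routed["pre_existing"].append(r)  # not introduced by this PR
            continue
        reason = suppression_reason([lines[n] for n in hits])
        if reason:
            routed["suppressed"].append({**r, "justification": reason})
        elif merged:
            routed["appsec"].append(r)  # merged with the finding open: AppSec triages
        else:
            routed["developer"].append(r)  # fix before merge, no AppSec time spent
    return routed


if __name__ == "__main__":
    for stage, merged in (("pre-merge", False), ("post-merge", True)):
        counts = {k: len(v) for k, v in triage(SAMPLE_RESULTS, SAMPLE_DIFF, merged).items()}
        print(stage, counts)
```

Restricting feedback to the lines a PR adds is what keeps pre-existing findings from landing on a developer who did not write them, while a suppression without a reason is deliberately ignored so that the false-positive path cannot become a silent bypass.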

Credits go to every Revolut AppSec engineer involved in the design and development of Security Drone, especially:

Arsalan Ghazi, Krzysztof Pranczk, Pedro Moura, Roger Norton
