Case study: Improving risk profile and DevEx with automated code remediation in financial services

You’ve probably heard the phrase that every business today is a software business. Our customer featured in this case study, a large financial services cooperative, is no exception. It has a comprehensive software development organization with 6000+ developers and hundreds of millions of lines of code that consume 1000s of third-party software components across multiple applications—a massive software undertaking.

Their challenge was keeping their ‘living codebase’ operational and secure while at the same time delivering business value. Application scanning and reviews would relentlessly highlight vulnerabilities, outdated frameworks, API changes, and code quality issues. But all of this had to be handled manually by developers, competing against business value work, such as creating better experiences and new offerings for their customers. 

Despite their best efforts, the inability to address vulnerabilities and obsolescence regularly and efficiently was adding risk and technical debt that would compound daily. They also discovered that they didn’t know what they didn’t know. How could they understand the impact of all the issues if they didn’t have adequate insight into their codebase?

Our customer had a vision, though. They wanted a solution that could address two key concerns:

• First, they wanted to get better visibility into their extensive codebase—a granular understanding of the code and all dependencies across repositories—to better predict risk, impact of changes, and developer needs. 
• Second, they wanted to improve the developer experience to enable developers to innovate and create new apps instead of toiling away on security patches, dependency upgrades, and other maintenance.

“Imagine if we could fix our code automatically and at scale—what an opportunity that opens up for us!” — Principal Architect

They found the solution and a collaborative partnership in Moderne. By adopting the Moderne platform, our customer gained full-fidelity insight into their codebase and the ability to automate source code remediation at scale. They are now able to patch application vulnerabilities, update frameworks, and improve code quality with minimal developer involvement. This enables their development teams to reduce business risk and add more business value every day.

For example, from the initial proof of value (PoV) with Moderne, one of their business units was able to save 86 percent of developer time ​​migrating from JUnit test framework 4 to 5 in three repositories. They were also able to correct the vulnerabilities and security issues reported by their SAST tool on one Java project—going from red to green in two days. 

Read on to learn more about their journey and results.

Growing complexity of codebase adding risk and toil

The company’s applications are built with an abundance of third-party software artifacts plus custom code housed in many, large code repositories. Keeping applications operational meant addressing increasing changes in the code (much of it introduced through the third-party dependencies). In fact, at one point they had polled their developers asking how long their applications would continue to function if they were not allowed to touch the code. The reply was six months or less. They were continuously accumulating:

• Security vulnerabilities
• Framework migrations
• API changes
• Code quality updates
• Dead code

And what did this mean for the development teams? Managing dependencies and vulnerabilities would be added incrementally to development queues, taking team capacity away from building new functionality. Each developer would need to find a way of addressing issues in their own repositories with no standardized approach—no reuse. All of this was just barely chipping away at a very large iceberg of technical debt.

Migration work, in particular, was complicated. These migrations would typically require massive amounts of cross-team coordination and time to change the source code in 100s of repositories. Developers had to interpret the release notes for each new version of software, identify and evaluate which changes would apply to their code and tests, and manually update the code line by line, repository by repository. Because manual work is not always accurate, there can be production outages. And because manual work takes so much time, new vulnerabilities can emerge that require attention, shifting focus and slowing the work even more.

For example, the company was amidst a major, multi-year Spring Boot 1.5 to 2.7 migration, which included a chain reaction of alignment issues among framework and library versions—in both application code and tests. This migration required 12 minor version upgrades that would amass up to 1,200 changes (of dependencies, properties, configurations, classes, etc.). During the Spring Boot migration work, a newly discovered vulnerability in Spring boot 2.3 created an “all hands on deck” situation, making the team switch gears to prioritize upgrading those apps at risk.

Adding to the complexity, a JUnit 4 to 5 migration was required for the Spring Boot 2.4 upgrade. The development team had been in the process of manually, incrementally migrating JUnit tests side-by-side with the business logic of the application for 18 months (and were only 20% complete). 

Between added toil and juggling work priorities, developer dissatisfaction was on the rise. Too much of their workstream was becoming remediation of code that was completely outside their control (yet they were often blamed for all the associated issues). Unfortunately, due to business priorities, they were rarely given the bandwidth to adequately manage dependency updates and migrations, which meant that they were always behind.

None of these realities were acceptable to the team. They simply could not keep up with the ever-evolving software ecosystem. They had to find a better way.

Traditional code search tools coming up short

Our customer needed to find a code-search and transformation solution that could provide rich insight into their codebase, as well as the automation to replace manual work of developers. They reviewed internal tools and traditional code-search and analysis tools, like Sourcegraph, but determined these were lacking in code “intelligence” and still required developers to manually remediate the code. 

More specifically, tools like Sourcegraph are built on vertically-scaled infrastructure (a relational-type database) by indexing the code in the database and querying it with a new domain-specific language. The search lacked scale and precision—not providing the level of code intelligence the organization required. 

And the ‘transformations’ promised by these tools were more surface changes, such as updating library versions in build configurations. Sourcegraph offered batch changes that included running scripts and issuing pull requests (PRs). But it still required developers to research and create the scripts (which can be the lionshare of transformation work).

While marginally helpful for developers, these types of tools could not sufficiently impact the developer experience.

Moderne as data warehouse for code with automated remediation

Then they discovered Moderne, and a great partnership was formed aimed at achieving the company’s innovative vision for reducing risk and improving the developer experience.

Moderne offered the capabilities to be the center of ‘code intelligence’ for the company. The Moderne platform can ingest 1000s of repositories of code and quickly traverse the code to provide insights. The solution is based on a lossless semantic tree (LST) data structure that is built at compile time with all the direct and transitive dependencies included. This rich data view enables users to analyze and manipulate the data collected daily on their code repositories.

Here are eight key benefits our customer is realizing with Moderne:

1. Always having the most current, accurate view of the codebase at their fingertips
2. Automatically finding vulnerabilities in the codebase when they are declared and auto-remediating at once—issuing commits or pull requests
3. Regularly updating software and third-party libraries across thousands of repositories, making sure users have the latest version
4. Understanding the full impact of new API versions and providing an automated path to update for API consumers
5. Improving the response time to business partners to produce an impact analysis
6. Providing developers with knowledge about the state of health and remediation of a code repository
7. Using open-source search and transformation recipes from the open source community, and creating custom ones for their organization as needed 
8. Building software development best practices around code automation that increase developer satisfaction

They also feel confident using Moderne because it offers a single-tenant platform with the security of an on-premises solution and the ease of use of a SaaS solution. Moderne is SOC 2 Type 2 certified and manages access and encryption through the customer’s security controls. 

Results: Code remediation in hours/days not months/years

Our financial services customer is seeing immediate impact from Moderne’s automated source code remediation across their codebase. 

Remember those SAST security and vulnerability issues that were ranking low? Our customer was able to move security issues for one business unit’s codebase to a steady green with Moderne’s continuous remediation—a conservative 74 percent time savings for the team. They also saved 94 percent of time removing code smells across 194 repositories.

What about that JUnit migration from 4 to 5 that was on its 18th month? In the proof of value (POV) trial with Moderne, the organization resolved their JUnit migration on three different projects in days—a conservative 86 percent time savings for the team. 

They also performed an impact analysis on what it would take to migrate from Spring Boot 1.5 to 2.7 on one project. They estimated that manually it would take the team 70 hours, but with Moderne they could achieve it in 17 hours or less—an 80 percent savings.

And there were more amazing insights. Through examining the dependency vulnerability data that the Moderne platform produces, the organization could see what it would take to remediate all vulnerabilities in their codebase from small version bumps to major migrations. They estimated that roughly 20% of the vulnerabilities in the third-party dependencies would require major framework migrations, and they can now take action to upgrade with automation, preparing and distributing recipes. 

We’re also excited that our customer is working with open source software (OSS) vendors and security researchers to contribute search and transformation recipes that add to the ecosystem of migrations that help everyone automate. Pro tip: ask your library vendors for migration automation!

Check out the infographic summary of this case study.

And contact us to see a demo and learn more about how your organization can benefit from using Moderne.