Customer Success Story

How Semgrep enables Policygenius to shift left

  • Semgrep scans their entire repository in seconds.

  • With Semgrep, Policygenius has nearly zero false positives per scan.

  • Policygenius’ security team appreciates easy-to-create rulesets.


About Policygenius

Policygenius transforms the insurance journey for today’s consumer, providing a one-stop platform where customers can compare options from top insurance carriers, get unbiased expert advice, buy policies, and manage their insurance portfolio, in one seamless, integrated experience. Our proprietary technology platform integrates with the leading life, disability, and home and auto insurance carriers and delivers an exceptional digital experience for both consumers and insurance carriers. Since 2014, our content, digital tools, and experts have served as a resource for millions of people on their insurance journey, and we have sold more than $160 billion in coverage.

Security requirements

The software security team at Policygenius is responsible for making sure that their software is as secure as possible without unnecessarily slowing down software developers.

The Policygenius technology stack consists of:

Languages: Ruby, Java, Golang, Python

Frameworks: Terraform, GitHub

As in just about all technology companies, there were more developers than security engineers, which posed the challenge of building a secure SDLC that is not only scalable and effective but also efficient and developer-friendly. Because of this, Jessica Grider, Senior DevSecOps Engineer, wanted to make sure that security shifts left and that the security infrastructure is automated as much as possible. Shifting left is crucial because it detects vulnerabilities before they reach production, allowing developers and security teams to be proactive rather than reactive.

With this in mind, Jessica was looking for a security solution that was fast, reliable, and had very few false positives.

Semgrep to the rescue

Jessica came across Semgrep at DEF CON 2021, when Erin Browning and Tim Faraci from Slack talked about how they ran Semgrep at lightning speed (3 minutes, to be precise) in their CI/CD pipeline. What stood out for Jessica was the ability to choose rulesets and create rules for different use cases. For example, with Semgrep, XSS detection rules can be tuned to Policygenius’ codebase. The ability to run custom rules helps reduce the number of false positives. Jessica decided to try Semgrep.
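As an added illustration of the kind of codebase-specific tuning described above (this is example code written for this page, not a rule from Policygenius or from Semgrep’s registry; the rule id and the excluded paths are hypothetical), the following Semgrep rule flags Rails code that opts out of HTML output escaping on a dynamic value, while deliberately ignoring constant string literals and test directories, which is where a generic XSS rule tends to generate noise:

```yaml
rules:
  - id: example-rails-html-safe-on-dynamic-value   # hypothetical rule id
    languages: [ruby]
    severity: WARNING
    message: >-
      Marking a non-literal value as html_safe (or passing it to raw) bypasses
      Rails output escaping and can lead to XSS if the value is user-controlled.
      Escape it with ERB::Util.html_escape or run it through sanitize instead.
    patterns:
      # Flag both ways Rails code can opt out of escaping.
      - pattern-either:
          - pattern: $VALUE.html_safe
          - pattern: raw($VALUE)
      # A constant string literal cannot carry user input; excluding it is the
      # codebase-specific tuning that removes a common source of false positives.
      - pattern-not: '"...".html_safe'
      - pattern-not: raw("...")
    # Specs and fixtures never reach production; skip them (hypothetical paths).
    paths:
      exclude:
        - spec/
        - test/
    metadata:
      category: security
      cwe: "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
```

With this rule, `"<br>".html_safe` is left alone while `params[:bio].html_safe` is reported. Before relying on the literal exclusion, confirm against a few samples from the codebase how it treats interpolated strings such as `"#{name}".html_safe`, since those can carry user input and should still be reported.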

Policygenius and Semgrep

Policygenius runs Semgrep from a Docker image as a diff scan, so only the code changed in a pull request is scanned. Language-specific rulesets are run to find issues in the code. Semgrep alerts the security team through its email and Slack integrations if there is an issue.

The team at r2c has been making Semgrep blazing fast so that the security engineers do not have to wait for hours to get results. Semgrep met Policygenius’ speed expectations by running 600+ rules in a couple of minutes!

Reliability is high on Policygenius’ priority list. Since adopting Semgrep back in November, it has had more than 99% uptime. With Semgrep, Policygenius has been able to shift left by detecting issues before hitting production. The rule-based nature of Semgrep has enabled developers to learn about secure coding practices.

As mentioned before, Jessica was looking for a solution with a low number of false positives. With Semgrep, she found out that the false positive rate was less than 1%. Due to this low number, the team at Policygenius could focus on fixing actual security issues.

“The developers don’t even know it is running!”


The Semgrep App makes policy enforcement easy. Policygenius has been able to add specific rulesets for specific repositories, add new rules, and change rules easily with the Rule Board.

Looking forward

Jessica is looking forward to involving the developers more in the security process, thus helping Policygenius shift left. r2c introduced Developer Feedback and the Editor in February 2022. Policygenius is looking forward to integrating these features soon. With Developer Feedback, the developers can also help weed out the false positives. The Editor gives a single pane of glass to security and developer teams to collaborate on adding, deploying, and enforcing rules.

Conclusion

Jessica and her team are highly appreciative of the support from r2c to help boost their security posture. Policygenius is excited to utilize the power of Semgrep fully.

About


Semgrep is a fast, open-source code scanning tool for finding bugs, detecting dependency vulnerabilities, and enforcing code standards.

Code scanning at ludicrous speed

Find bugs and enforce code standards