Unity Doubles Security Coverage and Drives Developer Engagement with Cycode
Summary
Unity, a global leader in real-time 3D software, faced significant application security challenges. Growth through acquisitions had resulted in a complex application portfolio, multiple source code management (SCM) systems, and fragmented security scanners. Unity struggled to ensure application security testing coverage and guardrails were in place. Furthermore, a homegrown ASPM tool proved difficult to maintain and lacked key capabilities.
Unity needed to consolidate application security testing, software supply chain, and application security posture management (ASPM) capabilities in a single platform that enabled them to build and integrate tailored tools and processes.
By replacing multiple point solutions with Cycode, Unity doubled security tool coverage across the application portfolio, streamlined prioritization, and boosted developer engagement. Unity leverages Cycode’s API to optimize workflows for project creation, ownership mapping, risk prioritization, and ticketing. This has resulted in more efficient and proactive remediation of application risks across a complex, multi-SCM environment.
About Unity
Unity is a premier technology company renowned for its platform, enabling the creation and operation of interactive, real-time 3D content. While initially known for game development, Unity's extensive acquisitions have expanded its offerings to include a comprehensive suite of capabilities such as chat services, advertising technology, and virtualization. This expansion has broadened its reach beyond gaming into diverse industries like manufacturing, design, government, and medical, serving a wide array of customers globally.
The Challenge
Unity's aggressive acquisition strategy and growth resulted in a highly fragmented application security environment. The company struggled with complexity due to over 130 programming languages, four SCM systems, and four different security vendors just for software composition analysis (SCA). This complexity was compounded by a homegrown ASPM tool, "AppCollector," which was difficult to maintain, lacked user-friendliness, and provided inconsistent data. As a result:
- Security tool coverage was inconsistent, with many teams having gaps
- Compliance with application security policies was cumbersome to track and enforce
- Risk prioritization and remediation processes were difficult for security teams to manage across heterogeneous scanning and development environments
- Developer engagement suffered as engineers perceived security as an obstacle
The Solution
Unity’s selection criteria were clear: mature scanner technology, broad integrations, ASPM capabilities, a great developer experience, and a flexible API for custom automation. After thoroughly evaluating several vendors, Unity selected Cycode due to several key differentiators:
- Enterprise-Grade Scanning: Cycode's SCA capabilities were comparable to industry benchmarks like Snyk, offering robust scanning alongside significant ASPM value.
- Extensive Integrations: Its compatibility with existing tools such as SonarQube and Orca, combined with seamless integration across Unity's diverse SCM landscape (Plastic SCM, GitHub, GitLab, Bitbucket), was a critical advantage for Unity's complex environment.
- Developer Experience: The intuitive nature of Cycode's UI was anticipated to foster greater adoption and engagement among Unity's engineering teams.
- Rich and Flexible API: Cycode's API was a decisive factor, empowering Unity's internal engineering teams to build custom orchestration and automation. This allowed for effective bridging between Cycode's capabilities and Unity's unique operational environment.
The successful transition to Cycode was made possible through close collaboration between Unity and Cycode, demonstrating a strong partnership built on open communication and proactive issue resolution. Unity continuously challenges Cycode to optimize scanner performance, particularly for large monolithic applications and repositories, and actively engages in discussions regarding API stability and web interface performance. This ongoing collaboration ensures Cycode’s product capabilities evolve to meet Unity’s exacting standards, fostering shared success.
The Results
The implementation of Cycode fundamentally transformed Unity's Application Security program, yielding significant technical and operational improvements and fostering a more engaged security culture.
Doubled Security Tool Coverage and Compliance: Cycode dramatically increased Application Security tool coverage across Unity's repositories from approximately 45-50% to nearly complete. This provided centralized, clear data on scan status and finding resolution, strengthening Unity's SSDLC compliance measurement and offering unprecedented visibility.
Streamlined Onboarding and Automation: Cycode dramatically simplified repository onboarding, enabling Unity to rapidly deploy its entire code structure into the platform through automation. PR scanning became a "turn the switch" operation, embedding security checks earlier in the development lifecycle. Unity leveraged Cycode's API to integrate its internal services, such as:
- Code Ownership: Accurate and validated ownership information was automatically fed into Cycode, overriding default settings.
- Project Creation: Organizational data was used to automatically create and synchronize project structures within Cycode, facilitating rapid deployment and ongoing management.
- Custom Risk Scoring: Unity enhanced Cycode's native risk model by integrating its own business risk calculations using Cycode's labeling features. This allowed for tailored Service Level Agreements (SLAs) based on factors like critical functionality (e.g., PII handling, payment processing, API gateways), providing more relevant remediation priorities.
- Ticketing Automation: Unity integrated its custom "Ticketmaster" service with Cycode via webhooks to automate the creation and assignment of tickets for high and critical findings in Jira On-Prem, accommodating complex custom fields and maintaining a two-way sync.
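The custom risk scoring and ticketing automation described above can be sketched as a small webhook consumer. The following is an added example, not Unity's "Ticketmaster" service or Cycode's code: the webhook payload shape, the label names, the SLA table, and the in-memory ticket store are all assumptions made for illustration, and Cycode's real webhook schema and Jira's API would differ. It shows the three decisions such a service has to make on each event: whether the severity crosses the ticketing threshold, which SLA the project's business-risk labels imply, and whether the finding is already tracked (so re-scans do not open duplicate tickets and a "resolved" event closes the existing one, which is the core of a two-way sync).

```python
"""Webhook consumer that turns high/critical findings into SLA-bound tickets.

Added example (not Cycode's or Unity's code). Payload shape, label names,
SLA table and the ticket store are assumptions for illustration only.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Only these severities get a ticket opened automatically (assumed policy).
TICKETED_SEVERITIES = {"critical", "high"}

# Assumed business-risk labels on a project and the remediation SLA they imply.
SLA_DAYS_BY_LABEL = {"pii": 7, "payments": 7, "api-gateway": 14}
DEFAULT_SLA_DAYS = 30

# Fixed "now" so the example and its checks are deterministic.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)


@dataclass
class Ticket:
    key: str
    fingerprint: str   # scanner-side identity of the finding, used for dedup
    summary: str
    assignee: str
    due: datetime
    status: str = "open"


class TicketStore:
    """In-memory stand-in for Jira; keeps the finding->ticket map a two-way sync needs."""

    def __init__(self) -> None:
        self.by_fingerprint: Dict[str, Ticket] = {}
        self._counter = 0

    def create(self, fingerprint: str, summary: str, assignee: str, due: datetime) -> Ticket:
        self._counter += 1
        ticket = Ticket(f"APPSEC-{self._counter}", fingerprint, summary, assignee, due)
        self.by_fingerprint[fingerprint] = ticket
        return ticket


def sla_for(labels: List[str]) -> int:
    """Tightest SLA among the project's business-risk labels, else the default."""
    days = [SLA_DAYS_BY_LABEL[label] for label in labels if label in SLA_DAYS_BY_LABEL]
    return min(days) if days else DEFAULT_SLA_DAYS


def handle_webhook(event: dict, store: TicketStore, now: datetime = NOW) -> Optional[Ticket]:
    """Process one finding event; return the ticket created or closed, else None."""
    finding = event["finding"]
    fingerprint = finding["fingerprint"]
    existing = store.by_fingerprint.get(fingerprint)

    if event["action"] == "resolved":
        # Scanner says the finding is gone: close the tracked ticket, if any.
        if existing is not None and existing.status != "done":
            existing.status = "done"
            return existing
        return None

    if finding["severity"].lower() not in TICKETED_SEVERITIES:
        return None                     # below threshold: visible in the UI, no ticket
    if existing is not None:
        return None                     # already tracked: re-scan must not duplicate

    project = event["project"]
    owner = project.get("owner") or "appsec-triage"   # validated ownership, with fallback
    due = now + timedelta(days=sla_for(project.get("labels", [])))
    summary = f"[{finding['severity'].upper()}] {finding['title']} in {project['repo']}"
    return store.create(fingerprint, summary, owner, due)


# Constructed sample events in the assumed payload shape.
SAMPLE_EVENTS = [
    {"action": "created",
     "project": {"repo": "billing-service", "owner": "team-payments", "labels": ["payments"]},
     "finding": {"fingerprint": "fp-001", "severity": "critical",
                 "title": "Vulnerable dependency: example-lib 1.2.3"}},
    {"action": "created",
     "project": {"repo": "docs-site", "owner": None, "labels": []},
     "finding": {"fingerprint": "fp-002", "severity": "medium", "title": "Outdated dependency"}},
    {"action": "resolved",
     "project": {"repo": "billing-service", "owner": "team-payments", "labels": ["payments"]},
     "finding": {"fingerprint": "fp-001", "severity": "critical",
                 "title": "Vulnerable dependency: example-lib 1.2.3"}},
]


def run_demo() -> List[Optional[Ticket]]:
    """Replay the sample events, including a duplicate of the first, in order."""
    store = TicketStore()
    order = [SAMPLE_EVENTS[0], SAMPLE_EVENTS[1], SAMPLE_EVENTS[0], SAMPLE_EVENTS[2]]
    return [handle_webhook(e, store) for e in order]


if __name__ == "__main__":
    for result in run_demo():
        print(result)
```

Replaying the constructed events opens one ticket for the critical finding with a 7-day SLA from the "payments" label, ignores the medium finding, ignores the re-delivered critical event as a duplicate, and closes the ticket when the resolved event arrives. In a real deployment the fingerprint-to-ticket map would live in a database and the "done" transition would also flow back to the scanner, which is the second direction of the sync.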
Boosted Engineering Engagement: Engineering teams responded positively to Cycode's intuitive UI, leading to increased direct engagement with security findings. This resulted in a cultural shift, with engineers showing greater willingness to proactively resolve issues directly within Cycode, even for findings not automatically ticketed by the security team.
Ultimately, Cycode transformed Unity's fragmented application security landscape into a unified, efficient, and developer-friendly program, significantly enhancing coverage, streamlining operations, and fostering a proactive security culture.
See how Cycode can improve your Application Security Posture and Developer Experience. Learn more at www.Cycode.com