Cycode Gives Kyriba the Visibility to Meet Rigorous Compliance Standards
About Kyriba
Kyriba empowers CFOs, treasurers, and their IT counterparts to transform liquidity as a dynamic, real-time vehicle for growth and value creation. Kyriba is a secure, scalable SaaS platform that leverages artificial intelligence, automates payments workflows, and enables thousands of multinational corporations and banks to maximize growth, protect against loss from fraud and financial risk and reduce operational costs. For more than 2,500 clients worldwide, including 25% of Fortune 500 and Euro Stoxx 50 companies, Kyriba manages more than 1.3 billion bank transactions per year, and 250 million payments for a total value of $15 Trillion annually. Kyriba is headquartered in San Diego, with offices globally.
The Challenge
“At our core, Kyriba is a fintech. We interface with a lot of international banking networks and because of this, there are a lot of compliance standards that we must adhere to,” says Zachary Padilla, Lead Cyber Security Engineer. The company follows a number of compliance standards including SOC 1, SOC 2, ISO 27001, and Swift, a banking industry standard. Kyriba uses Bitbucket Cloud as its Source Control Manager (SCM) and was concerned about the lack of visibility into this system. “From a compliance standpoint, we had a huge dark spot in our visibility,” says Padilla. “Our SCM was essentially a black box. It does not allow insight into raw data such as who is checking in or branching code.”
Kyriba needed visibility and monitoring around a group of engineers who had access to Bitbucket Cloud. At the time, several years ago, Kyriba was a smaller development shop. Because of this, they had several engineers who had access to code in development as well as access to physical production environments. The company wanted to be able to mark these users who could make changes to code and push it out to production as high risk so that they could be closely monitored. Without this extra layer of control, Kyriba was at risk of failing their audits for separation of duties.
At first, Kyriba tried to build their own solution. They created a system in which every file commit triggered a notification to an email address. Unfortunately, this system generated a great deal of noise and quickly became unmanageable. Bitbucket Cloud does not expose as many API endpoints as other SCMs do. Kyriba quickly realized that they needed a solution that could harness the Bitbucket API and also filter events, a capability missing in Bitbucket Cloud.
Kyriba considered several other vendors, but most were focused solely on external threat actors. Cycode was the only solution that provided the compliance, monitoring, and reporting that Kyriba required.
The Cycode Solution
“From the moment we looked at Cycode’s offering and started entering in credentials, we immediately started to get results,” says Padilla. “Based on the strength of Cycode’s solution, it was evident that Cycode was a better solution than trying to build our own. With Cycode, we gained a proven product and were able to hit the ground running.” For Kyriba, the open API access and visibility into Bitbucket Cloud pushed the deal over the line.
Throughout the process, Kyriba found that Cycode was very responsive to their needs. “Cycode was extremely agile and willing to accept feedback on features, which really puts your mind at ease that you’re not going to be dumped into a big pile once you sign up,” says Padilla. In addition, deployment was very easy. “We simply gathered credentials and plugged them in. To this day, there haven't been any deployment issues. Cycode just works and it works right away.”
One of the benefits of deploying Cycode is its out-of-the-box policies. “Having the library of policies allowed us to get value right away,” says Padilla. “Cycode doesn’t require you to start from scratch. There’s no need to stare at a blank page. There’s a whole library of best practices, which you can modify if you need, then tune to your needs - maybe turn them down if they’re too chatty in a particular environment.” Padilla found that very little customization was required. “The first year using Cycode we hardly touched it. The level of alerting right out of the box met our needs.”
Based on the data coming out of Cycode, including the visibility into Bitbucket Cloud, Kyriba is able to effortlessly generate a report for their SOC 2 audits. Without Cycode, Kyriba was not able to perform the level of monitoring required. Cycode is now an integral part of Kyriba’s audit process. According to Padilla, "Cycode has become a very valuable tool for our separation of duties audit pain point."
Though compliance was Kyriba’s primary concern, the company quickly realized that there was a lot more useful data coming out of the Cycode platform. As with many companies, hardcoded secrets represent a significant risk to Kyriba, so the company adopted a phased approach. Once they had successfully solved their compliance needs, the company implemented Cycode’s Secrets and Leaks use cases to scan for hardcoded secrets.
Now Kyriba uses Cycode to continuously scan their code for secrets. When a hardcoded secret is identified by Cycode, Kyriba’s application security team notifies the solution owner immediately. If the secret is high risk, the security team advises the solution owner to use secure storage and rotate out the secret. At Kyriba, Cycode has been integrated with Jira to automatically create a ticket to ensure the change is made.
The Results
Kyriba has hundreds of repositories in Bitbucket Cloud. Without Cycode, it would be very difficult to manage all these repositories manually. The single view provided by Cycode to monitor all of Kyriba’s code repositories saves significant time, resources, and money.
In addition, “Cycode’s ease of use has been fantastic,” says Padilla. “Cycode doesn’t impose itself as a system. It allows you to pay attention to what’s important - the actual credential leak or policy violation - instead of making you jump through some process that is defined somewhere else. With Cycode, it’s set it and forget it, which allows us to focus on the critical violations. Cycode doesn't eat up a bunch of our time managing it. It facilitates going about your day without having to worry about the tool itself.”
As Kyriba has grown to more than 800 employees on the engineering team, the security and compliance teams have grown significantly as well. The company has many more areas of security concern, which has required more automation of systems. The feature set offered by Cycode has grown considerably over the past couple of years, keeping pace with Kyriba’s increased needs. Despite Kyriba’s rapid growth, they have never had a problem with Cycode scaling to meet their needs. “Unlike other tools, we have never had an issue where Cycode is what’s holding us back.”
Meeting fintech’s stringent compliance standards, however, is still the biggest benefit Cycode provides to Kyriba. “Without the visibility that Cycode gives us, many of the biggest companies in the world would not do business with us,” says Padilla. “In terms of ROI, it would be pretty catastrophic to have any breaks in any of our compliance reports. To provide financial services to large companies, you have to follow the rules. Cycode has provided that pillar for us and has allowed us to pursue those largest companies and do business with them to expand our business.” As Padilla sums it up, “Cycode has provided us with a level of trust that has allowed us to grow and expand.”