Software First Companies Trust Cycode
See how our customers leverage the Cycode platform to build and deliver secure applications.
Rapyd Uses Cycode to Scan for Secrets and to Secure Their Software Supply Chain
About Rapyd
Rapyd is the fastest way to power local payments anywhere in the world, enabling companies across the globe to access markets quicker than ever before. By utilizing Rapyd's unparalleled payments network and Fintech-as-a-Service platform, businesses and consumers can engage in local and cross-border transactions in any market. The Rapyd platform is unifying fragmented payment systems worldwide by bringing together 900-plus payment methods in over 100 countries. Rapyd's investors include Stripe, General Catalyst, Oak HC/FT, Coatue, Tiger Global, Durable Capital, Latitude, Target Global, and Tal Capital.
The Problem
Several years ago, Rapyd became concerned about developers hardcoding secrets in their source code and wanted to eliminate the problem. The company also wanted to secure its software supply chain given the sharp increase in the number of high-profile software supply chain attacks. Rapyd knew that any secrets in code would present a huge liability if their supply chain were ever compromised, so they wanted to solve both problems at once.Rapyd decided to evaluate solutions that could offer both secrets scanning and software supply chain security. Rapyd uses both Bitbucket and GitHub, so they needed a solution that easily integrated into both source control managers. Furthermore, as a fintech company in a highly regulated market, Rapyd chooses best-of-breed security solutions to secure their platform, so they wanted a solution that really stood out. Finally, Rapyd was highly concerned about generating more noise for the security team to deal with so they wanted a platform that would give highly accurate results.
The Cycode Solution
After evaluating several tools, Rapyd chose Cycode because the broad range of its solution covered hardcoded secrets, code leaks, and software supply chain security. Being able to gain visibility into their CI/CD pipeline was a huge advantage for Rapyd.
Rapyd also liked that Cycode had developed its own scanners. “We evaluated several vendors that either didn’t have their own scanners or their scanners created a lot of noise,” says Erez Mor, Director of Security Engineering at Rapyd. “Cycode really has developed a lot of in-house scanners that are built in a better way than the market standard.” Because of Cycode’s high-quality proprietary scanners, Rapyd deals with far fewer false positives compared with other solutions that they have used in the past. Fewer false positives means that the security team is more efficient and is able to focus on the issues that represent real risk.
Since implementing Cycode, Rapyd’s software development process now includes scanning for secrets before code is merged into the main codebase. This has had a significant impact on the way in which developers write code. Because Rapyd is consistently scanning for hardcoded secrets and developers know they will have to remediate any secrets before they merge code, the practice of hardcoding secrets has virtually stopped.
Though Rapyd initially adopted Cycode for hardcoded secrets scanning, leak detection and CI/CD security, the company has expanded into other use cases as well. Rapyd now uses Cycode as its Software Composition Analysis (SCA) solution. Developers scan their code for open source vulnerabilities as part of each pull request. If an issue is found, the security team assigns a Jira ticket to the owner of the affected repository for remediation. Cycode helps Rapyd use open source libraries to develop more secure code. When a vulnerable open source component is identified, Cycode helps Rapyd prioritize and remediate the vulnerability.
The Results
Cycode has given Rapyd’s developers a seamless experience and has provided the security, DevOps, and architecture teams with complete visibility into the various processes they manage on a daily basis. Cycode has been integrated into many points throughout Rapyd’s SDLC, including their source control systems, CI/CD tools like CircleCI and Jenkins, and more. “All the security teams at Rapyd started to work with Cycode as one of the main solutions in order to constantly improve our overall security posture,” says Mor. “Cycode allows us to see the different systems across the different software development pipelines.” By eliminating hardcoded secrets and providing full visibility, Cycode has helped Rapyd to significantly reduce risk.
Because Cycode offers a comprehensive platform, Rapyd is able to do more with one solution. With Cycode, Rapyd has best-of-breed secrets and leaks detection, CI/CD security, and an SCA solution. “Over the last year, tool consolidation and saving money has become more important. With Cycode, we can do a lot on one platform,” says Mor.
“At the end of the day, Cycode gives each team more focused visibility on the things they are responsible for.” This reduces the friction between teams and increases productivity when resolving security issues. “One of our internal goals is to increase collaboration between security and R&D,” says Mor. “Cycode helps us achieve this by improving our workflows and reducing the noise generated by security so that both engineering and security teams are more efficient and work better together.”
“Cycode provides us with great visibility across the developer and devops pipelines. Cycode can also complete the cycle and provide you with the visibility to your cloud workloads so you have complete visibility from code to cloud.”
