HouseRx is a HealthTech startup founded in 2021 that provides specialty clinics, such as oncology and rheumatology practices, with medically integrated dispensing. It also handles pharmaceutical due diligence, care coordination, and prior approvals for patients, so that they can walk out of their clinic with the right medication in hand. The company recently raised its Series A, and as a new entrant in a highly regulated industry, it was clear from the outset that security had to be a first-order priority in its technical strategy.
Joshua Willis, Director of Cybersecurity and IT, comes from a HealthTech and security background: he was previously at Flatiron Health, which provides sanitized medical data for drug trials and other analyses, and before that spent more than a decade at the CIA. He joined HouseRx knowing he would need to build a security program from the ground up, covering code and stack security as well as regulatory compliance.
With an ambitious goal of changing the way patients receive specialty pharmaceutical care, the founders and investors wanted the security program up and running quickly, both to comply with leading standards such as HIPAA and SOC 2 and to ensure their clients' data was properly protected. Like most early-stage startups, however, all of this had to be achieved economically, without slowing developers down, and with a lean and agile team.
The Tech Stack
As a modern engineering organization, HouseRx was born in the cloud as a typical web application on a common cloud-native stack: running on AWS, with GitHub for source control, Terraform for infrastructure as code, CircleCI for CI/CD, and PostgreSQL on RDS on the backend. While Joshua's expertise was, for the most part, in infrastructure, network, and cloud security alongside compliance (in his words, "the most boring part of security"), he knew he would need to dive deeper into application security (AppSec) to ensure they had the necessary coverage for the application and its entire stack.
This was when he started to explore the different tools in the industry, from DIY open-source tools such as OWASP ZAP and Semgrep to commercial products such as Snyk, ShiftLeft, and Black Duck. Arriving at HouseRx and still getting to know the tech stack and the code that runs on it, he needed something quick and affordable.
Jit vs. Other Tools vs. DIY
Joshua set to work qualifying tools in the ecosystem. While the commercial tools produced relevant output, they had two significant downsides. They were far from affordable, charging not only per developer seat but, at times, per control needed to cover the stack end to end, from infrastructure through code, APIs, and more. They also didn't always produce actionable output that he could take to a developer and say, "you need to do this or fix this."
Being economically minded, he decided to roll out open-source security tools himself and integrate them into his CI/CD pipeline and stack to get the coverage he knew they needed. He started with ZAP and Semgrep, but found that the effort of configuring, deploying, and tuning the tools to get the output he needed was a huge time sink and hard to maintain.
That was when he discovered Jit, which came with the same open-source tools he had been trying to integrate manually, such as ZAP and Semgrep, out of the box. Jit simply did this much faster and cleaner, with an understandable backlog and output. It also integrated quickly with the tools they were already using in-house, delivering alerts in both Slack and GitHub, so he and the developers got alerts where they needed them.
A single consolidated platform that provided full coverage for their entire stack with an understandable, unified output made Jit easy to use for him and the entire development team, as well as much more economical.
The Jit Developer Experience
Joshua was able to onboard and configure Jit quickly himself using the getting-started wizard: it was simple to connect GitHub, then AWS, and finally the CloudFormation stack that runs automatically. He was surprised by how quickly it was done after his earlier DIY rollout of the same tools. It was apparent from the outset that Jit was built with developer experience at its core, and it was easy to translate its value to the developers.
By sharing the Jit diagram and workflow in the company Notion, it was clear to developers where Jit comes into play in their development process and what to expect. In addition, because the full-stack capabilities are delivered through open-source tooling that has earned industry and community trust, the engineering team quickly built confidence in the platform over proprietary security scanners that lack that openness and community adoption. Another valuable outcome was developers' visibility into alerts on their own PRs in Slack and GitHub, which helped them improve their code and security practices based on these flags.
“It feels like I have a small team of security engineers who are doing the work for me automatically––just by having this platform.”
Jit also gave HouseRx the confidence to hire a junior application security engineer, who gained considerable value and security experience just by using Jit. Every alert provides detailed context about the vulnerability or security issue, which let the AppSec engineer deepen their expertise and even offload fixes from developers by pushing fix PRs directly through the auto-remediation Jit provides.
Simplifying Regulatory Compliance Processes
Operating in a highly regulated industry meant that HouseRx quickly had to achieve compliance with leading industry standards, such as HIPAA for the privacy and security of protected health information (PHI) and SOC 2. Jit helped check the required boxes for vulnerability scanning, code analysis, and dependency checks, and Joshua was even able to share screenshots from within Jit and the comments it produces with auditors to demonstrate the real-time security coverage it provides.
With considerable overlap between the two standards, Jit provided the technical coverage and controls needed to streamline both compliance processes significantly.
Jit in Practice with the HouseRx Dev Team
From Joshua's experience, Jit has saved HouseRx more than once when developers committed passwords and API keys to development branches. Jit flagged these immediately, and HouseRx was able to stop them from reaching production; had Jit not flagged them, they are not sure they would have been caught before deployment. On more than one occasion the engineering team was made aware of these just in time thanks to Jit's alerts, and in some cases had to ask GitHub to purge the commits from history so the secrets would not remain in the wild. (A credential that has already been pushed to a shared remote should also be treated as exposed and rotated, since rewriting history does not recall copies that were already fetched.)
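The kind of check described above, as an added example that is neither Jit's code nor HouseRx's: a small Python scanner that walks a unified diff, looks only at lines the commit adds, and flags an AWS access key ID by its documented prefix shape and generic credential assignments whose quoted value has high Shannon entropy (so that placeholders such as `xxxxxxxx` are not reported). The keyword list, the entropy threshold, and the sample diff are all constructed for this illustration; the `AKIA...` value is the example access key ID AWS uses in its own documentation, not a live key.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Constructed sample diff (not from HouseRx's repository). The AKIA... value is the
# example access key ID that AWS uses in its own documentation, not a live key.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,2 +1,6 @@
 DEBUG = False
-AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+DB_PASSWORD = "S3cr3t-Passw0rd-9xQ2"
+LOG_LEVEL = "INFO"
+API_BASE = "https://api.example.com/v1"
+SECRET = "xxxxxxxxxxxxxxxx"
"""

# AWS access key IDs have a fixed, documented shape ("AKIA" + 16 upper-case
# alphanumerics), so they are matched exactly rather than by entropy.
AWS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# Generic rule: a credential-like name assigned a quoted literal of 8+ characters.
# The keyword list is an assumption for this example; real scanners carry many more.
CREDENTIAL_RE = re.compile(
    r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*[\"']([^\"']{8,})[\"']"
)
ENTROPY_THRESHOLD = 3.5   # bits/char, chosen for this example; English text sits around 3-3.5
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


@dataclass
class Finding:
    path: str
    line: int        # line number in the new version of the file
    rule: str
    redacted: str    # the full secret is never stored or printed


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; 0.0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(secret: str) -> str:
    return secret[:4] + "*" * (len(secret) - 4)


def match_rules(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (rule, secret) for every rule that fires on one line of text."""
    for m in AWS_KEY_RE.finditer(text):
        yield "aws-access-key-id", m.group(0)
    for m in CREDENTIAL_RE.finditer(text):
        value = m.group(2)
        # Placeholders such as "xxxxxxxx" or "changeme" have low entropy; skip them.
        if shannon_entropy(value) >= ENTROPY_THRESHOLD:
            yield "high-entropy-credential", value


def scan_diff(diff_text: str) -> List[Finding]:
    """Scan only the lines a commit adds; removed lines never reach the new tree."""
    findings = []
    path, new_line = None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:]
            path = path[2:] if path.startswith("b/") else path
            continue
        if raw.startswith("--- ") or raw.startswith("diff "):
            continue
        hunk = HUNK_RE.match(raw)
        if hunk:
            new_line = int(hunk.group(1))   # first new-file line of this hunk
            continue
        if raw.startswith("+"):
            for rule, secret in match_rules(raw[1:]):
                findings.append(Finding(path, new_line, rule, redact(secret)))
            new_line += 1
        elif raw.startswith(" ") or raw == "":
            new_line += 1   # context line: present in both versions
        # lines starting with "-" are removals and do not advance new_line
    return findings


if __name__ == "__main__":
    for f in scan_diff(SAMPLE_DIFF):
        print(f"{f.path}:{f.line} {f.rule} {f.redacted}")
```

Run against the output of `git diff --cached` in a pre-commit hook or against the PR diff in CI; a non-empty result should fail the check. Only the redacted form of a match is kept, so the scanner's own logs do not become a second copy of the secret.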
Another real-world example is security groups. With all of their cloud infrastructure defined as code in Terraform, security groups were often not configured correctly. Jit flagged these immediately, before the misconfigured security groups could be applied to production systems, and this also helped the engineers learn how to better secure their keys, security groups, and systems.
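One way to catch such a security group before it is applied, as an added example and not Jit's own check: a Python function over the JSON that `terraform show -json <planfile>` produces, flagging ingress rules that are open to 0.0.0.0/0 or ::/0 on anything other than ports 80 and 443, for both inline `aws_security_group` ingress blocks and standalone `aws_security_group_rule` resources. The plan excerpt, the resource names, and the allowed-port list are constructed for this example; the corrected rule uses 203.0.113.0/24, a documentation prefix from RFC 5737.

```python
import ipaddress
import json
from dataclasses import dataclass
from typing import List

# Ports that may legitimately be reachable from the whole internet on a public
# web tier. An assumption for this example; tune per environment.
ALLOWED_PUBLIC_PORTS = {80, 443}

# Constructed excerpt of `terraform show -json` output (not HouseRx's plan). It holds
# a misconfigured bastion group (SSH from anywhere), a web group that is fine, a DB
# group restricted to the VPC, a corrected standalone rule that limits SSH to an
# office range, and a deletion whose "after" is null.
SAMPLE_PLAN = json.loads("""
{
  "resource_changes": [
    {"address": "aws_security_group.bastion", "type": "aws_security_group",
     "change": {"actions": ["create"], "after": {"ingress": [
        {"from_port": 22, "to_port": 22, "protocol": "tcp",
         "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []}]}}},
    {"address": "aws_security_group.web", "type": "aws_security_group",
     "change": {"actions": ["create"], "after": {"ingress": [
        {"from_port": 443, "to_port": 443, "protocol": "tcp",
         "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": ["::/0"]}]}}},
    {"address": "aws_security_group.db", "type": "aws_security_group",
     "change": {"actions": ["create"], "after": {"ingress": [
        {"from_port": 5432, "to_port": 5432, "protocol": "tcp",
         "cidr_blocks": ["10.0.0.0/16"], "ipv6_cidr_blocks": []}]}}},
    {"address": "aws_security_group_rule.bastion_ssh", "type": "aws_security_group_rule",
     "change": {"actions": ["create"], "after": {"type": "ingress",
        "from_port": 22, "to_port": 22, "protocol": "tcp",
        "cidr_blocks": ["203.0.113.0/24"], "ipv6_cidr_blocks": null}}},
    {"address": "aws_security_group.old", "type": "aws_security_group",
     "change": {"actions": ["delete"], "after": null}}
  ]
}
""")


@dataclass
class Finding:
    address: str
    protocol: str
    from_port: int
    to_port: int
    cidrs: List[str]


def is_world_open(cidrs) -> bool:
    """True if any CIDR is the whole IPv4 or IPv6 address space (prefix length 0)."""
    return any(ipaddress.ip_network(c, strict=False).prefixlen == 0 for c in cidrs)


def exposes_non_web_port(from_port: int, to_port: int, protocol: str) -> bool:
    """True unless the rule covers only ports on the public allow-list.

    In AWS, protocol "-1" means all protocols and ports (port fields are then 0-0)."""
    if protocol == "-1":
        return True
    return bool(set(range(from_port, to_port + 1)) - ALLOWED_PUBLIC_PORTS)


def audit_plan(plan: dict) -> List[Finding]:
    """Walk resource_changes and report ingress rules open to the world on ports
    outside ALLOWED_PUBLIC_PORTS. Run in CI against the plan so the change is
    rejected before `terraform apply`."""
    findings = []
    for rc in plan.get("resource_changes", []):
        after = (rc.get("change") or {}).get("after")
        if not after:        # deletions, or values not known until apply
            continue
        rtype = rc.get("type")
        if rtype == "aws_security_group":
            rules = after.get("ingress") or []
        elif rtype == "aws_security_group_rule" and after.get("type") == "ingress":
            rules = [after]
        else:
            continue         # egress-only rules and unrelated resources
        for r in rules:
            cidrs = (r.get("cidr_blocks") or []) + (r.get("ipv6_cidr_blocks") or [])
            if is_world_open(cidrs) and exposes_non_web_port(
                r["from_port"], r["to_port"], r["protocol"]
            ):
                findings.append(Finding(rc["address"], r["protocol"],
                                        r["from_port"], r["to_port"], sorted(cidrs)))
    return findings


if __name__ == "__main__":
    for f in audit_plan(SAMPLE_PLAN):
        print(f"{f.address}: {f.protocol} {f.from_port}-{f.to_port} open to {f.cidrs}")
```

Checking the plan rather than the `.tf` source means variables, modules, and `count`-expanded resources are already resolved, so the check sees the exact rules that would be applied. Values that Terraform cannot know until apply show up as absent from `after` and are skipped here; a stricter pipeline would treat those as failures too.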