Cycode vs Legit Security comparison

 

Comparison Buyer's Guide


Categories and Ranking

                                                  Cycode                            Legit Security
Ranking in Software Supply Chain Security         9th                               7th
Ranking in Application Security Posture
  Management (ASPM)                               4th                               3rd
Average Rating                                    0.0 (no reviews yet, so no rating) 10.0 (from 4 reviews)
Number of Reviews                                 0                                 4
Ranking in other categories                       Static Application Security       No ranking in other categories
                                                  Testing (SAST) 33rd, Software
                                                  Composition Analysis (SCA) 19th
 

Mindshare comparison

As of June 2024, in the Software Supply Chain Security category, Cycode's mindshare is 20.5%, down from 20.8% the previous year. Legit Security's mindshare is 9.1%, down from 18.1% the previous year. Mindshare is calculated from PeerSpot user engagement data, so it reflects reader interest on this site rather than market share or product capability.

Categories in which only Cycode is ranked (Legit Security has no figure):
Static Application Security Testing (SAST): 0.3%
Software Composition Analysis (SCA): 1.2%
 

Featured Reviews

Karl Mattson, PeerSpot reviewer (review of Legit Security)
Oct 24, 2023
Great visibility, excellent support, and integrates well with other tools

We're a start-up. We only had about 40 or 50 developers at the time we started with Legit, and essentially, we didn't have a well-defined SDLC. We performed scanning and penetration testing; however, we didn't really have a process from start to finish to ensure the integrity of the software and to track the remediation of findings and those kinds of tasks. Legit was a green field for us in terms of selecting a technology and then, to some degree, designing our policy and process around it.

The most important feature is the surfacing out of the noise of other scanning technologies. We're getting out of the noisy platforms and focusing our developers on the remediation of the actual highest-risk findings. It's really focused on our efficiency in those areas. It also serves as identification of those individual instances where a developer made a mistake, where they might include hard-coded credentials or what appears to be production data used in a test script. Those are the breadcrumbs to a breach. Legit is paying for itself time and time again by finding those and allowing us to remediate those quickly.

We have it connected to over 100 repos. The visibility is excellent. It is the primary and the only visibility that we need into the development. The reports at the end of the pipeline are great. It's complete in that sense. It's the only tool that I've seen that can put all the pieces together in terms of visibility, policy enforcement, and vulnerability identification under one pane of glass. It's important for our organization to have this unified application security control. We are a software company, so this is the primary crown jewel of security control. Our primary risk factor to consider is the security of the software. That is the centerpiece of our attention. The unified application security control plans and risk-scoring comparisons of teams and pipelines are useful. It gives us a certain direction and, in the macro sense, I value it.

Personally, I don't put a lot of weight behind the scores except for their directionality. We get a sense over time of direction, and that's very useful. For example, when a 67 goes up to a 90, I know that's a good thing, and we're making progress, or vice versa.

We integrate Legit with other application tools. It's integrated with a handful of tools. We use it with our single sign-on through Okta, and then also with our code repositories, CI/CD pipelines, and ticketing systems. The incidents all go to our SIEM. Legit's ability to integrate with AppSec implications and tools somewhere else is easy. Once we've established those API connections, there is little maintenance.

It's helped our organization shift security left. It just makes shift left executable; enabling us to shift the security controls left as far as possible is absolutely necessary. Legit helped our organization reduce the risk of attacks, particularly when we see things like a developer mistake or major coding error. Those are the breachable moments that Legit picks up on, and we can remediate very quickly. Legit has had a positive effect on our overall security posture. We have a very healthy posture, which importantly starts just by having completeness of visibility, knowing exactly what we have and knowing exactly what our vulnerabilities are, and having trust in the process. On any given day there are always going to be vulnerabilities. To have that procedural integrity of the software development process, that's huge.

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Pricing and Cost Advice

Cycode: information not available
Legit Security: "The pricing is reasonable."
787,779 professionals have used our research since 2012.
 

Top Industries

By visitors reading reviews (Cycode, then Legit Security, in the page's column order)

Cycode                               Legit Security
Manufacturing Company        15%     Computer Software Company    22%
Financial Services Firm      10%     Financial Services Firm      11%
Computer Software Company     9%     Pharma/Biotech Company       11%
Insurance Company             6%     University                   10%
 

Company Size

By reviewers (Large Enterprise / Midsize Enterprise / Small Business)
Cycode: no data available
Legit Security: no data available
 

Questions from the Community

What do you like most about Legit Security?
The true value proposition of Legit lies not in its features but in its ability to support our product security program's focus on creating guardrails instead of toll gates.
What needs improvement with Legit Security?
Legit Security's secret detection works. However, there are some limitations to its effectiveness. One issue is that engineering teams don't always embed secrets in the same way, making it difficul...
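The hard-coded credentials the featured review describes and the limitation in the answer just above (engineering teams embed secrets in different ways) both come down to how a scanner decides that a string is a secret. The Python sketch below is an added example for this page, not Cycode's or Legit Security's detection code: it combines signature rules for well-known token formats with a Shannon-entropy heuristic on quoted values assigned to sensitive-looking names, and runs over a constructed sample file. The 3.5 bits-per-character threshold, the placeholder list and the sample lines are assumptions made for the example.

```python
"""Secret scanner sketch: signature rules plus an entropy heuristic.

Added example for this comparison page. It is NOT Cycode's or Legit
Security's detection logic; the token patterns are documented public
formats, while the threshold and the sample source lines are assumptions
constructed for illustration.
"""
import math
import re
from collections import Counter

# Rule 1: signatures for well-known token formats (public prefix conventions).
SIGNATURE_RULES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Rule 2: a quoted literal assigned to a sensitive-looking name (code or YAML style).
ASSIGNMENT = re.compile(
    r"(?i)\b(?P<name>[a-z0-9_]*(?:secret|password|passwd|token|api_?key)[a-z0-9_]*)"
    r"\s*[:=]\s*['\"](?P<value>[^'\"]{8,})['\"]"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed cut-off for this example
PLACEHOLDERS = {"changeme", "password", "example", "xxxxxxxx", "<redacted>"}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (log2 of the alphabet size when all chars differ)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_line(line: str, lineno: int = 0) -> list:
    """Return the findings for one source line."""
    findings = []
    for rule, rx in SIGNATURE_RULES.items():
        for m in rx.finditer(line):
            findings.append({"line": lineno, "rule": rule, "match": m.group(0)})
    for m in ASSIGNMENT.finditer(line):
        value = m.group("value")
        if value.lower() in PLACEHOLDERS:
            continue  # obvious dummy values would otherwise drown developers in noise
        ent = shannon_entropy(value)
        if ent >= ENTROPY_THRESHOLD:
            findings.append({"line": lineno, "rule": "high_entropy_assignment",
                             "match": value, "entropy": round(ent, 2)})
    return findings


def scan(source: str) -> list:
    """Scan a whole file's text; line numbers are 1-based."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        findings.extend(scan_line(line, lineno))
    return findings


# Constructed sample source. The AWS key is Amazon's documented example value;
# the GitHub token is a made-up string of the right shape, not a real credential.
SAMPLE = """aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"
db_password = "changeme"
DB_PASSWORD: "Tq9#vL2mX!8rZp4Ws"
api_key = "sk_live_" + "Q7fR2" + "mN9xL"
# TODO remove before release: ghp_0123456789abcdefghijABCDEFGHIJ012345
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
    # Line 4 produces no finding: the secret is split across concatenations, so the
    # quoted fragment "sk_live_" is short and low-entropy when judged on its own.
```

Running the block yields three findings (the AWS key on line 1, the YAML password on line 3, the GitHub token on line 5) and misses line 4, where the secret is assembled from concatenated fragments: each fragment is too short and too uniform to clear the entropy threshold. That is the kind of embedding variation the answer above points at, and it is why a scanner's handling of assignments, concatenation and templating matters as much as its pattern list; lowering the threshold trades those misses for false positives on ordinary strings.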
 


Overview

 

Sample Customers

Cycode: information not available
Legit Security: Google, NYSE, Kraft Heinz, Takeda Pharmaceuticals, and many other large enterprise and Fortune 500 customers. Learn more by going to: https://www.legitsecurity.com/...
Find out what your peers are saying about Mend.io, Sonatype, JFrog and others in Software Supply Chain Security. Updated: June 2024.