CASE STUDY How Jobcase Optimizes Cloud Security in a DevOps World

Jobcase is a “people-first’ social platform with a mission to empower the world’s workers, and with over 105 million members and 25 million unique visitors per month, Jobcase is succeeding in helping people manage and improve their work lives. The company has been helping many frontline workers during the COVID-19 pandemic, providing resources for navigating unemployment and creating filters for remote-only work.

Modernizing IT Strategy

Patrick Hetherton, VP of Technical Operations at Jobcase, has spent the past four years helping Jobcase transform to a modern IT strategy. Traditionally, at Jobcase, the developer and operations teams worked in siloes and the processes were manual and slow.

As user demand for Jobcase’s platform was growing rapidly, businesses realized they needed to move fast and build things right the first time through better collaboration between developer and operations teams. Over the years, since Hetherton joined, Jobcase has embraced a DevOps mindset and transitioned completely to building infrastructure as code. The teams now extensively use templates, document best practices, and automate processes using CI/CD pipelines. With the automation of software development (Dev) and IT operations (Ops) processes, embedding security best practices in the mix was the natural next step for Hetherton's team.

We’ve had to pivot very quickly in these times, and [CloudHealth Secure State] has been a good mix of security and velocity that has kept us going to make sure Jobcase is meeting the needs of its customers.

— Patrick Hetherton, VP of Technical Operations, Jobcase

Transitioning to DevSecOps with CloudHealth Secure State

Jobcase adopted CloudHealth Secure State, from VMware to improve cloud security, with a focus on implementing best practices especially those required to ensure member privacy and encryption of sensitive data resources. Each team at Jobcase operates differently with unique needs, so the question was: how can we work with each team to understand their specific security concerns without slowing down development speed?

CloudHealth Secure State allowed Jobcase to build out their foundation for DevSecOps success. As a total Amazon Web Services (AWS) shop, Jobcase started by monitoring all the production accounts with CloudHealth Secure State. With baseline security visibility, the team focused on identifying most critical misconfiguration risks and suppressing noise that was irrelevant for it’s teams. Jobcase also leveraged CloudHealth Secure State integration with AWS GuardDuty to better prioritize threat events and detect malicious activity. Being able to easily visualize all of the AWS services, key relationships, and associated security risks within the CloudHealth Secure State platform was a huge benefit for Patrick’s team. The team then set up slack alerts for developers to be notified on security vulnerabilities and built a plan to gradually remediate them.

As Jobcase’s developer teams relied heavily on using CloudFormation templates and automated CI/CD processes, the team then focused on building guardrails that would help developers avoid critical security mistakes and build things more securely from the beginning. The team started by creating custom security checks that prevented assets deployed using templates with significant configuration drifts from being released into production. Next, the team leveraged CloudHealth Secure State findings API to detect high severity security risks within their GitHub pipeline and respond immediately with remediative action.

jobcase transitions to devsecops with secure state

Automation is a key piece of Jobcase’s cloud security journey and the team consistently keeps the mantra: “rapid, reliable, repeatable” top-of-mind when creating new security policies. As automation helped the team scale security controls, communication was important to ensure efficiency.

Hetherton emphasized that building and implementing automation policies takes time and collaboration is key: “It’s a marathon, not a sprint. We go back and forth with the development teams a lot to make sure we’re addressing their needs and concerns while still being able to turn out a quality product quickly.”

Jobcase shared the following tips for successful DevSecOps:

Filter out irrelevant noise before pushing it down to development
Understand that it’s impossible to eliminate all vulnerabilities in the development stage
Focus on protecting accounts with sensitive data and eliminating critical vulnerabilities that are easy to identify first
Train developer on security basics
Embrace automation and build operational discipline around the usage of scripts to remove human error

Optimizing Through COVID-19

There have been mass layoffs across the globe due to COVID-19, and Jobcase makes the job search seamless during this difficult time with a four-pronged approach: Personalization, Tools, Community, and Advocacy.

“Obviously during the pandemic there’s been a large focus on frontline workers and making sure they’re supported,” Hetherton shared. Through job search personalization, resume-building tools, and an online community, Jobcase is able to accommodate any type of job search, including remote-only jobs and night shifts. Delivering secure cloud operations is absolutely critical to Jobcase’s mission of empowering the world’s workers.

Check out Jobcase’s full CloudLIVE session to learn how the team optimizes cloud security.