Case Study

How Jobcase Optimizes Cloud Security in a DevOps World

Jobcase is a “people-first” social platform with a mission to empower the world’s workers. With over 105 million members and 25 million unique visitors per month, Jobcase is succeeding in helping people manage and improve their work lives. The company has been helping many frontline workers during the COVID-19 pandemic, providing resources for navigating unemployment and creating filters for remote-only work.

Modernizing IT Strategy 

Patrick Hetherton, VP of Technical Operations at Jobcase, has spent the past four years helping Jobcase transform to a modern IT strategy. Traditionally, at Jobcase, the developer and operations teams worked in silos and the processes were manual and slow.

As user demand for Jobcase’s platform grew rapidly, the business realized it needed to move fast and build things right the first time through better collaboration between developer and operations teams. In the years since Patrick joined, Jobcase has embraced a DevOps mindset and transitioned completely to building infrastructure as code. The teams now extensively use templates, document best practices, and automate processes using CI/CD pipelines. With software development (Dev) and IT operations (Ops) processes automated, embedding security best practices in the mix was the natural next step for Patrick’s team.

Transitioning to DevSecOps with CloudHealth Secure State

Jobcase adopted CloudHealth Secure State (CHSS) to improve cloud security, with a focus on implementing best practices, especially those required to ensure member privacy and encryption of sensitive data resources. Each team at Jobcase operates differently with unique needs, so the question was: how can we work with each team to understand their specific security concerns without slowing down development speed?

CHSS allowed Jobcase to build out its foundation for DevSecOps success. As a total AWS shop, Jobcase started by monitoring all the production accounts with CHSS. With baseline security visibility, the team focused on identifying the most critical misconfiguration risks and suppressing noise that was irrelevant for its teams. Jobcase also leveraged Secure State’s integration with AWS GuardDuty to better prioritize threat events and detect malicious activity. Being able to easily visualize all of the AWS services, key relationships, and associated security risks within the CHSS platform was a huge benefit for Patrick’s team. The team then set up Slack alerts to notify developers of security vulnerabilities and built a plan to gradually remediate them.

As Jobcase’s developer teams relied heavily on CloudFormation templates and automated CI/CD processes, the team then focused on building guardrails that would help developers avoid critical security mistakes and build things more securely from the beginning. The team started by creating custom security checks that prevented assets deployed using templates with significant configuration drift from being released into production. Next, the team leveraged the CHSS findings API to detect high-severity security risks within their GitHub pipeline and respond immediately with remediative action.

Automation is a key piece of Jobcase’s cloud security journey and the team consistently keeps the mantra: “rapid, reliable, repeatable” top-of-mind when creating new security policies. As automation helped the team scale security controls, communication was important to ensure efficiency. 

Patrick emphasized that building and implementing automation policies takes time and collaboration is key: “It’s a marathon, not a sprint. We go back and forth with the development teams a lot to make sure we’re addressing their needs and concerns while still being able to turn out a quality product quickly.”

Jobcase shared the following tips for successful DevSecOps: 

  • Filter out irrelevant noise before pushing it down to development
  • Understand that it’s impossible to eliminate all vulnerabilities in the development stage
  • Focus on protecting accounts with sensitive data and eliminating critical vulnerabilities that are easy to identify first
  • Train developers on security basics
  • Embrace automation and build operational discipline around the usage of scripts to remove human error
     

Optimizing through COVID-19

There have been mass layoffs across the globe due to COVID-19, and Jobcase makes the job search seamless during this difficult time with a four-pronged approach: Personalization, Tools, Community, and Advocacy.

“Obviously during the pandemic there’s been a large focus on frontline workers and making sure they’re supported,” Patrick shared. Through job search personalization, resume building tools, and an online community, Jobcase is able to accommodate any type of job search, including remote-only jobs and night shifts.

“We’ve had to pivot very quickly in these times and CloudHealth has been a good mix of security and velocity that has kept us going to make sure Jobcase is meeting the needs of its customers.”

Patrick Hetherton
VP of Technical Operations, Jobcase

Check out Jobcase's full CloudLIVE session to learn how the team optimizes cloud security.