CASE STUDY | Industry: AI-powered contact centers

Cresta Reduces Vulnerability Numbers by >99% with Oligo Security

Founded: 2017
Employees: 200
Developers: 70
HQ Location: Palo Alto, CA
“We were able to reduce our vulnerability numbers over 99% by limiting our focus to those with an executed vulnerable function with Oligo.”
Robert Kugler, Head of Security & Compliance

The Challenge

Building Security (and Security Culture) At Scale Fast

When Robert Kugler became Cresta’s first security hire in 2021, his priorities focused on driving immediate security gains. “It was important to get stuff done really fast — you want to set up basic processes and procedures that enable the business to move faster, then start slowly to instill some security culture.”

About a year after taking the security reins at Cresta, Robert (now Head of Security & Compliance) was feeling frustrated with the state of existing products designed to check for vulnerabilities in open source libraries. “All the SCA products in the market are very expensive and nearly useless — they’re the most hated tools in security because it’s just too much noise.”

What’s more, Robert says the number of findings generated by SCA tools could generate confusion and unrealistic expectations from auditors and key stakeholders. “Every security leader has a problem today where dependencies are a nightmare full of vulnerability findings, while most auditors don’t understand how complex — even impossible — it is to have zero vulnerabilities,” he said.

Robert worried that these challenges could lead to misalignment with Cresta’s engineering teams, which comprise approximately 70 developers. “There’s a security misconception that you need to just patch everything, regardless of if it is relevant or not,” he said. “That makes you an enemy of the engineering team.”

“The engineers’ job is to generate ARR by working on features, not doing validation work for the security team,” he explained. “If you dump a giant amount of work on your colleagues all day but you never even validate all the stuff you’re dumping on someone else’s plate, you don’t create a loving relationship.”

The Oligo Solution

When Robert first encountered Oligo Security, he said he found its unique approach “refreshing” right from the start.

“Oligo’s founders have a very valuable idea, and they have the technical background to execute on it,” he said. “When you’re a CISO you see a lot of demos for products that are basically pie charts that give you more ‘visibility’ and look like they should be used by an MBA, not a security leader, but Oligo is very different. It is a real engineering solution to a hard problem.”

Soon after watching Oligo in action, Robert knew he wanted it for his own teams. “Oligo is super useful because it enables teams to get prioritization right and focus on things that truly matter — not just fixing whatever the tool spits out.”

Rather than computing a risk score algorithmically, Oligo’s unique, patented eBPF innovations give organizations like Cresta an unprecedented look into exactly which libraries and functions are executed at runtime — so that instead of guessing what’s exploitable, every stakeholder can see the proof they need to know whether a vulnerability is a real danger or not.

“Oligo makes it easy to see whether something is really executed or not, whether you truly use the function or not, and that’s the level of granularity you need to base your prioritization decisions on facts, not feelings,” Robert said. “No other product works like Oligo – other eBPF solutions that try to do the same thing are built by people who don’t understand the problem at the same deep level, who can’t get into the libraries and individual functions to understand that not every finding is a real vulnerability. There is no one else in the market who does this the right way, other than Oligo.”

Deploying with Oligo was surprising, Robert said, because the company was unusually responsive to customer requests and ideas.

“When I talk to Oligo about requests for product improvements, I often see it in the product the very next week — or I see an extremely detailed MVP. That’s the level Oligo works at with its customers, and that’s very rare. Usually you get lots of promises until you sign a contract, but this is what sets Oligo apart: it truly cares about customers and doing the right thing. The founders started the company with this mindset, and they’ve hired people who share it with them.”

Results & Benefits

For Robert, Oligo’s biggest initial benefits came from the unique ability to filter security findings — including those found by other vulnerability scanners — to show only the ones with executed vulnerable functions.

“Dependabot and Snyk results can look like a disaster – tons of vulnerabilities, all are critical, the world is ending,” he said. “Oligo does the same exercise, but you can filter for executed libraries and executed vulnerable functions. We were able to reduce our vulnerability numbers over 99% by limiting our focus to those with an executed vulnerable function with Oligo.”
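The filtering the quote describes (keep only findings whose vulnerable function actually executed at runtime), as an added worked example; this is not Oligo’s code or a description of its eBPF implementation, and the advisory-to-function mapping, the runtime profile and the advisory ids are all constructed here:

```python
# Illustrative triage of SCA findings by runtime reachability. Added example,
# not Oligo's code; the inputs are constructed: findings whose advisories name
# the vulnerable functions, and a runtime profile of executed functions as a
# tracing agent might report it.
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    package: str
    advisory: str                    # constructed id, not a real CVE
    severity: str                    # severity as the scanner reported it
    vulnerable_functions: frozenset  # symbols the advisory names

# Constructed scanner output before any reachability filtering.
FINDINGS = [
    Finding("yamlparse", "EXAMPLE-0001", "critical",
            frozenset({"yamlparse.load_unsafe"})),
    Finding("imgtool", "EXAMPLE-0002", "critical",
            frozenset({"imgtool.decode_tiff"})),
    Finding("httpx_lite", "EXAMPLE-0003", "high",
            frozenset({"httpx_lite.parse_header"})),
]

# Constructed runtime profile (package -> executed functions); absent = never loaded.
RUNTIME_PROFILE = {
    "yamlparse": {"yamlparse.load_safe", "yamlparse.dump"},
    "httpx_lite": {"httpx_lite.parse_header", "httpx_lite.get"},
}

def triage(finding, profile):
    """Classify one finding by what actually ran, not by scanner severity."""
    executed = profile.get(finding.package)
    if executed is None:
        return "not_loaded"          # installed but never imported
    if finding.vulnerable_functions & executed:
        return "executed"            # vulnerable code path ran: fix now
    return "loaded_not_executed"     # defer; re-check as the profile grows

def prioritize(findings, profile):
    """Group advisory ids by tier; only 'executed' goes to engineering."""
    tiers = {"executed": [], "loaded_not_executed": [], "not_loaded": []}
    for f in findings:
        tiers[triage(f, profile)].append(f.advisory)
    return tiers

def reduction(findings, profile):
    """Fraction of the scanner's findings removed from the work queue."""
    kept = len(prioritize(findings, profile)["executed"])
    return 1 - kept / len(findings)
```

The `loaded_not_executed` tier is deferred, not closed: the profile only covers workloads that were actually observed, so those findings should be re-evaluated as coverage grows.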

By dramatically reducing the number of vulnerability fixes “dumped” on the engineering team, Robert said he’s been able to create an organization-wide security culture at Cresta that would otherwise have been impossible.

“Engineers don’t hate security work,” he explained. “They hate stupid work that is dumped on them because no one in security is doing the validation to see whether a problem is real. Now the AppSec team can take care of vulnerabilities as an escalation case, where we go through the legwork to draft the PR ourselves. It’s a mentality change where the security team can really start to own its work.”

As relationships between engineering and security warmed, Robert said he’s seen unique and promising indicators of an organization-wide security culture developing.

“Last week our engineers spontaneously decided to implement two-factor authentication in a single two-day hackathon project,” he said. “They came up with the idea entirely on their own, and those are the moments you realize you truly made an impact — the security culture led to those cool events and drove change in the engineering department, because they understand they’re part of an extended security team.”

Why Oligo?

For Robert, the difference between Oligo and other tools on the market is clear. “This is the single security tool we have that is actually saving resources and not wasting them,” he said.

“In this industry, a lot of money is wasted, and a lot of tools don’t actually solve problems. Other companies show all these critical red dashboards — we all know there’s no shortage of problems, but we want solutions, not just visibility into the problems.”

Robert also found the “really, genuinely customer-obsessed” culture at Oligo to be a key differentiator from other solutions. “You can give them feedback and the next week it’s in the product. This is a strange, crazy thing to get used to. Usually with security companies you give feedback and then it’s ‘on the roadmap,’ but it’s deprioritized or never materializes. I’ve never had this kind of experience before.”

Robert said he’s excited about the next steps Oligo is taking to keep applications secure. “I was excited even about version 1.0, but what’s coming next is revolutionary,” he explained. “Right now Oligo can help with prioritization, but now the product has begun to detect actual compromises. Soon Oligo will be able to actually sandbox libraries, and that’s a really revolutionary idea: to have vulnerabilities that can’t be updated but can continue to be used because Oligo makes sure they can’t be exploited. Oligo changes the entire game, and gives us new mitigating controls that will pass an audit.”

When asked what he’d say to another company considering Oligo, Robert said, “Everyone should use Oligo because it’s important to be pragmatic. If you’re not using Oligo, you have bogus prioritization, with people spending time on the wrong things. That’s a tremendous waste, because they could be generating features. If you’re trying to get your vulnerability count to zero without validating those vulnerabilities, you’re destroying your business by taking up your engineers’ time with fixes.”

Robert saw Oligo’s focused results as especially important in an era of tightening security and development budgets. “We need to get out of a zero interest rate mentality where money was free,” he said. “There’s no budget to throw out the window as quickly as possible now. Oligo helps you to do the most things with the least resources. You get provable prioritization quickly, and narrow your problem to an extent that you can actually fix it.”