OneTrust Uses Oligo to Build Customer Confidence & Save Developers Time

The Challenge

Finding Signal in Noisy CNAPP and SCA Results

For OneTrust, a global leader in privacy, security, and data governance software with over 500 developers working worldwide, defense in depth requires multiple security tools. However, as VP of Information Security, Igor Zavulunov, enhanced OneTrust’s ability to see vulnerabilities, a new problem emerged: knowing which alerts from the new tools actually mattered.

“Many vulnerability tools, especially CNAPPs, are very noisy,” explained Joe Sanders, Sr. Director of Product Security at OneTrust. “It takes a lot of analysis time to identify the real security risk.” Igor added: “And of course, our customers hold us to the same standard. If we can see it, they can see it.” To prioritize findings that posed real risk of exploitation by attackers, OneTrust reached out to Oligo.

The Oligo Solution

The Oligo Application Defense Platform cuts through the noise of CNAPP and SCA tools by observing all application components directly in runtime—enabling unprecedented visibility into which components are loaded and executed.

“It really helped us reduce the workload that developers were taking on,” said Zavulunov. “Oligo also helped us look at where the issues were coming from on the application side, so we could actually go back and remediate the root issue.”

Unlike tools that prioritize results based on algorithms that make estimations of risk, the Oligo platform observes risk exposure directly, with proof of vulnerable functions or libraries being executed. “We can take that to our customers,” Zavulunov said. “You can say, ‘just because you have a security product that finds something, does not mean it is actually executed in runtime—all of what could actually impact you is already fixed.’ So, it really helps with assuring customers, which is an immediate value for us.”

Sanders agrees that Oligo has made it easier to demonstrate vulnerability context for customers. “Really, it just helps us do more with less, by not just prioritizing but by having Oligo to back us when we show these results to customers.”

Results & Benefits

Within two weeks of getting started deploying the Oligo Application Defense Platform,
OneTrust found 75 percent of its dependency vulnerabilities were not executed—allowing for prioritization of the discovered vulnerabilities which were executed in runtime. “This allowed us to take a more risk-based approach and focus on fixing what is actually important,” Zavulunov said.

In addition to helping developers manage the security issues backlog, OneTrust also found that thanks to its zero-day response capabilities, the Oligo Application Defense Platform was “a weekend saver,” according to Sanders.

“When there’s a zero day, it feels like it’s always on a Friday,” he said. “With Oligo, we can see right away what is actually affected and make a decision about what to do.” Granting particular peace of mind: Oligo’s capabilities to identify whether a dependency zero-day is present and executed in any application, which is beneficial to OneTrust.

An unexpected benefit of the Oligo Application Defense Platform: real time SBOM capabilities. “With Oligo’s assistance, we now deliver a more robust SBOM with each release,” said Sanders. “This enhances our transparency to customers and our ability to meet contractual obligations more effectively.”

Before using Oligo, Zavulunov says, “Our developers, cloud ops, and DevOps were on the hook to remediate within our SLAs, and it was an overwhelming amount of work including prioritization. Oligo came in and helped us with an intriguing offer: if you deploy our product, we can help with that, and you’ll be able to save a lot of that work.”

Using Oligo’s enhanced application component visibility, OneTrust is better able to meet its defined target SLAs. “That’s really the biggest goal,” explained Sanders. “Get our vulnerabilities fixed within industry standard SLAs, and then over time we shorten those SLAs.”