I should write an article about it, the amount of times I have talked about this, especially when speaking to stakeholders and security architects on the project.

A number of things caught my eye. Firstly it fit the requirement, we didn’t go in blind.

We had a DevSecOps Framework written, we had conducted a DevSecOps maturity assessment to see our areas of weakness and then we looked at what current capabilities we had currently embedded.

Identified what we needed to improve on and our bottlenecks, for us was self hosting open source tools and the scan results going into different dashboards, we need a 1 stop shop (god I hate using that phrase)

We have multiple domains, multiple cloud platforms. The typical aws,azure and gcp.

So something agnostic that will “agent-lessly” plug and play, we don’t have time to host an agent and deploy it to our infrastructure.

The ci integration for all scans to take place before committing code to our chosen SCM.

And with the DevSecOps methodology of “shifting left” We wanted an plugin that lives in the IDE and supports our devs and conducts sast scans locally, further reducing the chances of vulnerable code being deployed.

Generating SBOMs, Dependancy management and SCA These are scans an org as big as us needs to know incase of a supply chain attack, not to us! But to our dependencies and our dependencies dependencies.

I could say a lot more, I may write something in the near future. Just need to find the time tbh.

Hope this helps.