Behavox with Semmle: Code security to protect financial services data
AI-based behavioral analysis
Semantic code analysis engine
Behavox monitors sensitive behavioral data in real time using artificial intelligence to help their clients transform behavior in the financial workplace. Customer data is highly sensitive; Behavox can’t risk security issues such as unauthorized access or data exfiltration. Using Semmle’s semantic code analysis engine, Behavox CTO Roman Zelov and his team have identified more than 4X as many vulnerabilities compared to manual pen testing alone.
Founded in 2014, Behavox is an enterprise people analytics software company that provides holistic employee supervision solutions to financial services companies. Through a combination of 16 years of enforcement cases against traders and banks worldwide, and machine learning algorithms, the software allows senior management and risk and compliance officers to detect signs of insider threat activity, collusion, reckless data use and employee behavior that could indicate fraud and market abuse.
Behavox works with some of the largest financial institutions in the world, with customers throughout Europe, North America and Asia. It analyzes more than 150 types of sensitive data in real time, including email, chats and phone call records. Given the sensitive data involved in financial services, the team is especially focused on mitigating risks surrounding unauthorized access to data and systems and data exfiltration.
Behavox automatically launches software updates several times per week, and sometimes multiple times each day (in 2018, it completed 1.5 releases per day, a much higher rate than most enterprise software companies). When a vulnerability is found, Behavox treats each security patch like a product release, proactively pushing the new, high-quality code to customers. Since each release needs to meet the strict compliance requirements of the financial services industry, Behavox must respond quickly to any incident in production (delivering a release within one to two hours).
Behavox uses a pen testing agency to locate critical vulnerabilities, but their patching policy means that they need to locate and patch vulnerabilities at an incredible pace, which even automated pen testers can’t keep up with. They needed to find a security solution to effectively locate and respond to critical vulnerabilities quickly in order to meet the strict compliance and risk management requirements that govern software for financial services.
When one of Behavox’s most sophisticated clients required static application security testing (SAST), Zelov realized this was a must-have for every client. But he was skeptical about the solution his team used, and sought to find one that would go beyond SAST.
Zelov’s team evaluated 10 different code analysis vendors, and found two major factors differentiated Semmle’s semantic code analysis engine from the pack. First, the product provided greater accuracy and far fewer false positives. Second, its customization enabled Behavox engineers to write their own, personalized queries, which is a critical factor given the sensitive nature of Behavox’s customer data. The Behavox team likened the engine to Blink, their own language for finding anomalies and behavioral patterns in real-time human data, applied instead to source code. As a result, Zelov was able to satisfy his clients’ requirements, while giving his team the extra flexibility it needed.
Semmle’s semantic code analysis engine is now used to ensure the security of every release using a dedicated development infrastructure and QA release procedure. A feature cannot be released without the engine completing a security check.
Behavox uses Semmle for continuous secure development, writing custom queries to check the code. Pen testing is conducted on a quarterly basis, and when Behavox’s pen testing agency alerts them to a vulnerability, or when one is located with Semmle’s semantic code analysis engine, Behavox developers then use the product to find all variants of the located vulnerabilities.
Behavox began using Semmle’s semantic code analysis engine in early 2019 and now requires its developers to use it across the organization. For example, from one pen testing result, manual analysis found 16 issues. Variant analysis with the code analysis engine found 70 more — including in a case that was considered vulnerability-free.
Zelov is pleased with the simple process and outcomes the code analysis engine provides his team, not only for satisfying client requirements, but also for its “fortress-like” security controls. His team relies heavily on automating the pull request review process using the engine, as automated development guidelines are crucial to maintaining their feature delivery speed.
He plans to start using Semmle’s semantic code analysis engine to better understand the code contributions of each developer on the team. Zelov envisions Semmle’s semantic code analysis engine (acquired by GitHub in September 2019) becoming a part of Behavox’s DevSecOps agile and security-focused culture.