Semmle at BlackLine: Securing the data integrity of financial data in the cloud
Los Angeles, CA
QL and LGTM
BlackLine is the leading provider of cloud financial software that revolutionizes the accounting and finance functions of over 2,300 organizations in more than 150 countries. BlackLine relies on Semmle to secure the data integrity of the company’s cloud product, and to share knowledge and best practices among developers, helping BlackLine improve their product and reducing time to market.
Founded in 2001, BlackLine has experienced rapid growth up to and beyond the company’s IPO in late 2016, with the demand for BlackLine’s cloud accounting software continuing to increase.
The company is trusted by thousands of organizations worldwide to optimize and improve their finance functions, which includes managing their highly sensitive and business-critical financial data. BlackLine is committed to, and responsible for, securing and maintaining the integrity of that data. Failure to sustain that data integrity can have severely damaging consequences for both BlackLine and its customers.
Finding data integrity issues is extremely time-consuming, and often a near-impossible task even for the most experienced members of the development team. Because the issues are specific to BlackLine and the architecture of its product, experienced developers had to invest significant effort looking for potential data integrity issues in every pull request. When an issue was identified, the architecture team would manually review the entire codebase to look for similar problems.
While data integrity is critical to operate and maintain the business, meeting the increased demand for BlackLine’s product is important to further grow the business. To meet this increase in demand, new features and improvements are continuously added, increasing the complexity of the code, while new team members join the development teams. With this in mind, Gregory Burns, BlackLine’s Director of Software Development, identified a need for the development organization to effectively adopt and comply with the company’s extensive set of coding standards.
When BlackLine was introduced to Semmle, Burns immediately recognized the potential of using Semmle QL to help find and address high-value data integrity problems. “We were blown away by the power of QL,” says Burns. “We were looking for specific types of issues, and with QL we immediately found them. This was exactly what we needed.”
Soon after, the team started creating QL queries to identify and remediate variants of known data integrity issues. “We were looking for serious problems, for example related to how we do multi-threading or database connections that are managed in the data access layer,” says Burns. “No automated solution we had tried was able to find problems of this complexity, but using Semmle we became able to quickly find these types of issues across our portfolio. Within weeks this eliminated manual efforts that were consuming significant cycles of our SDLC.” The company uses a combination of Semmle’s default queries and domain-specific analyses that are created internally. “We got a lot of value out of the box, in addition to writing our own queries,” says Burns.
BlackLine uses Semmle LGTM to automatically highlight data integrity issues in code review, as part of its process to prevent the same coding mistake from being made twice. “Any time we see something at risk as part of our development cycles, we write a query to find other instances across our code so we can address them immediately,” says Burns. “We then add those queries to LGTM and integrate them into our code review process to make sure that no one introduces similar problems in the future.”
At the same time, the Core Architecture team created QL queries for BlackLine’s coding standards. The team uses LGTM to share these best practices and build knowledge across the team. “As an organization, it is paramount that our standards are always followed,” says Michal Nowak, Domain Architect in Core Architecture. “Complying with the standards lets new developers ramp up much faster, and experienced developers are able to more easily work on parts of the product that they are less familiar with.”
Building a strong culture around the product and the core value of data integrity is key at BlackLine. “We use LGTM to build shared knowledge and expertise across the organization, enabling us all to work as a team and move our product forward together,” says Burns.
With the combination of QL and LGTM, BlackLine’s developers find problems that were previously very painful to find through a manual and time-consuming process. These issues are now spotted earlier in the development process, and developers no longer spend large amounts of time reviewing for potential data integrity issues and coding-standard violations. “Now the code review cycle can focus solely on how the changes solve a business problem,” says Burns. “The effect is that we get better productivity, better quality and reduced risk, which ultimately has allowed us to reduce time to market.”
The effect is not limited to newly developed code. By enforcing coding standards and sharing best practices within development teams, LGTM and QL also benefit the company’s software maintenance efforts. “Using Semmle to enforce our coding standards, we are able to reduce our maintenance spend drastically,” says Nowak. “On top of that, our developers are relieved of routine tasks related to maintenance work and they can now focus on the creative side of their work.”