Case study

Enhancing Security and Streamlining Processes: How Chia Achieved a 70% Reduction in Open Security Alerts with Socket

Highlights:

Chia saw a 70% reduction in open security alerts across all tools, highlighting the impact of Socket's accurate and actionable alerts.

Socket's intelligence-based approach to validating libraries and scanning code was a key factor in Chia choosing it over competitors.

Chia has observed cost savings and increased developer productivity since implementing Socket.

Socket significantly reduced the anxiety around third-party libraries, even for the most conservative engineers on the team.

Justin England, VP of Platform and Security, Chia

About Chia

Chia is a technology startup that delivers enterprise-grade services and applications built on the Chia blockchain, focusing on a security-first approach and prioritizing regulatory compliance. With nearly 100,000 nodes across 150 countries, Chia is one of the most decentralized public blockchains on the planet. Operating in a highly public and critical space, Chia provides a smart transaction platform and issues the Chia digital currency. The company's Vice President of Platform and Security, Justin England, oversees a team responsible for IT help desk, security, platform and infrastructure, and DevOps.

The Challenge

Chia operates one of the most popular projects on GitHub, which presents unique security challenges. The company needed a solution to manage security for a large, highly visible codebase that is widely used in the cryptocurrency and blockchain community. The primary pain points were the extensive manual oversight required to manage third-party libraries and the high volume of security alerts that often included false positives.

Prior to adopting Socket, Chia faced several challenges with their application security tools. The existing tools were effective to some extent, but they required engineers to interact with multiple platforms, which disrupted workflow efficiency.

Streamlined Workflow and AI-Powered Insights: How Socket Saves Time and Improves Developers' Confidence

By switching to Socket, Chia was able to streamline their workflow, allowing engineers to handle 90% of their security tasks directly within GitHub.

"The thing that we really appreciate about Socket is that it works in a single pane," England said. "So all of our engineers are able to interact with 90 percent of what they need to from Socket inside of the same git workflow that we're working in already.

"We are a very big, very public open source project, and with that comes a lot of security concerns, a lot of daily care and feeding around bug reports, around bounty programs, around usage of tools like Socket. Anytime I can, I look to take the stuff that requires daily interaction and make it as easily presentable as possible."

Justin England, VP of Platform and Security, Chia

England highlighted how Socket's AI threat detection provides assurance to Chia's security team.

"The improvements that we've seen to the tool itself since we started using it - like the AI and learning-based portions of the tool - it's going in exactly the direction of the things that we really care about internally, which is we can't keep an eye on everything," he said.

"If you dig into a lot of the stories of compromises in the past, being able to apply that sort of intelligence in the technology directly makes everybody's job - from the most senior to the most junior engineer - much simpler."

Chia Reduced Open Security Alerts by 70% with Socket

Chia has seen a significant reduction in open security alerts since adopting Socket, which has made it easier for developers to make progress on solving the most important problems.

"Our number of open security alerts in GitHub from across all tools is down 70 percent, due to fewer false positives and faster identification of actual threats, which gives us the ability to focus on alerts that matter," England said.

"When you have 1,000 alerts come in, none of them are important. When you have 10 per week, you can prioritize them. I think that was the most important thing - having that positive momentum culture of knowing these alerts are important, let's get them knocked out. Having good data, being able to focus on the ones that are important and being able to knock them out and show progress, kind of built this psychological groundswell that brought everybody on board. It was easy to do and became second nature."

England said the biggest gains, when comparing Socket's alerts to those of their previous tools, have been in quality of life.

"Everybody talks about how it's much easier to interact with the alerts and much easier to get good alerts out of the software," he said.

"Turned It On, It Worked": Socket's Seamless Integration Improves Chia's Developer Experience

The integration of Socket into Chia’s workflow was straightforward. The team found the setup process easy, with defaults that were effective out of the box. The ability to manage and address security alerts directly within GitHub greatly reduced the friction associated with previous tools.

England emphasized the importance of having a "single pane of glass."

"The biggest complaint my engineers had with previous tools, aside from a bunch of reports that were not useful, was having to click through into a second interface and interact with a bunch of different configuration options," he said.

"Socket fits well, much better into our existing application stack and I think there's a lot less friction for our engineers using it. They much prefer these alerts. I honestly haven't heard a single complaint since we switched, which, I don't know if you've ever worked with senior engineers but that's an accomplishment."

England has 30 to 40 engineers interacting with Socket internally, and approximately 400 people who are active in their open source contributor community. Even with this large number of developers using the tool, Chia found it easy to onboard them.

"It was far simpler than the competition," England said. "We turned it on. We started using the interactions with GitHub actions and it worked. It is very nice, especially in modern SaaS, to have a solution that you can just turn on and it just works. There's a lot of configuration options under the hood, but I found the defaults to be very effective."

Socket has been instrumental in streamlining contributions to Chia's open source code base, making it easier to vet new dependencies before they land in the project.

"Since we're an open source project, we have people come in from the community, submit stuff from forks and things that may have included their own libraries," England said.

"Socket makes identifying the places for potential threats much simpler for our senior engineers doing those reviews and then being able to guide our open source contributors to better choices. As an open source project, tools like this are worth their weight in gold, frankly, and this one really stands head and shoulders above the other flows we've used."

By partnering with Socket, Chia has streamlined its security operations, reduced the burden of managing security alerts, and improved the overall efficiency and confidence of its development team. The comprehensive support and advanced features of Socket have made it an invaluable tool for ensuring the security and reliability of Chia’s open source projects.
