Cresta’s Commitment to Security with GitHub

The contact center is the front door of today’s businesses. Whether it’s buying a product, resolving an issue, or renewing services, customers are increasingly engaging a business’ contact center, especially in today’s hyper-connected era. But too often the experience is frustrating—waiting on hold, trying to navigate a menu of prompts, struggling to connect with a human, and then more waiting while the agent reviews your information and finds an answer. The fact is you can make or break a brand in a single conversation. Enter Cresta, which provides AI-driven real-time intelligence for contact centers, creating better conversations and a better customer experience.

The Cresta platform provides dynamic, real-time coaching for support agents, learning and then amplifying the best practices of the top performers across a team. It’s able to identify customer sentiment—ensuring compliance, providing smart responses, and more. It also lets managers see and track every conversation and agent progress, driving a better customer experience for contact centers.

Cresta’s 65 developers comprise nearly 50 percent of the company’s staff and they are laser-focused on delivering a better solution to the customer as fast as possible. At the same time, they need to ensure their code is highly secure. There’s a natural tension between the need to iterate quickly and the need to evaluate code for bugs and vulnerabilities. Customer-oriented companies want to continually ship new features. However, Senior Security Manager Robert Kugler underscores the importance of code quality to customer experience. Minor errors risk frustrating customers, while major errors leave the business open to vulnerabilities that could result in data breaches and cyber attacks. “When you develop code, you want to think of the customer first,” Kugler says. “If you create insecure code, you’re not thinking of the customer first because you open your customers up to risk.”


Cresta leverages GitHub Advanced Security in their software supply chain to ship secure code. By making security a part of the software development workflow, developers can fix issues in real-time, eliminating the need to remediate days or weeks later. Using GitHub Advanced Security allows Cresta to utilize tools such as CodeQL, Secret Scanning, and Dependabot to identify potential problems before they make it into production.

Using CodeQL, Cresta automates Code Scanning with GitHub Actions to look for potential vulnerabilities during a pull request. When a vulnerability is identified, GitHub generates a recommended fix that can be implemented via a pull request. Because these tools run automatically, they don’t add any friction to Cresta’s development process and there’s no fear that security scans will be overlooked.

Beyond making their end product safer for customers, GitHub Advanced Security has improved the relationship between developers and the security team. “I can’t remember a single other security tool where I’ve heard a developer say: ‘I like it, it helped me avoid this mistake,’” Kugler says. “Usually, security tools feel negative. They tell you what you’re not allowed to do, but don’t provide a solution. Blocking a feature creates a lot of annoyance for everybody. GitHub Advanced Security actually creates pull requests so that developers can fix issues fast, while the code is still fresh in their minds, and lets them move on to the next thing. It helps our developers learn and improve.”


Instead of being a drag on productivity, Kugler says GitHub’s developer-centric approach turns security into a net-win for productivity.

“Security of the Cresta platform is a core part of our strategy and competitive advantage. Tools like GitHub Advanced Security help keep our team lean. It makes us much more efficient.”

To move from DevOps to DevSecOps, Cresta recognized the importance of standardizing on application security testing tools designed for GitHub’s platform. GitHub Advanced Security provides a native security function within all GitHub repositories that allows security to be easily integrated within an existing codebase as well as third-party tools. This means that instead of modifying many different tools to fit within the CI/CD pipeline, developers can use one multi-functional platform that integrates CI, automation, deployment, and security all in one place.

Reducing the number of tools required also reduces the time it takes new hires to become productive and lets developers focus on writing code rather than managing tools. “Standardization and simplicity are huge for onboarding engineers at a fast-growing organization,” Kugler says. “Using twenty different tools becomes exhausting and unmanageable.” Plus there’s less training involved because so many developers already know how to use GitHub.


Setting up GitHub Advanced Security was a very straightforward process. “We were up and running within 24 hours,” he says. GitHub Advanced Security’s CodeQL queries helped Cresta start identifying bugs and other vulnerabilities right out of the gate. By customizing the queries to perform variant analysis, the team can identify a bug once and remediate all its occurrences across the codebase, providing low-friction but high-impact results. Tailoring the queries this way makes GitHub Advanced Security more useful for the specific applications in Cresta’s repositories and further reduces false positives in the code scanning process.

Cresta makes security scalable by automating code scanning using GitHub Actions. “GitHub Actions is a powerful tool that provides a lot of flexibility,” Kugler adds. “A DevOps team can do a lot more with GitHub Actions than with the average CI tool.” Cresta uses Actions to scan code during non-production hours and takes advantage of cron jobs to do automated security scans on their repositories. Further, Cresta’s CI pipeline is also scanned during each pull request. This has had a significant impact on security. “About eighty percent of developers are fixing code on the pull request,” he says. “You can’t get much more impactful than that.”

GitHub Advanced Security has had an impact on the culture of security at Cresta. Instead of being the sole responsibility of the security team, developers are feeling the pride of ownership as they take an active role in security. “GitHub Advanced Security empowers developers by giving them educational content about the vulnerabilities they see,” Kugler says. “The continuous alerts make them better at writing secure code. It makes our developers better every single day, with every single pull request.”