BitMEX was looking to embed DevSecOps processes across its development process to ensure robust security measures and the efficient velocity of its development and infrastructure teams. Zühlke worked closely with BitMEX to implement an integrated security testing process, train developers on secure coding practices and achieve a secure, workable CI/CD pipeline leveraging reliable asset and exposure information. Zühlke played an active role as a trusted advisor with deep expertise in DevSecOps and supported BitMEX in transforming its development process from ad-hoc security testing to a systematic DevSecOps model in just over 12 months.

Safeguarding client assets at BitMEX is central to its operations. Renowned for not compromising on its approach to security for the sake of convenience, BitMEX has never lost a single cryptocurrency since its emergence. In response to the ever-evolving security landscape and the increasing pace of software development and cloud infrastructure refactoring, it became apparent that the company's traditional security testing methods needed to be analysed and improved. As such, BitMEX partnered with Zühlke to bootstrap a DevSecOps function in order to:

- Implement an integrated security testing process
- Train developers on secure coding practices
- Achieve a secure, workable CI/CD pipeline leveraging reliable asset and exposure information, with contextualised cyber threat intelligence sources

With a global market capitalisation of USD 807 billion in 2023, cryptocurrency has become a potential target for cyber threats. BitMEX is one of the world's largest cryptocurrency exchanges and derivatives trading platforms, and is committed to staying ahead of bad actors and strategically advancing its application security programme. To ensure robust security measures and the efficient velocity of its development and infrastructure teams, BitMEX onboarded a dedicated in-house DevSecOps practice.
Mobilising a global team of DevOps and security engineers, Zühlke partnered with BitMEX to quickly add new guardrails, enable new security processes and embed additional tools in the delivery pipeline.

Outcome #1: Embedding comprehensive application security testing and software composition analysis tools in the development pipeline

Attackers often think in terms of graphs to visualise the interconnections within a system they are trying to breach. Unauthorised access to sensitive data or systems is contingent upon exploiting a combination of vulnerabilities or faulty controls. Specifically, in a CI/CD pipeline, the dependencies between interconnected stages and components can be exploited to introduce faulty code into production. This is why Zühlke and BitMEX's initial focus was to reassess and map the potential lateral movement and artefact pollution risks within the CI/CD pipeline.

“With the right people, a refined set of processes and a selection of consolidated security tools as the linchpin, BitMEX was able to construct a stronghold that amplifies the effectiveness of our overall security ecosystem.”
Florian-Alexandre Bielak, Chief Information Security Officer, BitMEX

Additionally, residual vulnerabilities in third-party software or unpatched infrastructure can be as damaging as a system administrator falling for a social engineering attack aimed at their credentials. To mitigate this residual risk, a set of detective, proactive and compensating controls is necessary. To further enhance BitMEX's security, the partnership revisited static analysis, dynamic scanning, secret scanning and software composition analysis. This also ingrained a “shift-left” approach to security testing, ensuring that security considerations were introduced at an early stage of the software development life cycle.
By fostering a shared responsibility among developers, operations and security teams, this established the basis of an agile framework ingrained into every aspect of the development process, from design to implementation, with nimble failsafe mechanisms in place.

Outcome #2: Asset security controls and configuration as code

By deploying a cyber asset surface management programme, BitMEX can now prioritise threats and consistently monitor for new types of suspicious activity. Just as you would not assume your home is safe from intruders every time you return, it is crucial not to assume that your network is impervious to attackers, and to maintain a proactive mindset. Cyber threat intelligence sources provide insights into the targets and tactics of threat actors. Combined with information about the vulnerabilities within the organisation and their potential impact, this quantifiable data helps BitMEX prioritise its decisions.

Through the transition from implicit trust to a persistent assessment of explicit trust, BitMEX advances its security controls by leveraging context-based signals obtained from unified endpoint management and IdP systems. To navigate and address the challenges arising from the increased complexity of the IdP's authentication policies, the partnership adopted configuration as code, commonly known as GitOps. This approach standardises configuration, facilitates version control, and enables peer-reviewed changes with comprehensive historical tracking and relevant CI checks. This cultural shift moved BitMEX away from a “click-ops” model, so that governing change controls remains manageable as complexity grows.

“The culture at BitMEX is one very similar to Zühlke's. We are a team that is empowered to speak up with courage, challenge and be challenged, and always put the success of the entire organisation first.”
Kaushal Silva Ranpatabendige, Lead Engagement Manager, Zühlke

In just over 12 months, BitMEX transformed its development process from ad-hoc security testing to a systematic DevSecOps model. The collaboration with Zühlke has been a success, achieving the dual goal of maintaining a high level of security while supporting rapid software development.

Contact: Ravi Patel, Head of Financial Services Southeast Asia, Zühlke (ravi.patel@zuhlke.com)
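The configuration-as-code approach described under Outcome #2 relies on CI checks to gate a policy change before a peer-reviewed merge. As an added illustration that is not part of this case study and not BitMEX's or Zühlke's tooling, the Python script below shows what such a check can look like: it compares the identity-provider authentication policy on the main branch with the proposed version and fails the build when a control is weakened. The policy schema, the group names, the session cap and the network allow-list are all constructed for the example; a real IdP exposes its own format, and the constants would be tuned to the organisation's standards.

```python
"""CI guardrail for an identity-provider authentication policy kept as code.

Added example for this page; the policy schema below is hypothetical and is
not BitMEX's, Zühlke's, or any real IdP's format. A pull request that changes
the policy file runs this check, and the build fails if the proposed policy
weakens a control, so peer review is backed by an automated gate.
"""
import json

# Organisation-wide limits the pipeline enforces regardless of what the change
# says (assumed values for the example).
MAX_SESSION_MINUTES = 720                           # assumed cap: 12 hours
PRIVILEGED_GROUPS = {"admins", "sre"}               # constructed group names
APPROVED_NETWORKS = {"10.0.0.0/8", "192.0.2.0/24"}  # constructed allow-list


def load_policy(text: str) -> dict:
    """Parse the declarative policy and reject documents missing required keys."""
    policy = json.loads(text)
    for key in ("groups", "session_minutes"):
        if key not in policy:
            raise ValueError(f"policy missing required key: {key}")
    return policy


def check_policy_change(old: dict, new: dict) -> list[str]:
    """Compare the merged policy with the proposed one.

    Returns a list of violations; an empty list means the change may merge.
    Tightening a control is always allowed; loosening one needs an explicit
    exception (here: changing the constants above in a change of its own).
    """
    violations = []

    # 1. MFA must never be switched off for a group that had it, and must be on
    #    for privileged groups even when the group is newly introduced.
    for name, settings in new["groups"].items():
        mfa_now = settings.get("mfa_required", False)
        had_mfa = old["groups"].get(name, {}).get("mfa_required", False)
        if had_mfa and not mfa_now:
            violations.append(f"group {name}: mfa_required changed from true to false")
        elif name in PRIVILEGED_GROUPS and not mfa_now:
            violations.append(f"group {name}: privileged group must require MFA")

    # 2. Deleting a group silently drops every control attached to it.
    for name in sorted(old["groups"].keys() - new["groups"].keys()):
        violations.append(f"group {name}: removed from policy")

    # 3. Sessions may be shortened freely but never extended beyond the cap.
    if new["session_minutes"] > MAX_SESSION_MINUTES:
        violations.append(
            f"session_minutes {new['session_minutes']} exceeds cap {MAX_SESSION_MINUTES}"
        )

    # 4. Only pre-approved network ranges may be added to the allow-list.
    added = set(new.get("allowed_networks", [])) - set(old.get("allowed_networks", []))
    for net in sorted(added - APPROVED_NETWORKS):
        violations.append(f"allowed_networks: {net} is not an approved range")

    return violations


# Constructed sample: the policy on the main branch and a proposed change.
CURRENT_POLICY = json.dumps({
    "groups": {
        "admins": {"mfa_required": True},
        "sre": {"mfa_required": True},
        "developers": {"mfa_required": True},
        "contractors": {"mfa_required": False},
    },
    "session_minutes": 480,
    "allowed_networks": ["10.0.0.0/8"],
})

PROPOSED_POLICY = json.dumps({
    "groups": {
        "admins": {"mfa_required": True},
        "sre": {"mfa_required": False},          # weakens a privileged group
        "developers": {"mfa_required": True},
    },                                           # contractors silently dropped
    "session_minutes": 1440,                     # above the cap
    "allowed_networks": ["10.0.0.0/8", "203.0.113.0/24"],  # unapproved range
})


def run_gate(current_text: str, proposed_text: str) -> int:
    """Exit status for the CI job: 0 allows the merge, 1 blocks it."""
    problems = check_policy_change(load_policy(current_text), load_policy(proposed_text))
    for problem in problems:
        print("FAIL:", problem)
    return 1 if problems else 0


if __name__ == "__main__":
    raise SystemExit(run_gate(CURRENT_POLICY, PROPOSED_POLICY))
```

Run as a step in the pull-request pipeline with the two policy versions; a non-zero exit status blocks the merge, and the printed FAIL lines tell the reviewer exactly which control regressed. Deliberately loosening a limit is done by changing the constants in a separate reviewed change, so the version history records who approved the exception, which is the historical tracking the GitOps model is meant to provide.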