Overview

Raymond James strengthens application security by identifying precise risk impact of vulnerabilities with Dynatrace

Adding Dynatrace’s vulnerability detection was really the icing on the cake. We were already monitoring our critical applications, but now we can make them bulletproof.
Jeff Palmiero
Technical Vice President, Raymond James

About Raymond James

  • Founded in 1962
  • $1.56 trillion in client assets
  • $14.9+bn revenue
  • 19,000 employees

Industry

  • Financial Services

Story Snapshot

  • Reduced alert noise: Moved from 15,000 to 800 OSS vulnerability alerts
  • Strengthened security: Prioritizing vulnerabilities reduces business risk
  • Deeper insights: Business-level queries power data-driven decisions
  • Faster innovation: Tighter feedback loop enables better collaboration

Accelerating innovation without compromise

Raymond James is a Fortune 500 company that provides investment banking, wealth, and asset management services to financial advisors. To support its continued growth, Raymond James underwent a transformation to improve the resiliency of its digital services. As part of that journey, Raymond James embraced AIOps to help its teams ensure the company’s most critical applications are functioning as they should at all times. This capability was underpinned by observability-driven insights that enable a more proactive approach to issue resolution.

To accelerate digital innovation, Raymond James often uses code from open-source software (OSS) libraries, which helps its developers deliver new capabilities faster. However, Raymond James found that its application security tools were over-reporting on OSS vulnerabilities, which made it difficult to manage business risk. Raymond James saw an opportunity to extend its observability-driven insights to evaluate the risk impact of OSS vulnerabilities, which would help developers prioritize their efforts to resolve flaws and improve the security of applications.

Ensuring the security of open-source code

Since Raymond James was already using Dynatrace for observability, it was easy to switch on the platform’s Application Security capabilities. Powered by Grail, Dynatrace’s Application Security module helped the team reduce the number of OSS vulnerability alerts by removing false positives and providing more precise and actionable insights into the risk impact. Grail also enables Raymond James to identify whether vulnerabilities originate from the Raymond James Development Framework, which includes best practices and pre-built capabilities, or if they were introduced by an individual developer. This distinction allows teams to quickly address framework-level vulnerabilities by upgrading to a new version, significantly reducing overall risk.

“Adding Dynatrace’s vulnerability detection was really the icing on the cake,” said Jeffrey Palmiero, Technical Vice President at Raymond James. “We were already monitoring our critical applications, but now we can make them bulletproof by addressing vulnerabilities in priority order. With Dynatrace, we get actionable insights in ten minutes that previously took hours to uncover. Dynatrace gives us a consolidated list of vulnerabilities that have to be addressed to protect our applications.”

You can do absolutely anything with Dynatrace.
Christian Alfano-Nerey
Senior Site Reliability Engineer, Raymond James

Life with Dynatrace

  • Reduced alert noise: Dynatrace Application Security helped Raymond James reduce OSS vulnerability alerts from 15,000 to just 800 by eliminating false positives and providing more precise insights. Dynatrace can understand whether open-source libraries and software are actively being used by developers, helping to identify if vulnerabilities are a genuine risk or not. This enables Raymond James to stay ahead of compliance reporting requirements and demonstrate to regulators how the company is addressing vulnerabilities in its applications.
  • Prioritized vulnerabilities: With the Davis Security Score (DSS) from Dynatrace, Raymond James can prioritize vulnerabilities according to their risk impact, based on contextual insights about whether the application is internet exposed or has access to critical data. Development and security teams are given a consolidated list of vulnerabilities, saving a significant amount of time in deciding which issue to solve first.
  • Data-driven decisions: Raymond James uses Dynatrace Query Language (DQL) to surface faster insights into application performance, enabling better and more timely decisions. Teams can see how the company’s applications are performing against key business performance indicators, such as the number of successful orders placed for stocks or mutual funds. Tailored security and compliance insights can then be shared with senior leaders, enabling them to make more informed decisions by providing visibility into vulnerability metrics specific to their areas of responsibility.
  • Faster innovation: Raymond James holds itself to the highest standards for the performance of its digital services. For instance, it has a target of two seconds or less for page render time on external-facing web services, and mandates that response times must be a maximum of 500 milliseconds. Dynatrace helps create improved feedback cycles between management teams and product owners to hold them accountable for those numbers, which greatly improves customer experience.

“Davis is the smartest guy in the room—its ability to deliver deep contextual analysis has made Dynatrace Query Language and Grail absolute game-changers,” commented Palmiero. “The fact that you can join data from any single entity to your trace and event, and then make the insights relevant to all audiences is incredibly powerful. I get challenged most days if DQL can do certain tasks, and the answer is almost always yes. You can do absolutely anything with Dynatrace,” said Christian Alfano-Nerey, Senior Site Reliability Engineer at Raymond James.

With Dynatrace Application Security, we reduced the number of high and critical vulnerabilities from 15,000 to just 800.
Jeff Palmiero
Technical Vice President, Raymond James

Raymond James is not affiliated with Dynatrace
