BitMEX partners with Zühlke to further enhance its security operations and bootstrap its DevSecOps practice

Safeguarding client assets at BitMEX is central to their operations. Renowned for not compromising on its approach to security for convenience, BitMEX has never lost a single cryptocurrency since its emergence.

In response to the ever-evolving security landscape and the increasing pace of software development and cloud infrastructure refactoring, it became apparent that the company's traditional security testing methods needed to be analysed and improved. 

As such, BitMEX partnered with Zühlke to bootstrap a DevSecOps function in order to:

1. Implement an integrated security testing process
2. Train developers on secure coding practices
3. Achieve a secure, workable CI/CD pipeline leveraging reliable asset and exposure information, with contextualised cyber threat intelligence sources 

With a global market capitalisation of USD 807 billion in 2023, cryptocurrency has become a potential target for cyber threats. 

BitMEX is one of the world's largest cryptocurrency exchange and derivative trading platforms, and is committed to staying ahead of bad actors and strategically advancing its application security programme. 

To ensure robust security measures and efficient velocity of their development and infrastructure teams, BitMEX onboarded a dedicated in-house DevSecOps practice. Mobilising a global team of DevOps and Security engineers, Zühlke partnered with BitMEX to quickly add new guardrails, enable new security processes and embed additional tools in the delivery pipeline. 

Attackers often think in terms of graphs to visualise the interconnections within a system they are trying to breach into. Unauthorised access to sensitive data or systems is contingent upon exploiting a combination of vulnerabilities or faulty controls. Specifically, in a CI/CD pipeline, the dependency between interconnected stages and components can be exploited to introduce faulty code into production.

This is why Zühlke and BitMEX’s initial focus was to reassess and map the potential lateral movement and artefact pollution risks within the CI/CD pipeline

Additionally, residual vulnerabilities in third-party software or an unpatched infrastructure could be as damaging as falling for a social engineering attack targeting system administrators for their credentials. To mitigate this residual risk, a set of detective, proactive and compensating controls is necessary.

To further enhance BitMEX's security, the partnership revisits static analysis, dynamic scanning, secret scanning, and software composition analysis. This has also ingrained a “shift-left” approach to security testing activities, ensuring that security considerations were introduced in the early stage of the software development life cycle.  

By fostering a shared responsibility among developers, operations, and security teams, it established the premises of an agile framework ingrained into every aspect of the development process, from design to implementation, with nimble failsafe mechanisms in place.  

By deploying a cyber asset surface management programme, BitMEX can now prioritise threats and monitor for new types of suspicious activity consistently. 

Similar to how you would not assume that your home is safe from intruders every time you return, it is crucial not to assume that your network is impervious to attackers and to maintain a proactive mindset. Cyber threat intelligence sources provide insights into the targets and tactics of the threat actors. Combining the information about vulnerabilities within an organisation and its potential impact, this quantifiable data helps BitMEX in prioritising decision-making processes.  

Through the transition from implicit trust to a persistent assessment of explicit trust, BitMEX advances its security controls by leveraging context-based signals obtained from unified endpoint management and IdP systems.  

To navigate and address the challenges arising from increased complexity in the authentication policies of the IdP, the partnership adopts configuration-as-code or commonly known as GitOps. This approach standardises configuration, facilitates version control, and enables peer-reviewed changes with comprehensive historical tracking and relevant CI checks.  

This cultural shift empowered BitMEX to move away from a “click-ops” model, where governing change controls becomes more manageable as complexity grows. 

In just over 12 months, BitMEX transformed its development process from ad-hoc security testing to a systematic DevSecOps model.  

The collaboration with Zühlke has been a success, achieving the dual goal of maintaining a high level of security while supporting rapid software development.