BitMEX partners with Zühlke to further enhance its security operations and bootstrap its DevSecOps practice

BitMEX partnered with Zühlke to build on its existing, industry-leading security operations by advancing its application security programme. This was achieved by refining its existing set of security policies to prioritise the critical guardrails, freeing teams to focus on new application functionality.

  • BitMEX wanted to embed DevSecOps practices across its development lifecycle, combining robust security controls with the velocity its development and infrastructure teams need.

  • Zühlke worked closely with BitMEX to implement an integrated security testing process, train developers on secure coding practices and achieve a secure, workable CI/CD pipeline leveraging reliable asset and exposure information.

  • Zühlke played an active role as a trusted advisor with deep expertise in DevSecOps and supported BitMEX in transforming its development process from ad-hoc security testing to a systematic DevSecOps model in just over 12 months.

Safeguarding client assets is central to BitMEX's operations. Known for refusing to trade security for convenience, BitMEX has never lost client cryptocurrency since its launch.

Given the evolving threat landscape and the increasing pace of software delivery and cloud infrastructure refactoring, it became apparent that the company's traditional security testing methods needed to be reassessed and improved.

As such, BitMEX partnered with Zühlke to bootstrap a DevSecOps function in order to:

  1. Implement an integrated security testing process
  2. Train developers on secure coding practices
  3. Achieve a secure, workable CI/CD pipeline leveraging reliable asset and exposure information, with contextualised cyber threat intelligence sources 

With a global market capitalisation of USD 807 billion in 2023, cryptocurrency has become an attractive target for cyber attackers.

BitMEX is one of the world's largest cryptocurrency exchanges and derivatives trading platforms, and is committed to staying ahead of bad actors by strategically advancing its application security programme.

To secure its development and infrastructure teams without slowing them down, BitMEX stood up a dedicated in-house DevSecOps practice. Mobilising a global team of DevOps and security engineers, Zühlke partnered with BitMEX to quickly add new guardrails, enable new security processes and embed additional tools in the delivery pipeline.

Outcome #1: Embedding comprehensive application security testing and software composition analysis tools in the development pipeline


Attackers think in graphs: they map the interconnections within the system they are trying to breach, because unauthorised access to sensitive data or systems usually depends on chaining several vulnerabilities or faulty controls rather than exploiting a single flaw. In a CI/CD pipeline specifically, the trust relationships between interconnected stages and components (a build runner that can write to the artefact store, a deploy job that trusts whatever the build produced) can be abused to introduce malicious or unvetted code into production.

This is why the initial focus for Zühlke and BitMEX was to reassess and map the potential lateral movement and artefact pollution risks within the CI/CD pipeline.

'With the right people, a refined set of processes and a selection of consolidated security tools as the linchpin, BitMEX was able to construct a stronghold that amplifies the effectiveness of our overall security ecosystem.'
Florian-Alexandre Bielak
Chief Information Security Officer, BitMEX

Additionally, residual vulnerabilities in third-party software or unpatched infrastructure can be as damaging as a social engineering attack that harvests system administrators' credentials. Mitigating this residual risk requires a layered set of preventive, detective and compensating controls.

To further enhance BitMEX's security, the partnership revisited static application security testing (SAST), dynamic scanning (DAST), secret scanning and software composition analysis (SCA), and where each runs in the pipeline. This also ingrained a "shift-left" approach to security testing, with security considerations introduced in the earliest stages of the software development lifecycle rather than only before release.

By fostering shared responsibility among development, operations and security teams, this established the foundations of an agile framework embedded in every phase of the development process, from design to implementation, with lightweight failsafe mechanisms in place.
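As an added illustration of what one of these pipeline gates looks like in practice (example code written for this page, not BitMEX's or Zühlke's tooling), the following Python script scans the added lines of a diff for credentials before a merge is allowed. It combines a fixed-format rule for AWS access key IDs with a generic rule for `password = "..."`-style assignments that only fires when the value is high-entropy and not an obvious placeholder. The rule names, thresholds, placeholder words and the sample diff are all constructed for the example; the AWS key in the sample is the placeholder value AWS uses in its own documentation.

```python
"""Pre-merge secret-scanning gate run over a diff in CI.

Added example (not BitMEX's or Zühlke's own tooling): a structured AWS
access-key rule plus a generic "keyword = value" rule that is only reported
when the value is high-entropy and not an obvious placeholder.
"""
import math
import re
import sys
from collections import Counter
from dataclasses import dataclass
from typing import List


@dataclass
class Finding:
    rule: str
    line: int      # 1-based line number within the diff text
    excerpt: str   # matched value, partially masked so the report itself leaks nothing


# AWS access key IDs have a fixed shape, so a match is reported unconditionally.
AWS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# "password = '...'" style assignments; the keyword must sit directly before = or :
GENERIC_RE = re.compile(
    r"(?i)(?:^|[^a-z0-9])(password|passwd|secret|token|api[_-]?key)"
    r"\s*[:=]\s*['\"]?([A-Za-z0-9+/=_\-]{16,})"
)
PLACEHOLDER_WORDS = ("example", "placeholder", "changeme", "replace", "xxx")  # assumed allowlist
ENTROPY_THRESHOLD = 3.5  # bits per character; random tokens sit well above this


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character of the string."""
    counts = Counter(value)
    length = len(value)
    return -sum(c / length * math.log2(c / length) for c in counts.values())


def mask(value: str) -> str:
    return value[:4] + "..." + value[-2:]


def find_secrets(diff_text: str) -> List[Finding]:
    """Scan only the lines a change adds; context and removed lines are ignored."""
    findings: List[Finding] = []
    for lineno, raw in enumerate(diff_text.splitlines(), start=1):
        if not raw.startswith("+") or raw.startswith("+++"):  # "+++" is the file header
            continue
        line = raw[1:]
        for m in AWS_KEY_RE.finditer(line):
            findings.append(Finding("aws-access-key-id", lineno, mask(m.group(0))))
        for m in GENERIC_RE.finditer(line):
            value = m.group(2)
            if any(word in value.lower() for word in PLACEHOLDER_WORDS):
                continue  # documentation placeholder, not a credential
            if shannon_entropy(value) < ENTROPY_THRESHOLD:
                continue  # repeated or dictionary-like value, not a generated secret
            findings.append(Finding("generic-credential", lineno, mask(value)))
    return findings


# Constructed sample diff; AKIAIOSFODNN7EXAMPLE is the placeholder key from AWS's docs.
SAMPLE_DIFF = """\
+++ b/config/settings.py
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+DB_PASSWORD = "x9K2mQ7vB4nR8sT1wZ5yL3pH6jD0fG"
+API_KEY = "REPLACE_WITH_YOUR_KEY"
+SESSION_TOKEN = "aaaaaaaaaaaaaaaaaaaaaaaa"
+DEBUG = True
"""

if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIFF
    found = find_secrets(text)
    for f in found:
        print(f"{f.rule} at diff line {f.line}: {f.excerpt}")
    sys.exit(1 if found else 0)  # non-zero exit fails the pipeline stage
```

Wired into CI as `git diff origin/main...HEAD | python secret_gate.py` (the filename is assumed), a non-zero exit blocks the merge. The entropy and placeholder checks are what keep such a gate from burying developers in false positives, which is the usual reason shift-left tooling ends up disabled.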

Outcome #2: Asset security controls and configuration as code


By deploying a cyber asset attack surface management programme, BitMEX can now prioritise threats against a reliable inventory of its assets and monitor consistently for new types of suspicious activity.

Just as you would not assume your home is safe from intruders every time you return, it is crucial not to assume that your network is impervious to attackers; a proactive mindset is required. Cyber threat intelligence sources provide insight into the targets and tactics of the relevant threat actors. Combined with information about the vulnerabilities present in the organisation and their potential impact, this quantifiable data helps BitMEX prioritise its decision-making.

By moving from implicit trust to continuous evaluation of explicit trust (the zero-trust principle), BitMEX strengthened its access controls with context-based signals from unified endpoint management (UEM) and identity provider (IdP) systems, such as device compliance posture and the strength of the authentication used.

To manage the growing complexity of the IdP's authentication policies, the partnership adopted configuration as code, commonly known as GitOps. Policy is kept in version control, which standardises configuration and means every change is peer reviewed, carries a complete history and must pass the relevant CI checks before it is applied.

This cultural shift allowed BitMEX to move away from a "click-ops" model, in which governing change control becomes harder as complexity grows.
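To make the GitOps model concrete, the following Python check is an added example (not BitMEX's or Zühlke's code; the policy schema, group names, factor names and guardrail values are assumptions for illustration) of the kind of CI check such a pull request would have to pass. It validates a proposed IdP authentication policy against absolute guardrails and, separately, compares it with the reviewed policy on the main branch, so that a change which silently weakens an existing rule is blocked even when the result still satisfies the absolute checks. Both policy documents are constructed for the example.

```python
"""CI guardrail check for an IdP authentication policy kept as code.

Added example, not BitMEX's or Zühlke's own tooling. The rule schema (groups,
factors, session_seconds, an ordered rule list ending in a default deny) is a
hypothetical simplification of what an IdP exposes through its API or
Terraform provider; the guardrails encode invariants a reviewer should not
have to re-check by hand on every pull request.
"""
import json
from typing import Dict, List

PRIVILEGED_GROUPS = {"admins", "sre", "treasury-ops"}          # assumed group names
PHISHING_RESISTANT = {"webauthn", "fido2", "hardware_token"}   # assumed factor names
MAX_PRIVILEGED_SESSION_SECONDS = 8 * 3600                       # assumed guardrail


def load_policy(text: str) -> Dict:
    """Policies live in Git as JSON; parsing is the only I/O this check does."""
    return json.loads(text)


def _is_privileged(rule: Dict) -> bool:
    groups = set(rule.get("groups", []))
    # A wildcard rule also covers admins, so it is held to the privileged bar.
    return "*" in groups or bool(groups & PRIVILEGED_GROUPS)


def check_policy(policy: Dict) -> List[str]:
    """Return guardrail violations; an empty list means the policy may merge."""
    violations: List[str] = []
    rules = policy.get("rules", [])
    last = rules[-1] if rules else {}
    if not rules or last.get("action") != "deny" or set(last.get("groups", [])) != {"*"}:
        violations.append("policy must end with an explicit deny rule for all groups")
    for rule in rules:
        if rule.get("action") != "allow":
            continue
        name = rule.get("name", "<unnamed>")
        factors = set(rule.get("factors", []))
        if factors <= {"password"}:
            violations.append(f"{name}: password-only (or factorless) allow rule")
        if _is_privileged(rule):
            if not factors & PHISHING_RESISTANT:
                violations.append(f"{name}: privileged access requires a phishing-resistant factor")
            if rule.get("session_seconds", 0) > MAX_PRIVILEGED_SESSION_SECONDS:
                violations.append(f"{name}: privileged session exceeds {MAX_PRIVILEGED_SESSION_SECONDS}s")
    return violations


def regressions(base: Dict, proposed: Dict) -> List[str]:
    """Factors that a change removes from an existing rule.

    Run against the reviewed policy on the main branch, so a weakening is
    called out even if the result still passes the absolute checks above.
    """
    before = {r["name"]: set(r.get("factors", [])) for r in base.get("rules", []) if "name" in r}
    out: List[str] = []
    for rule in proposed.get("rules", []):
        name = rule.get("name")
        if name in before:
            removed = before[name] - set(rule.get("factors", []))
            if removed:
                out.append(f"{name}: removed factors {sorted(removed)}")
    return out


# Constructed policy on the main branch: admins need WebAuthn, sessions capped at 4h.
BASE_POLICY_JSON = """{
  "rules": [
    {"name": "admins-console", "groups": ["admins"], "apps": ["admin-console"],
     "action": "allow", "factors": ["password", "webauthn"], "session_seconds": 14400},
    {"name": "staff-sso", "groups": ["staff"], "apps": ["*"],
     "action": "allow", "factors": ["password", "totp"], "session_seconds": 43200},
    {"name": "default-deny", "groups": ["*"], "apps": ["*"], "action": "deny"}
  ]
}"""

# Constructed pull request: a "convenience" change dropping WebAuthn and lengthening sessions.
PROPOSED_POLICY_JSON = """{
  "rules": [
    {"name": "admins-console", "groups": ["admins"], "apps": ["admin-console"],
     "action": "allow", "factors": ["password"], "session_seconds": 86400},
    {"name": "staff-sso", "groups": ["staff"], "apps": ["*"],
     "action": "allow", "factors": ["password", "totp"], "session_seconds": 43200},
    {"name": "default-deny", "groups": ["*"], "apps": ["*"], "action": "deny"}
  ]
}"""

if __name__ == "__main__":
    base, proposed = load_policy(BASE_POLICY_JSON), load_policy(PROPOSED_POLICY_JSON)
    problems = check_policy(proposed) + regressions(base, proposed)
    for p in problems:
        print("BLOCK:", p)
    raise SystemExit(1 if problems else 0)  # non-zero exit fails the pull request check
```

The two layers matter for different reasons: the absolute checks stop a policy that was never acceptable, while the comparison against the base branch catches the more common failure, an incremental change that is individually defensible but erodes a control that was put in place deliberately.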

'The culture at BitMEX is one very similar to Zühlke. We are a team that is empowered to speak up with courage, challenge and be challenged, and always put the success of the entire organisation first.'
Kaushal Silva Ranpatabendige
Lead Engagement Manager, Zühlke

In just over 12 months, BitMEX transformed its development process from ad-hoc security testing to a systematic DevSecOps model.  

The collaboration with Zühlke has been a success, achieving the dual goal of maintaining a high level of security while supporting rapid software development.  

Contact person for Singapore

Ruchi Singhal

Business Development Director APAC

Ruchi is an experienced technologist with over 20 years of IT industry experience working with global financial institutions, enterprises, and start-ups. In her role, Ruchi has led interdisciplinary teams building & supporting successful digital solutions, products, and platforms for the financial services sector. She is passionate about solving complex business problems using innovative digital solutions to transform and grow businesses.
