Xero customer - security for developers

Video: How Xero uses CloudPassage to get security into the hands of developers

shaane syed / 09.16.16

Guest blog by David Spark, Spark Media Solutions

“We have to get developers thinking about security at the start of the entire development lifecycle. And that even comes down to the fact that it’s mandatory to put tools like our CloudPassage Halo system onto everything they deploy,” said Aaron McKeown, lead security architect and cloud security product owner for Xero in our conversation at the 2016 Black Hat conference in Las Vegas.

For McKeown, security isn’t about tools and technology, it’s about communication and visibility.

McKeown loves getting results from CloudPassage Halo such as Software Vulnerability Assessment (SVA), configuration state management, and file integrity solutions. But they’re only valuable to him if he can get them into the hands of his developers.

“It’s about making everyone aware and everyone accountable about security. The public cloud is an ever changing environment. We need to make sure everyone is a security practitioner,” said McKeown.

McKeown believes that communications is key in order to create a security as a service development model. He suggests building one based on guardrails, not security gates the development team feels they have to bust through.

Ultimately, the reason Xero chose CloudPassage was because of its core functions, though with the many new features being released on a regular basis, they saw great potential.

Xero’s three security principles

To move forward, while also being in a secure state, Xero has three basic security principles that they recommend for others. They are:

  • Repeatable automation and management of security systems: This involves a continuous integration continuous development (CICD) environment for everything. When this is in place they have a repeatable and manageable infrastructure.
  • Operate at security at speed: Xero released 800 features last year. For them to operate that fast and maintain security, they have to be up to speed themselves, along with their partners and vendors.
  • Security on demand: They need to move away from paying for security at peak traffic, and pay instead for security when developers need it.


How Xero Uses CloudPassage to Get Security into the Hands of Developers – Black Hat 2016 from CloudPassage on Vimeo.