Jobvite Makes Recruiting More Engaging and Secure.

Jobvite’s Evolve Talent Acquisition Suite mitigates application security risks by automatically identifying and blocking potential threats with Traceable AI

Customer: Jobvite, an Employ Inc. brand, is leading the next wave of talent acquisition innovation with a marketing-centric approach to recruiting. Jobvite’s Evolve Talent Acquisition Suite offers more breadth and depth in functionality than any other talent acquisition technology available in the market, addressing the entire hiring lifecycle. To learn more, visit jobvite.com or follow the company on social media @Jobvite.

Challenge: Jobvite has built the unified Evolve Talent Acquisition Suite, containing more than 50,000 APIs. The company has strong visibility into its cloud-hosted environment, but was challenged in determining whether application misbehavior was due to a code defect or caused by a malicious outside attack. Jobvite’s engineering teams also needed a way to uncover security flaws earlier in the development cycle to reduce costly downstream rework and risk vulnerabilities getting in the production environment.

Solution: After considering WAFs, but finding them too costly and labor-intensive to be effective in its complex environment, Jobvite deployed Traceable AI in its application development process. Traceable AI now provides Jobvite’s engineers with insights into potential security risks deep within the application stack to prevent and mitigate risks, while offering fine-grained permissions control to block selected threat vectors.

Successful businesses, regardless of industry, all have something in common—great talent. Today, recruitment professionals need every advantage they can get to attract the right people into their organizations. The competition is fierce. And sourcing, screening, nurturing, interviewing, and onboarding the best people for each job is a complex and demanding task. That’s why more talent acquisition teams turn to Jobvite, part of Employ Inc., and its comprehensive Evolve Talent Acquisition Suite.

Sudipta Ghose, Vice President of Engineering, Jobvite, explains, “We’ve developed a suite of technology solutions using automation and analytics to make the recruiting, hiring, and onboarding processes much easier and more engaging for both candidates and hiring teams.”

The Jobvite Suite spans the entire recruitment lifecycle, from creating and marketing new positions through onboarding new team members. The Suite includes multiple solutions, comprising everything from software developed initially in the early 2000s to container-based microservices and modern, cloud-native serverless environments. Jobvite’s Evolve Talent Acquisition Suite contains more than 50,000 APIs, spanning four core workloads hosted across Amazon Web Services, Microsoft Azure, and Google Cloud.

While application performance monitoring provided visibility and could surface errors, it did not support Jobvite’s engineering teams in distinguishing whether application misbehavior was due to a code defect or caused by a malicious outside attack. To do that, Jobvite needed both observability and intelligent security at the API level.

The Solution

Jobvite initially attempted to secure the perimeter using WAFs. However, with 50,000 APIs, the WAF approach would have been extremely labor-intensive and costly to write all the necessary rules and exceptions.

“We had a security challenge that simply could not be solved on the perimeter with a WAF,” Ghose says. “We needed a different way to detect and defend against all cyber attacks, including those that could come from within.”

Traceable AI answered that need. Ghose explains, “Traceable AI is differentiated from the other vendors we looked at because it provides AI and machine learning that determines the probability of a certain kind of behavior being an attack. It enables us to quantify and mitigate our risk by helping us focus on likely attack vectors and prevent attacks from being successful. That’s invaluable for a Suite like ours that deals in a lot of personally identifiable information (PII data).”

Traceable AI also provides Jobvite with fine-grained control over what actions are permissible inside the software. For example, if a JavaScript is serving files from a location that is not appropriate, Jobvite can just disallow that activity through Traceable AI. “If there’s a flaw in the permissions or how the application server is deployed, Traceable AI knows what’s allowed or not. The ability to have that automatically prevent inappropriate action is unique in the industry.”

Saving Engineering Time, Strengthening Application Security

Since deploying Traceable AI, the Jobvite team now has intelligence from deep within the Suite and thousands of APIs to prioritize which vulnerabilities require attention. This helps the team work more efficiently to stay ahead of security threats and assure protection for private customer data.

“Traceable AI provides us with an understanding of which problems we need to focus on, which is extremely valuable,” Ghose notes. “We don’t need to waste engineering time trying to figure out problems that don’t pose an actual threat.”

He suggests that time savings can become substantial. “I would estimate each avoided false positive will save us at least 10 minutes. With hundreds of events per week, that could add up to more than 1,000 hours of engineering time saved over the course of a year.”

Ghose points out that Traceable AI provides detailed information beyond what’s reported by application performance monitoring, allowing his team to see the actual requests and responses at the front end. “For every single incident, Traceable AI enables us to build up a body of information where we can say, these things are normal and can be ignored, and these other things are abnormal and should be blocked.”

He continues, “Traceable AI helps us focus on where we spend our time investigating, but it also allows us to get a feel for vulnerabilities on the front end of this infrastructure that may not be exposed by an API request. Maybe there’s a flaw in the code that could be manipulated by an outside party to inject something malicious into our environment. Traceable AI allows us to get focused very fast and tell us that this is an issue that we need to investigate right now.”

Catching Security Flaws Early in the Development Cycle

AtJobvite has built a robust DevOps program and a continuous integration/continuous deployment (CI/CD) methodology, where individual engineering teams are responsible for their application from initial idea to when it’s no longer in production. Even though they perform static analysis, flaws can still slip through. But with Traceable AI running in the CI/CD environment, engineers know within minutes to hours if there is a security flaw exposed—before the application gets to QA or goes any farther downstream.

“The AI capability in Traceable AI is really key,” Ghose says. “By bringing a pre-configured, well-trained model to the Suite, Traceable AI saves our engineers from a lot of manual time and effort trying to learn all the possible threat vectors on their own. It helps us tighten up our CI/CD processes to reduce rework, time-to-market and, ultimately, costs.”

Ghose concludes, “Traceable AI provides us with a capability that’s incredibly affordable. The information it brings to us with very little effort not only strengthens our application security, but it brings us a return on investment that’s several orders of magnitude greater than any of the other options we considered.”

For more information on Traceable AI and our solutions, please visit traceable.ai