ProCircular

Table of Contents:

1. Background

2. Why Bright?

3. Developer Enablement

4. Support and Collaboration

5. Conclusion

Background

Blackstone had both SAST and DAST solutions deployed and operational; however, vulnerabilities were found too late and took 2-3 months to resolve.

Blackstone’s AppSec team looked for a dynamic application security testing (DAST) solution that could deliver highly accurate, enterprise-grade scans without slowing down development. After evaluating multiple vendors, Bright Security stood out for its ability to run dynamic scans early in the SDLC and significantly reduce false positives while maintaining comprehensive detection capabilities and workflow features. Bright’s DAST translated into meaningful time savings for both Blackstone engineering and security teams.

Why Bright?

Bright’s DAST solution ran significantly earlier in the SDLC and produced fewer false positives than the other solutions Blackstone tested or had previously deployed.
Importantly, the reduction in false positives did not come at the expense of missing real vulnerabilities. Moreover, Bright’s coverage is extensive, spanning the OWASP Top 10, OWASP API Top 10, OWASP LLM Top 10 and business logic vulnerabilities. The result was a more efficient triage process and faster resolution times, allowing our teams to focus on actual risk rather than noise.

=> Reduced time to resolve vulns from 2-3 months to 12 hours

=> 98% time saving and significant risk reduction with vulns not making it to prod

Developer Enablement

The partnership expanded when Bright introduced a developer-focused module that allows our engineers to run scans directly within their development workflows and address vulnerabilities early in the software development lifecycle. For a significant percentage of issues, remediation time dropped from over two months to under 12 hours. We continue to run traditional pre-production scans later in the lifecycle to catch complex and business logic vulnerabilities, but the shift-left approach has had a major impact on our overall security posture.

Support and Collaboration

Bright’s customer success team has been excellent to work with. The Blackstone and Bright teams worked closely together, and Bright has also worked hand-in-hand with other Blackstone portfolio companies. Bright’s responsiveness and technical depth have made them a true partner and solution provider rather than just another security vendor.

Support and Collaboration

Bright recently launched its STAR platform, which brings AI-powered autonomous security testing and remediation into the development pipeline. While Blackstone has yet to implement STAR because Bright’s AI code generation tooling does not yet align with Blackstone’s non-standard tools, the potential is clear. The platform promises to automatically generate dynamic security unit tests, detect vulnerabilities, guide fixes, and validate them, all directly within the CI/CD workflow.

For AppSec leaders, this could mean replacing what can sometimes be hundreds of hours of manual triage with a simple pull request ready for developer approval.

Conclusion

Bright Security has helped Blackstone streamline application security without compromising on quality. Their focus on developer experience, accuracy, and innovation makes them a strategic partner in our effort to build secure software at scale.