1.500+ Repositories, zero security overload: how November Five tackles security

Meet November Five: A Digital Agency Built on Innovation

Hi guys! Tell me a bit about yourself, and about November Five?

Hey team Aikido! We’re Stijn, Expert Leader Architecture, and Tim, Director of Product & Technology, at November Five. 

November Five is a digital product company that partners with businesses to create impactful digital customer experiences. We specialise in strategy, design, and technology and aim to deliver solutions that meet business objectives and user needs. November Five is where digital meets emotion. Here, we bring to life memorable digital that resonates, inspires and endures. Through our bespoke MX™ framework, we tap into innate desires and stir genuine emotion to let you stand out in a sea of sameness — aimed to inspire loyalty beyond satisfaction.

Companywise, 95% of the organization consists of product and engineering professionals. We work in customer-focused teams, which means that for every new customer/project we cherry pick a bespoke group of colleagues (with expertise in product, design, and engineering) to help cater to the client’s needs. Our Architecture team is involved with big iterations or partnerships, ensuring everything we do remains scalable – security being one of them. 

‍

How is November Five positioned within the realm of Digital Agencies, and compared to the competition?

November Five is known for its focus on innovation and delivering high-quality digital solutions. We differentiate ourselves through our strategic approach to digital transformation and commitment to creating value for our clients. We emphasise combining creativity and technology to stand out in the digital agency landscape.

‍

Security in Digital Agencies: an imperative
‍

"Aikido’s product is 100% designed for an agency context: it’s lightweight to implement, encompassing in functionalities, allows for proper triaging between teams, and offers alerts only when they’re necessary."

What purpose should security serve in a Digital Agency context?

Security is crucial in a digital agency context for protecting sensitive client data, maintaining trust, and ensuring compliance with regulations. It helps prevent data breaches and cyber-attacks, which can have severe financial and reputational consequences.

To go a little more in detail: we build CX products that are very close to the core of our customer's business. Typically we work on increasing intrinsic customer loyalty and retention on their main digital customer-facing channels.  Most of these projects we keep iterating non-stop on. On some of the projects we work seasonally. As you can imagine, it’s important we keep a good overview of what’s happening across the board. That’s why Aikido’s components like SCA and SAST are important for us: to keep an overview of all projects, and to only get alerted when we need to focus on fixing vulnerabilities for customers.

Within Digital agencies, I can imagine cost and margins are scrutinized often by customers. Then again, you also can't compromise on security at the risk of exposing customer data to vulnerabilities. How does Aikido help you deal with this?

Aikido offers a security solution that allows digital agencies to maintain high-security standards without excessively impacting their cost structure. It provides tools and processes that help identify and mitigate risks efficiently, thus protecting customer data and maintaining trust while managing costs effectively. 

The way security impacts digital agencies is twofold:

• First, we see security requirements and compliance questionnaires are added more and more in the RFP or contracting phase. Aikido helps us check a lot of boxes here.
• Second, by ensuring robust security measures, we can confidently offer additional services. For example, after delivery of a product we offer support contracts. These support contracts include security updates, which Aikido helps us manage.

Aikido’s product is 100% designed for an agency context: it’s lightweight to implement, encompassing in functionalities, allows for proper triaging between teams, and offers alerts only when they’re necessary. 

The Security Challenge: Managing 1,500+ Repositories
‍

"We don’t have dedicated security engineers—we need security to be self-serve. Aikido enables that with a decentralized workflow."

What’s the one thing that made you go “We need to get serious about security?”

The increasing frequency and sophistication of cyber threats highlighted the need for a more serious approach to security. Additionally, regulatory pressures and client demands for data protection are significant factors.

Before Aikido, what kept you up at night in terms of security?

Vulnerabilities are found continuously. In an agency context, many of our partnerships require continuous work, but not all of them. Many products have a seasonality, where engineering is wound down for considerable time. Aikido removes the worry that surfacing issues impact existing products we are responsible for without our knowledge. Aikido increases our trust and, thereby, our customers' trust in us.

What challenges or pains were you experiencing before purchasing Aikido?

Getting an objective and complete health view of all the codebases and products was hard. Doing this manually always gives a snapshot that ages in a matter of days or weeks, which was not acceptable to us. Getting a central overview of the security status across all active and inactive projects, with the classification and urgency aligned with our standards, is essential to our SDLC and long-term commitment to our customers.

Were you using a security tool before Aikido?

We had several tools in our CI/CD pipeline and a frequent review cycle by our engineering & support team, which only covered a small piece of the security puzzle. We lacked proper triaging, being able to create cross-repository depth, and a way to only get alerted on what matters.

We evaluated competing products, and almost all of them are targeting product teams, with a small number of repositories and many teams working on them. Most of them also offered only enterprise-pricing, they simply would bankrupt us (Snyk, for example). Aikido gives us a great tool, safety, but most importantly, a process that helps us in our business context. Feature-wise but also pricing model-wise.

Why Aikido? The perfect fit for agencies
‍

We evaluated competing products, and almost all of them are targeting product teams, with a small number of repositories and many teams working on them. Most of them also offered only enterprise-pricing, they simply would bankrupt us (Snyk, for example).

‍

As we're in an agency context, Aikido was a natural fit as it positions itself as a leader in our industry. The need to govern 1.500+ repositories, with a mix of active, in support, archived statuses and a relatively small number of engineering teams, requires a product designed and architected for us. We don’t have dedicated security engineers because we want to stay focused and enable everyone to self-serve for the engineers. That’s what we appreciate about Aikido: once it’s set up you can allow for a decentralized way of working.

‍

Many of the Git repositories in agencies can also be scattered: some sit with the customer, some on the agency-side. Aikido gives us the flexibility to set up all environments properly, and add them seamlessly in one central overview.

‍

Further, many of the Git repositories (whether GitLab, Bitbucket, or other) in agencies can also be scattered. Sometimes they sit with the customer, sometimes on the agency-side.  With Aikido, we get the flexibility to set up all environments properly, and add them seamlessly in one central overview.

What’s your experience working with the Aikido team?

Working with the Aikido team has always been fantastic from the start. Both being Belgian companies gave us a quick start. Still, the click of the Aikido team that helped us understand our context, setup, and challenges made it possible to roll out quickly and get immediate value from the platform.

‍

What’s your favorite feature?

The most favourite feature, at the risk of sounding meta, is the continuous stream of additions to the platform. Aikido has a knack for adding valuable features at a steady pace. They listen to their customers and take action on that. Practically, we like the clean integration in the pull requests, and we’re looking forward to our engineers starting to use the recently added AI Autofix feature.

‍