Interview with AutoScout24’s CTO on Implementing TuxCare
— In the fall of 2023, you launched major campaigns. What challenges did your team face?
— During that period, system load reached 150–200 requests per minute. Exactly at that time, critical vulnerabilities were discovered in third-party Java libraries we were using. Under our old approach, fixing them would take 10 to 14 days. Throughout that period, we were exposing our clients to risks and losing money: services went down, the “application → deal” conversion rate dropped by 8–10%, and up to 2% of transactions failed.
— How did you handle vulnerabilities before?
— We relied on a whole stack of tools. OWASP Dependency-Check listed the problems but didn’t provide solutions. Snyk suggested updates, but compatibility checks had to be done manually. Jenkins handled builds, but every dependency change still required manual intervention. Even a single vulnerability could drag the process out for weeks.
— What changed after adopting TuxCare?
— Honestly, we expected some acceleration, but we didn’t think the effect would be this dramatic. TuxCare automated the entire cycle—from continuous dependency scanning to project rebuilds and testing. The system itself selects a compatible version, applies updates with zero downtime, and rolls them back if needed. As a result, the time to remediate critical vulnerabilities has dropped to just 3–4 hours.
— Did you compare it with other systems?
— Yes. We specifically evaluated Snyk, OWASP Dependency-Check, and WhiteSource. They all help identify vulnerabilities, but the rest of the work remains with the team. TuxCare turned out to be the only tool that fully automates the entire cycle.
— What results did you see in the first month?
— The numbers speak for themselves:
- Instead of 14 days, it now takes just 4 hours to remediate a critical vulnerability.
- The “application → deal” conversion rate grew by 12%—simply because there are no service downtimes.
- Deployment failure rates dropped by 80%, from 15% down to 3%.
- We saw around an 8% increase in revenue thanks to stable performance during peak loads.
— What would you recommend to other companies?
— Previously, we treated vulnerability remediation as a separate and very costly process. Now it’s part of CI/CD, running continuously and requiring no developer involvement. I believe this is a step forward for the entire industry: security becomes a built-in feature rather than a standalone task.
