The Challenge
A global financial services company—operating in a highly regulated, security-sensitive environment—set out to reduce security risk and improve developer velocity without sacrificing control or compliance. With a sprawling application footprint made up of hundreds of Java-based services, teams were managing inconsistent versions of critical frameworks like Spring Boot, and dealing with complex dependency trees across GitHub-hosted monorepos.
While they already had mature DevSecOps practices in place—including static analysis and vulnerability scanning—the real bottleneck was remediation. Security alerts were surfaced, but the work of upgrading packages, removing deprecated methods, and verifying safe implementation still fell on developers. Each team approached modernization a little differently, leading to duplicated effort, fragmented tooling, and inconsistent outcomes.
The company’s goal wasn’t to overhaul broken systems—it was to scale excellence. They needed an approach that could codify best practices as policy, enforce them automatically, and reduce friction across highly distributed teams—all while integrating into their existing GitHub workflows and CI/CD pipelines.
Financial Services
Auto Remediation of OWASP & NIST Vulnerabilities
Java, Spring Boot, GitHub, CI/CD with Compliance Automation
100+
Critical security issues fixed in a single CI/CD run
Java 21-ready
Architecture across core services
1 Platform
Unified remediation across PCI, SOX, and internal security domains
The Solution
"We already had great developers and strong processes. Moderne just gave us a way to scale that—automating the things we used to do by hand and helping us move faster with more confidence."
To scale secure code remediation across hundreds of applications, the platform engineering team brought in Moderne. While they had experience with the open-source OpenRewrite framework, they needed something purpose-built for large organizations—something that could run changes safely across dozens of teams, enforce consistency, and integrate with their existing tooling.
Moderne provided that missing layer—a way to manage transformations across repositories, plug into CI/CD workflows, and apply custom rules aligned to internal policies and security requirements.
By connecting Moderne to GitHub and integrating it into CI/CD, the team shifted from a reactive, manual approach to something far more proactive and repeatable. Engineers could track changes, test them in staging, and deploy across services with minimal overhead.
How is Moderne used?
Upgrading vulnerable libraries
Automatically updating dependencies and cleaning up known risky patterns.
Modernizing frameworks
Streamlining the migration to Spring Boot 3.0 and Java 17 without needing to write custom scripts for every team.
Building internal recipes
Crafting reusable recipes to enforce secure defaults and meet compliance requirements across regulated environments.
Integrating with CI/CD workflows
Seamlessly connecting automated code changes into GitHub pipelines, enabling teams to validate and deploy updates with minimal manual effort.
Results
By integrating Moderne into their software delivery lifecycle, the platform engineering team significantly improved both their security posture and developer efficiency. What once required weeks of coordination—across security, development, and QA—could now be executed in hours through safe, repeatable code transformations.
Security updates that had previously been deprioritized due to manual overhead were now part of an automated process. Teams could respond to emerging CVEs quickly, validate proposed changes in staging, and push updates across production systems without writing custom scripts or slowing down delivery cycles.
This automation not only reduced technical debt, but also made it easier to adopt modern frameworks and meet internal security guidelines. The ability to validate changes across hundreds of repos in parallel helped the company maintain consistency and compliance—even across decentralized teams and legacy systems.
Looking ahead, the team plans to deepen integration into their DevSecOps toolchain, using Moderne as a strategic enabler for continuous modernization and risk reduction.
Moderne let us take a process that used to involve weeks of coordination and manual scripting, and replace it with something we could kick off in a few clicks.
what's next for moderne?
Standardizing secure defaults
Enforcing secure-by-default coding practices across teams with reusable, automated refactoring recipes.
Accelerating Spring Boot migrations
Simplifying the path to Spring Boot 3.0 with scalable, script-free code transformations.
Supporting compliance readiness
Delivering traceable, auditable changes to meet internal policies and regulatory requirements.
Dive Deeper
AI-driven refactoring for fintech codebases
Learn how OpenRewrite and AI agents automate code changes across thousands of fintech repos—improving developer workflows and accelerating modernization at scale.
Fix vulnerabilities across your codebase
Uncover and auto-remediate security flaws across all repos—from OWASP‑Top‑10 threats to vulnerable dependencies—enabling rapid response and proactive security posture.
Backpatching with Moderne
Address security risks in legacy applications at scale. Moderne’s backpatching approach simplifies safe, compliant remediation.
(PDF download)
