Executive Summary
Omnissa is a leading digital work platform company, empowering dynamic workforces worldwide to do their best work from anywhere. With AI-driven solutions spanning Unified Endpoint Management, Virtual Apps and Desktops, Digital Employee Experience, and Security & Compliance, Omnissa is trusted by over 26,000 customers and backed by a 20-year track record.
As a software company whose products serve millions of end users across critical industries, Omnissa holds itself to rigorous supply chain security standards. When the team identified gaps in native GitHub controls - spanning CI/CD runners, third-party actions, and package registries - that their existing security suite could not fully address, they turned to StepSecurity, a comprehensive supply chain security solution purpose-built for the GitHub ecosystem.
The Challenge
Omnissa’s engineering and security teams discovered that native GitHub controls for runners and actions left gaps that could not be fully closed with their existing security tooling. They also needed more robust protection against compromised packages in third-party registries such as NPM. For a company that ships software to millions of users across critical sectors, these gaps fell short of Omnissa’s standards.
The team understood the risks inherent in consuming third-party GitHub Actions but needed to balance security with developer productivity. They had instituted a policy requiring teams to pin untrusted third-party actions to a specific commit hash, rather than a mutable tag or branch, after performing a code review. In practice, however, enforcement proved difficult.
Before adopting StepSecurity, Omnissa relied on a combination of solutions:
- General-purpose host security for self-hosted runners
- Manual hash pinning and code reviews of consumed actions
- Native cooldown functionality provided by GitHub for package registries
While this combination addressed the baseline requirements of Executive Order 14028 and NIST SP 800-161r1, it did not meet Omnissa’s internal standards. As a lean organization, they also wanted to avoid overreliance on time-intensive internal reviews of third-party software.
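The commit-hash pinning policy described above is mechanically checkable, which is what turns a written policy into an enforced one. The script below is an added illustration, not Omnissa's or StepSecurity's code: it scans GitHub Actions workflow text for `uses:` references and flags any third-party action or reusable workflow that is not pinned to a full 40-character commit SHA. The trusted-owner allowlist (`actions`, `github`), the sample workflow, and the decision to skip local (`./`) and `docker://` references are assumptions made for this example.

```python
"""
Checker for a "pin third-party actions to a commit SHA" policy.

Added example, not code from the case study. Assumptions:
  - owners in TRUSTED_OWNERS are treated as first-party and exempt
  - local (./path) and docker:// references are out of scope
  - a reusable-workflow reference (owner/repo/.github/workflows/x.yml@ref)
    is checked the same way as an action reference
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")

# Matches `uses: owner/repo[/path]@ref`, optionally quoted, optionally
# followed by a `# vX.Y.Z` comment. Line-based on purpose: no YAML parser needed.
USES_LINE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?(?P<ref>[^\s'\"#]+)['\"]?\s*(?:#\s*(?P<comment>.*))?$"
)

# Assumption: owners the organisation considers first-party/trusted.
TRUSTED_OWNERS: Set[str] = {"actions", "github"}


@dataclass
class Finding:
    line_no: int
    ref: str
    reason: str


def classify(ref: str, trusted_owners: Set[str] = TRUSTED_OWNERS) -> Optional[str]:
    """Return a reason string if `ref` violates the policy, else None."""
    if ref.startswith("./") or ref.startswith("docker://"):
        return None  # local or container action: not a third-party repo ref
    if "@" not in ref:
        return "no @ref at all (resolves to the repository's default branch)"
    target, version = ref.rsplit("@", 1)
    owner = target.split("/", 1)[0]
    if owner in trusted_owners:
        return None
    if not FULL_SHA.match(version):
        return f"ref '{version}' is not a full 40-character commit SHA"
    return None


def check_workflow(text: str, trusted_owners: Set[str] = TRUSTED_OWNERS) -> List[Finding]:
    """Scan workflow text line by line and collect policy violations."""
    findings: List[Finding] = []
    for n, line in enumerate(text.splitlines(), start=1):
        m = USES_LINE.match(line)
        if not m:
            continue
        reason = classify(m.group("ref"), trusted_owners)
        if reason:
            findings.append(Finding(n, m.group("ref"), reason))
    return findings


# Constructed sample workflow (not a real Omnissa workflow). Only the
# cache-helper line satisfies the policy among the third-party references.
SAMPLE_WORKFLOW = """\
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: some-org/setup-tool@v2
      - uses: some-org/lint-action@main
      - uses: some-org/cache-helper@0123456789abcdef0123456789abcdef01234567 # v1.4.0
      - uses: another-org/release@1234567
      - uses: ./.github/actions/local-build
      - uses: docker://alpine:3.19
      - uses: third-org/shared/.github/workflows/ci.yml@v3
"""

if __name__ == "__main__":
    for f in check_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line_no}: {f.ref}: {f.reason}")
```

On the sample the script reports lines 8, 9, 11 and 14: a tag, a branch, a short SHA, and an unpinned reusable workflow. A full SHA is immutable, so a reference that passed review cannot silently change afterwards; the review itself remains the step that establishes trust in that specific commit, and the checker only confirms that the reviewed commit is what the workflow actually consumes.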
“StepSecurity feels like the missing piece of GitHub itself. The depth of intelligence in StepSecurity’s governance platform gives a security engineer peace of mind in what is otherwise an unruly, hazardous environment.”
- Adora Lynch, Senior Staff Engineer, Continuity Team, Omnissa
Why StepSecurity
Omnissa evaluated StepSecurity as the only comprehensive supply chain security solution on the market for the GitHub ecosystem. Where other approaches offered partial coverage, StepSecurity delivered an integrated platform that addressed their full range of requirements, from CI/CD runner protection and action governance to package registry security.
The initiative was led by a cross-functional group from across Omnissa’s engineering organization: Adora Lynch, Senior Staff Engineer, Continuity Team; Scott Carter, Staff 2 Engineer, WS1 Intelligence; Adam Gross, Senior Staff Engineer, Horizon; and Lynn Tran, Manager, Product Security. Each brought a distinct stake in the company’s supply chain security strategy.
“I am extremely impressed with the depth of StepSecurity’s solution. Every time I brought up a security concern about the GitHub actions ecosystem, they not only acknowledged it but also offered a mitigation.”
- Adam Gross, Senior Staff Engineer, Horizon, Omnissa
Results
Since deploying StepSecurity, Omnissa has strengthened its supply chain security posture across the organization without disrupting developer workflows. Key outcomes include:
- Evaluated the risk profile of all third-party actions and replaced many with StepSecurity Maintained Actions
- Enforced consistent hash pinning of actions across the enterprise, closing the policy-compliance gap
- Mitigated risk of runner compromise through network-level controls
- Prevented runners from consuming unapproved or compromised software
- Reduced the ongoing burden of monitoring for compromised packages in third-party registries such as NPM
“StepSecurity is critical for filling in the blanks with our GitHub security posture. They cover all the major shortcomings of the GitHub 3rd party actions ecosystem architecture in addition to many more security focused tools and features to make sure we’re secure.”
- Scott Carter, Staff 2 Engineer, WS1 Intelligence, Omnissa
Critically, the rollout had no major impact on day-to-day development workflows, enabling Omnissa to elevate its security posture while maintaining the velocity its engineering teams depend on.
“StepSecurity enables us to scale security enforcement across thousands of repositories by automatically generating consistent, policy-driven pull requests. This ensures a uniform security baseline without adding manual overhead.”
- Lynn Tran, Manager, Product Security, Omnissa