The Challenge
The SBA outsources most of its software projects, and its contractors build on a wide range of open source components. That freedom in tooling does not relax the agency's hard security requirements, so it partnered with Snyk for its ability to find and automatically fix open source vulnerabilities.
“The dev teams we contract with build apps using whatever languages they want,” explained Ryan Hillard, Systems Developer at SBA who oversees the systems that SBA runs in AWS (Amazon Web Services). “The reason we love the Snyk Open Source product is it gives us a greater level of intel on the various packages we’re using than any other solution we evaluated.”
The Solution: Implementing Snyk across diverse dev teams
The SBA had been using customized monitoring software for application security, but it lacked the versatility to scan for vulnerabilities across the agency's fleet of contractor development teams working in different languages and technologies.
After evaluating several options, the SBA trialed Snyk Open Source and quickly found it had the capabilities the agency needed to integrate security into its development process and scan all of its open source dependencies for vulnerabilities. Because the SBA runs most of its systems and workloads on AWS Lambda, Snyk's compatibility with AWS was a further plus.
“Other solutions could tell you if you have high or critical vulnerabilities, but Snyk tells you if your vulnerabilities have been exploited in the wild and how well the vulnerability is being managed,” said Ryan Hillard.
Hillard reiterated the importance of Snyk’s ability to detect if a vulnerability has been exploited in the real world. With contractor dev teams using a variety of coding languages and technologies, the SBA needs to prioritize its security decisions.
“We have more problems than people to solve them,” said Hillard. “Let’s say I have two critical vulnerabilities in an application. Snyk tells me one has a proof of concept out in the wild that they've seen exploited and the other is from an academic paper that was just published. Which one am I fixing? Snyk makes that decision easy.”
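The prioritization Hillard describes, written out as an added Python example (this is not SBA's or Snyk's own code): a small triage routine that ranks findings by exploit maturity before severity and CVSS score, so that of two criticals the one with a working exploit comes first. The report shape (a `vulnerabilities` list with `severity`, `cvssScore`, `exploit` and `isUpgradable` fields) is an assumption modeled loosely on scanner JSON output; the finding IDs and package names in the sample are constructed.

```python
"""Risk-based triage of open source findings: exploit maturity first, then severity.

Added example (not SBA or Snyk code). The report shape below is an
ASSUMPTION modeled loosely on a scanner's JSON output: a "vulnerabilities"
list whose entries carry severity, cvssScore, exploit and isUpgradable.
Adjust the field names if your scanner emits something different.
"""
from dataclasses import dataclass

# Exploit-code-maturity labels (CVSS temporal wording) mapped to a rank;
# higher means stronger evidence that the bug is usable by attackers today.
EXPLOIT_RANK = {
    "High": 4,              # mature, reliable exploit in wide use
    "Functional": 3,        # working exploit code exists
    "Proof of Concept": 2,  # PoC published, not weaponised
    "Unproven": 1,          # theoretical, e.g. only an academic paper
    "Not Defined": 0,       # no data yet
}
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Finding:
    id: str
    package: str
    severity: str
    cvss: float
    exploit: str
    upgradable: bool


def parse_findings(report: dict) -> list[Finding]:
    """Pull the fields triage needs out of a scanner report (assumed shape)."""
    out = []
    for v in report.get("vulnerabilities", []):
        out.append(Finding(
            id=str(v.get("id", "")),
            package=str(v.get("packageName", "")),
            severity=str(v.get("severity", "")).lower(),
            cvss=float(v.get("cvssScore") or 0.0),
            exploit=str(v.get("exploit", "Not Defined")),
            upgradable=bool(v.get("isUpgradable", False)),
        ))
    return out


def triage_key(f: Finding) -> tuple:
    """Sort key: most exploited first, then most severe, then highest CVSS,
    then findings with an available upgrade ahead of those without one."""
    return (
        -EXPLOIT_RANK.get(f.exploit, 0),     # unknown labels sink to the bottom
        -SEVERITY_RANK.get(f.severity, 0),
        -f.cvss,
        not f.upgradable,                    # False (upgradable) sorts first
    )


def prioritize(findings: list[Finding]) -> list[Finding]:
    return sorted(findings, key=triage_key)


def fix_first(report: dict) -> list[str]:
    """Finding IDs in the order a team with limited hours should work them."""
    return [f.id for f in prioritize(parse_findings(report))]


# Constructed sample: two criticals, one with a working exploit and one known
# only from a paper, plus a high with a PoC and a medium with no exploit data.
SAMPLE_REPORT = {
    "vulnerabilities": [
        {"id": "EXAMPLE-1", "packageName": "example-alpha", "severity": "critical",
         "cvssScore": 9.8, "exploit": "Unproven", "isUpgradable": True},
        {"id": "EXAMPLE-2", "packageName": "example-beta", "severity": "critical",
         "cvssScore": 9.1, "exploit": "Functional", "isUpgradable": True},
        {"id": "EXAMPLE-3", "packageName": "example-gamma", "severity": "high",
         "cvssScore": 8.1, "exploit": "Proof of Concept", "isUpgradable": False},
        {"id": "EXAMPLE-4", "packageName": "example-delta", "severity": "medium",
         "cvssScore": 5.3, "exploit": "Not Defined", "isUpgradable": True},
    ]
}

if __name__ == "__main__":
    for f in prioritize(parse_findings(SAMPLE_REPORT)):
        print(f"{f.id:10} {f.severity:8} cvss={f.cvss:<4} "
              f"exploit={f.exploit!r:19} upgradable={f.upgradable}")
```

Note that exploit evidence outranks the raw CVSS score here: EXAMPLE-2 (9.1, working exploit) is worked before EXAMPLE-1 (9.8, academic only), which is the call Hillard describes. Putting exploit maturity ahead of severity across all buckets is a design choice; a team bound to a policy such as "all criticals fixed within N days" can swap the first two entries of the sort key to make severity primary and exploit maturity the tiebreaker.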
The Impact: Integrating security and helping devs work smarter
The main impact since implementing Snyk, said Hillard, has been that the SBA development teams now think about security tactically on a daily basis when they’re coding. Security is not a specialized practice; it’s part of the developer mindset.
“Our developers are now in the habit of checking the Snyk Advisor score on a software package before using it,” said Hillard. “It’s changed their behavior. They pause now before they type code to see if there’s an alternative package with a better Snyk score.”
The Snyk Open Source tool has also led to a process change within the dev teams at SBA. Prior to Snyk, developers would have to comb through hundreds of “vulnerability alert” emails. They would then have to triage the alert with the vulnerability listed, research it in GitHub, update the code and push the changes live.
“The time and energy this would take was gigantic,” said Hillard. “With Snyk, you get a Snyk alert in Slack. This sends you to a pull request that Snyk has queued up for you with the minimum version upgrade you need to remove the vulnerability. You test that pull request and deploy a new version of the application. That’s four steps compared to about 18 steps the old way. Snyk just works so much better with how today’s human developers do their jobs.”
While Hillard doesn’t obsess over Snyk metrics, he notes that the SBA currently scans 70 repositories with Snyk Open Source and aims to cover all 280 of its repositories by the end of 2022. By implementing Snyk, the SBA has started its journey to continually improve its application security posture.