How SME lender New10 uses AWS and Snyk to deliver quickly and securely

July 8, 2019 | in Case Studies
| By Hayley Denbraver, Udi Nachmany

“Snyk simplifies our continuous delivery pipelines by directly integrating security. Now, our pipelines are shorter, and new applications and features go into production faster. Ultimately, this means we can deliver value to the business faster and more securely.” – Kirill Kolyaskin, Lead Cloud Engineer at New10

New10 is an online lender, leveraging the benefits of the most cutting-edge technology to offer a fully digital lending process to more than 1,000 customers.

The FinTech scale up has deep roots in the AWS Cloud and uses AWS for loan administration, risk comprising services, customer information services and analytical services. New10 chose Snyk to integrate security best practices directly into their development pipelines. In this case study, we’ll share how New10 has leveraged both AWS and Snyk to deliver value to their customers faster and with security always at the forefront.

New10: The New norm in business lending

When a small or midsize business applies for a loan through a traditional bank, it often has to deal with a lot of paperwork and weeks of waiting for a credit decision. On the other hand, online lenders and crowdfunds often have high interest rates, which create barriers for growth. New10 is set up to fill this gap for SMEs, offering a fast, simple and entirely digital lending process, low rates, and quality customer service. They have grown their business from zero to 1,000+ customers in just two years because of their innovation in the FinTech space.

How New10 leverages AWS

AWS enables New10 to scale their business with a small, seven-person DevOps team. With their business entirely in the cloud and primarily (about 80%) serverless, they are able to experiment quickly and easily. New10 takes advantage of the latest cloud-based technologies to bring useful new features to their customers with impressive speed.

New10 leverages many AWS services to accomplish their goals, notably in the areas of serverless (Lambda, Step Functions), databases (Redshift, Aurora and Dynamo), application integration (SQS, SNS and Kinesis), security and audit (GuardDuty, CloudTrail, Secrets Manager), and compliance (Config, SecurityHub).

New10 relies on Lambda to run their serverless infrastructure within a highly regulated environment. While some companies use Lambda only for certain tasks, New10 is all in. Kirill Kolyaskin, Lead Cloud Engineer at New10, explains, “We use it for everything. Our entire production workload runs on Lambda.”

New10’s commitment to innovation has enabled them to create a unique and user-friendly product powered by AWS technology.

The Challenge: Bringing security into the pipeline

New10 pays close attention to security and compliance,  taking data protection rules and best practices seriously. They understand that the potential consequences of a data breach or other security misstep are significant. It is New10’s job to run as securely as possible.

With a complex and cutting edge technology toolset on board, the team began looking for a way to incorporate security directly into their continuous integration and delivery (CI/CD) pipelines, no matter what language or technology was being used. They had already invested in security tooling, but many of the tools they used were language locked or difficult to maintain. None offered a single security solution that could become the standard for the entire company.

Their ideal tool would not slow down their DevOps processes, would integrate neatly into their AWS tooling, and align nicely with their developer first approach to software development. Specifically, New10 wanted to find a security solution that would integrate with AWS Lambda, AWS ECR and Gitlab CI to make security an essential part of their development circle. Snyk natively integrated with AWS services via IAM. As Kirill puts it, “Snyk fits our technology ecosystem.”

Why New10 chose Snyk

When organizations build in serverless in the cloud, there is no perimeter. All of your APIs and Lambdas are public by default. It’s key for an organization using serverless solutions to take all precautions to identify and resolve vulnerabilities wherever they may arise. Snyk began to search for a solution to this challenge.

Many security tools on the market do not offer standardization, meaning that different solutions must be employed to work with different languages or platforms. Additionally, many security tools do not offer deep, out-of-the-box integrations with the likes of AWS. In fact, even in 2019, many security tools are not cloud-native. This was not going to cut it for New10.

After doing some research, New10 conducted a proof of concept with Snyk using one of their development teams as a test case. They were surprised to find that Snyk was able to complete the proof of concept in record time. Most importantly, Snyk has IAM integration with AWS ecosystem.They were able to integrate directly with AWS Lambda, and developers can even use Snyk right within their feature branches.

“Snyk is one of our core building blocks. Developers can run it how and when they want within their pipelines. We give them a lot of flexibility and ownership.” – Kirill Kolyaskin, Lead Cloud Engineer

Out-of-the-box integrations

The team chose Snyk in large part due to its “out of the box” integrations with AWS, especially Lambda. You can add all your Lambdas into Snyk in a few clicks using the UI, or via the well-documented, developer-oriented API. Every time someone deploys Lambda, they can immediately see any relevant vulnerabilities. Developers are notified of these vulnerabilities and cannot forget to fix them. Kirill found this one of the biggest areas of return on investment, saying:“Because Snyk is so closely integrated with AWS, our DevOps team doesn’t need to spend their time on configuration. Instead, they can focus their time on getting new features out faster.” Snyk’s deep, out-of-the-box integrations with AWS were a game-changer for New10.

Making security seamless

As a DevOps team at a company with innovation woven into its DNA, New10’s engineers and ops pros are often excited to test out a new product or solution. That said, their CI/CD pipelines are a well-oiled machine, and they didn’t want to do anything to slow down productivity or hamper their ability to deliver services quickly and efficiently. For this reason, the team was pleased to discover that, not only did Snyk not slow anything down; in fact, the ability to integrate security checks directly into the pipeline actually helped them speed up delivery.

Kirill shared, “As with any new tool, the DevOps team was a bit worried about how we were going to transition with the integration. They were really pleased to find that it was smooth and integrated and didn’t slow them down at all.”

Plus, with less time spent on security, they could rapidly get back todeveloping innovative FinTech solutions.

A natural part of the workflow

As a dynamic FinTech company, practically everyone at New10 writes code, even the product managers. It was important to New10 that their security tool of choice be easy to use, regardless of who is using it and their familiarity or background in security. Now that Snyk is in place, everyone from developers to cloud engineers to data scientists uses it daily with ease. Snyk’s integration into tools like Slack and Gitlab.com, as well as the entire AWS ecosystem, means security has become a natural part of New10’s daily workflows—rather than an interruption.

Visibility for security leadership

From the vantage point of New10’s security officer, Snyk’s major benefit is that it makes it nearly impossible for developers to forget or miss vulnerabilities. Snyk also offers a high-level overview of all vulnerabilities, enabling their security officer to understand what needs to be fixed and who is responsible. Snyk helps the team decrease the backlog faster, and security leaders can see high-level trends that reflect how the dev team is managing vulnerabilities over time. This ensures better governance and oversight, and helps them comply with relevant rules and regulations.

Going beyond production

New10 is also unique in that they have a data science team in-house. This team is often writing non-production code. Fortunately, in part because this internal code is run on serverless infrastructure, they are able to use Snyk for it as well. The New10 team can rest assured that their entire environment is safe, whether it will touch a customer directly or not.

New10 + AWS + Snyk = A simpler pipeline

As an AWS-native and largely serverless young company, New10 has always operated on the bleeding edge of technology. Bringing Snyk and its tight integrations with AWS onboard, the team is able to bring the benefits of cutting-edge serverless technologies to the old-school world of finance. Snyk helps them shorten their development cycles with out-of-the-box AWS integrations and a DevOps-friendly approach to security.

As a result of their partnership with Snyk, New10 has reduced time spent on vulnerability scanning by 35% and dramatically Increased pipeline velocity.

Today, New10 is able to seamlessly integrate security into their CICD pipelines without slowing their team down. They are able to deliver new features and functionality to their customers faster than ever before, with the peace of mind that security has been tightly integrated from the very beginning. 

Snyk’s AWS integrations allow customers to monitor deployed code for any known vulnerabilities found in application dependencies, testing at a frequency businesses control. For each test, Snyk will communicates directly with AWS to determine exactly what code is currently deployed and what dependencies are being used. Each dependency is in turn tested against Snyk’s comprehensive database to see if it contains any known vulnerabilities. Snyk is an Advanced AWS Technology Partner.