Kroger’s approach to supply chain security

Recently, Snyk hosted a wine tasting & customer discussion featuring David Imhoff, Product Security Leader at Kroger.  The discussion focused on tackling the challenges of securing digital supply chains.  

Kroger is a retail giant with 2,700 stores and 400,000 employees. The organization faces unique challenges because it operates on such a massive scale, adding complexity to its software supply chain and security. 

The wine tasting was facilitated by Purple Cork with wines from the Bibi Graetz winery. The winery is nestled in the foothills of Florence, operating out of a converted old hotel with a passion for aged and neglected vines and grapes from high elevations for a taste that highlights the purity of the soil and region. 

Shifting left with Snyk

To meet the challenges of securing its digital supply chain, Kroger has implemented a shift-left approach as part of its security strategy, using the full Snyk platform.

Shifting left integrates security practices early in the software development life cycle to integrate security practices seamlessly into the DevOps workflow.  This ensures that security is not a detached element but an integral part of the development and deployment process. 

In doing so, Kroger aims to navigate the complexities of its diverse technology stack efficiently, mitigating risk proactively rather than reactively. 

Working efficiently with Snyk

At Kroger, in addition to the shift-left approach, there is an emphasis on making it easy for developers to "do the right thing." 

Despite Kroger's vast scale, hiring hundreds of application security professionals isn't feasible. Instead, the focus is on leveraging tools like Snyk to maximize efficiency.  Kroger uses Snyk Code for cross-cutting visibility into issues and for a proactive stance on security.

Dave elaborated, “There's a lot of code. There are a lot of developers, and there are a lot of really complicated technologies that you constantly need to stay on top of.”

Overcoming software supply chain security challenges with Snyk

One of the biggest challenges to software supply chain security (SSCS) involves open source dependencies, constituting about 90% of all software. These dependencies span different programming languages, frameworks, and repositories.

Understanding the underlying risk in this environment is challenging — critical severity vulnerabilities in open source code constitute 60-70% of all identified vulnerabilities, underscoring the need for swift detection.

Kroger faces complex challenges in addressing vulnerabilities because of its scale and limited security personnel. Manually reviewing each developer's approved packages is impractical, yet recent surges in vulnerabilities underscore the importance of addressing these issues early, swiftly, and proactively.

Kroger is all about finding that sweet spot between developers experimenting with new packages and ensuring the codebase is rock-solid. Kroger's approach involves balancing security measures and developer autonomy, which is why Snyk is an excellent solution for them.

The toughest part about all this seems to be just the asset management and upkeep of all those dependencies you pull in. Most of the time, Snyk will realize that this is a weird package, and then if we see those downloads happening, we get a red alert.

- David Imhoff, Product Security Leader at Kroger

When developers at Kroger initiate a pull request, Snyk diligently scans for any irregularities or potential security risks in the proposed code changes. If suspicious open source package download activity is detected, alerts are triggered, functioning like an in-house security force for code integrity. 

David shared that Kroger recently identified a significant OpenSSL vulnerability, but was able to avoid exploitation because advance notice allowed for preemptive measures. This system allows developers the freedom to code without unnecessary constraints while continuous improvements and updates ensure robust security without impeding their creative style. 

Bottom line: engineering, security, and product teams must work closely together to ensure security. They should assess risks and adopt a risk-based strategy to address vulnerabilities specific to a threat's scope and criticality. This balancing act provides a proactive yet pragmatic response to emerging security challenges.

Looking ahead: Snyk, SBOMs, and AI

Kroger has effectively automated the SBOM generation process, leveraging the Snyk API to export SBOMs in a format that meets the new PCI DSS 4.0 compliance requirements. 

Kroger uses the SBOM as a dependency graph and is exploring its practical applications beyond vulnerability identification. Additionally, they are delving into SLSA and other guidelines for securing the build system while addressing challenges like AI governance and compliance with executive orders to remain proactive in the ever-evolving software supply chain security landscape.

Different teams have different security processes and tools that suit their specific workflows, making it challenging to ensure compliance. Snyk simplifies compliance with a unified developer security platform.

- David Imhoff, Product Security Leader at Kroger

The event wrapped up with questions about AI, particularly in light of the recent executive order mandating the disclosure of AI activities. Both presenters agreed that AI, the evolving threat landscape, and software supply chain security will keep them on their toes for the next few years, ending the talk with a live Snyk demonstration — you can watch it here. 

See why Snyk is the chosen security solution for developers and security teams—and what it can do for your team by scheduling a live demo today!