How Lunar shifted security left while building a cloud native bank

Brian PiperJanuary 20, 2022

At SnykCon 2021, a number of companies gave insightful talks on how they built successful AppSec programs. Kasper Nissen, Lead Platform Architect at Lunar and a Cloud Native Computing Foundation (CNCF) ambassador, gave one of them.

In this post, we’ll recap Nissen’s talk about how his security team at Lunar was able to shift security left while building a cloud native bank. He covers what it means to shift left, how to ensure ownership over a microservices architecture, how to empower developers through security tooling, and more.

Shifting from a fintech startup to a cloud native bank

Lunar began as a fintech startup that offered a mobile banking app built atop an existing bank in the Nordic region. In 2020, however, Lunar made the transition to becoming an official bank with its own banking license. Lunar now operates as a fully cloud native bank, serving customers in Denmark, Norway, and Sweden.

The challenge when we started was: how can we actually build a bank in the 21st century? That’s why we chose to run everything using cloud native technologies and a fully autonomous microservices architecture.

Agile cloud native security

Along with adopting a cloud native architecture using containers, infrastructure as code (IaC), and other modern technologies, Lunar recognized the need for a better approach to application security. According to Nissen, the company needed a way to be secure and agile at the same time, so that Lunar could be competitive as a bank without introducing security risks. 

Shifting security left — implementing security earlier in the software development lifecycle (SDLC) — has enabled Lunar to improve the security of its microservices without slowing development. Prioritizing security was fundamental to Lunar’s transition from a fintech startup to a licensed bank.

We shift security left, so we take things from the old waterfall model and do them earlier. Security is a thing that we constantly do, and get feedback on, and adapt and correct as necessary.

Transparent ownership over microservices

Since Lunar’s developers now take on more responsibility for the cloud infrastructure, the security team knew they needed to clarify who had ownership over each microservice. Using the Single Team Owned Service Architecture (STOSA), every microservice is managed by a development team, including its design, development, testing, security, deployment, monitoring, and more. 

In a STOSA organization, the team that owns that service is ultimately 100% responsible for all aspects of that service. At Lunar, we’ve been using this paradigm to build our infrastructure and platform because we’re empowering our development teams to take on this ownership.

Empowering developers through security tools

Lunar recognized that delivering secure software fast requires empowering its developers to handle application security within their existing workflows. That’s why Lunar ensures every developer is onboarded to security tooling that makes it easy to do the right thing by default.

Our developers are responsible for vulnerabilities within their services and the dependencies they use. We need to help them handle that responsibility, so we provide actionable advice, automation, and try to integrate with all the day-to-day monitoring tools.

For example, Lunar uses Snyk to automatically scan for known vulnerabilities in dependencies and container images. By integrating vulnerability scanning into the development process itself, Lunar gives its developers the information they need to take control of application security. The result is that every microservice gets an automated baseline of dependency and container checks by default, rather than relying on a separate security review to catch a vulnerable library or base image.
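The two ideas above, a single owning team per service (STOSA) and scan results turned into actionable advice for that team, come together naturally in a CI policy gate. The following is an added example written for this recap; it is not Lunar's or Snyk's code. It parses a document in the shape of `snyk test --json` output (the `vulnerabilities[]` fields `severity`, `packageName`, `version`, `isUpgradable`, `isPatchable` and `fixedIn`), but the sample document, the package names, the finding ids, the ownership map and the thresholds are all constructed for illustration and are assumptions, not real advisories or Lunar's configuration.

```python
"""Policy gate over `snyk test --json` output with per-team ownership.

Added example, not Lunar's or Snyk's code. The JSON below mirrors the main
fields of `snyk test --json`, but the document itself is constructed and the
package names and ids are placeholders, not real advisories.
"""
import json

# Severity order used for the threshold comparison (Snyk's four levels).
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed sample in the shape of `snyk test --json` output.
SAMPLE_SNYK_JSON = """
{
  "ok": false,
  "projectName": "payments-api",
  "vulnerabilities": [
    {"id": "EXAMPLE-0001", "title": "Prototype Pollution", "severity": "high",
     "packageName": "example-merge", "version": "1.2.0",
     "isUpgradable": true, "isPatchable": false, "fixedIn": ["1.2.4"]},
    {"id": "EXAMPLE-0002", "title": "ReDoS", "severity": "medium",
     "packageName": "example-glob", "version": "3.0.0",
     "isUpgradable": true, "isPatchable": false, "fixedIn": ["3.0.1"]},
    {"id": "EXAMPLE-0003", "title": "Denial of Service", "severity": "critical",
     "packageName": "example-http", "version": "2.6.0",
     "isUpgradable": false, "isPatchable": false, "fixedIn": []}
  ]
}
"""

# STOSA-style ownership map: exactly one team per service (constructed).
SERVICE_OWNERS = {"payments-api": "team-payments", "onboarding": "team-growth"}


def load_findings(snyk_json):
    """Parse a `snyk test --json` document. Returns (project name, findings),
    each finding tagged with the project it came from."""
    doc = json.loads(snyk_json)
    project = doc.get("projectName", "unknown")
    findings = [dict(v, project=project) for v in doc.get("vulnerabilities", [])]
    return project, findings


def blocks_build(vuln, threshold="high", fixable_only=True):
    """A finding blocks the build when it meets the severity threshold and,
    with fixable_only, when the owning team can act on it now (an upgrade or
    patch exists). Unfixable findings are still reported, just not blocking."""
    severe = SEVERITY_RANK.get(vuln.get("severity"), 0) >= SEVERITY_RANK[threshold]
    fixable = bool(vuln.get("isUpgradable") or vuln.get("isPatchable"))
    return severe and (fixable or not fixable_only)


def advice(vuln):
    """Turn a finding into the one-line instruction a developer can act on."""
    pkg = f"{vuln['packageName']}@{vuln['version']}"
    fixed = vuln.get("fixedIn") or []
    if vuln.get("isUpgradable") and fixed:
        return f"upgrade {pkg} to {fixed[0]}"
    if vuln.get("isPatchable"):
        return f"apply the Snyk patch for {vuln['id']} to {pkg}"
    return f"no fix yet for {pkg} ({vuln['id']}): track it or replace the package"


def evaluate(snyk_json, owners, threshold="high", fixable_only=True):
    """Gate one service's scan. Fails if the service has no owning team
    (STOSA: every service has exactly one) or if any finding blocks the
    build. Returns a dict a CI step can print and act on."""
    project, findings = load_findings(snyk_json)
    owner = owners.get(project)
    messages = []
    if owner is None:
        messages.append(f"{project}: no owning team in the ownership map")
    blocking = []
    for v in findings:
        who = owner or "unowned"
        messages.append(f"{who} / {project}: [{v['severity']}] {v['title']}: {advice(v)}")
        if blocks_build(v, threshold, fixable_only):
            blocking.append(v["id"])
    return {
        "project": project,
        "owner": owner,
        "passed": owner is not None and not blocking,
        "blocking": blocking,
        "messages": messages,
    }


if __name__ == "__main__":
    result = evaluate(SAMPLE_SNYK_JSON, SERVICE_OWNERS)
    print("\n".join(result["messages"]))
    raise SystemExit(0 if result["passed"] else 1)
```

In a pipeline this would read the real output of `snyk test --json` (or `snyk container test --json`) instead of the embedded sample. The `fixable_only` choice is deliberate: blocking a team on a critical finding it cannot fix today teaches people to bypass the gate, while still surfacing the finding keeps it on the owning team's list.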

In addition, Lunar uses the Snyk plugin for Backstage, a developer portal that provides visibility into cloud native software projects across the organization. Through Snyk, Backstage, and other tools, Lunar now has a clear audit trail of every change to source code or configuration. This is critical for meeting the security requirements of the financial services industry.

Speed and security together

Since adopting the shift left security approach, Lunar has integrated security into a fast-paced development lifecycle. In fact, the bank averages 25 production releases a day. The developers own their releases and ensure each new build follows the security standards. This streamlined approach has been instrumental in helping Lunar meet the compliance requirements of a licensed bank.

Make it easy to do the right thing and try to build in security wherever it’s possible. And when you shift left, provide actionable information to your developers so they can actually take on that responsibility and ownership.
