Skyscanner fixed projects and gained visibility into their open source vulnerability exposure.

Skyscanner fixed projects and gained visibility into their open source vulnerability exposure.

Ellen van Keulen
| By Ellen Van Keulen

 

“Snyk is one of the most important security tools we use at Skyscanner. You’ll realise how important it is when you actually get it integrated.”

Alex Harriss, Security Engineer Skyscanner

Key Achievements

  • The Skyscanner legal team is now able to monitor their license compliance.
  • The Skyscanner security engineering team were able to empower the development team to take responsibility for the security of their open source dependencies.
  • The Skyscanner development team are able to prioritise fixing vulnerabilities using Snyk’s “merge request to fix”, reducing their security exposure.
  • Skyscanner was able to fix issues that affected multiple projects within days of setting up Snyk.

Challenges

Many teams will recognise the situation Skyscanner were in: delivering a high traffic website and app, developing rapidly and at scale , and all the while needing to maintain a secure platform.

Integrating Snyk allowed Skyscanner consolidated visibility into which dependencies their projects were directly or transitively using. The security team wanted to ensure that tracking down areas of exposure was as efficient as possible, as previously they had no centralised inventory to query which projects used which dependencies. Not having visibility and understanding of their current state meant that the Skyscanner development teams were not able to focus their efforts as much as they’d have liked to on effectively reducing their exposure to open source vulnerabilities.

Skyscanner’s legal team also had a significant challenge trying to track which licences were being used by the dependencies in Skyscanner’s projects. It is important to Skyscanner, as to most companies, to have a granular understanding of the licences in use across its products. This not only provides comfort that dependencies are properly licensed, but also gives greater scope to utilise software under less ‘permissive’ licenses where they are compatible with the use case, rather than operating on the basis of an overly restrictive blanket policy.

How Snyk Helped

Skyscanner went out to the market to find a tool that would fit into their development environment and methodologies. After assessing alternatives, Skyscanner decided that only Snyk matched their approach of empowering developers.

“We liked the fact that there is a multiple, layered approach. Snyk works well with how we do security here at Skyscanner. Instead of the security team being the gatekeepers and reviewing every line of code and sign off everything, we can empower our developers. We can place Snyk in the GitLab source code management so it’s scanning at commit time, and in the CI, so it’s catching things at build time. We can give our developers access to the Snyk portal but only if they want to. This layered approach allows engineering teams to make use of Snyk according to their needs and we [the security team] would know that we are able to catch vulnerabilities at some point along the way.”

Alex Harriss, Security Engineer Skyscanner

Snyk Open a fix merge request image

“If you are thinking ‘what’s our highest priority tool to adopt’, a dependency vulnerability scanner has to be high up on the list. Once you start using it you’ll see the full extent of your exposure and realize that you’ve got to do something about it.”

Alex Harriss, Security Engineer Skyscanner

The Snyk vulnerability database shows exactly which versions of a dependency are vulnerable and how you can remediate it. By using the Snyk remediation tools, such as the integration with GitLab and opening a merge request, Skyscanner’s developers were able to start fixing vulnerabilities in their code base by applying upgrades or Snyk patches.

The Results

Skyscanner today monitors nearly 500 separate projects with Snyk, and is able to understand the state of their security as well as address both their vulnerability and licensing issues.

Very early on in the rollout, Skyscanner was alerted to was a high severity vulnerability in QS which was used in one of their base project template. Their base project templates contain multiple libraries and are the basis of many projects. Skyscanner were able to use a Snyk patch and fix the vulnerability across all the projects. The effect was significant; hundreds of projects that used that base template were then protected, considerably reducing their security exposure.

3 reasons why Skyscanner swears by Snyk

“We’re two clicks from merging a fix for a vulnerability in Gitlab to being secure in production”

“Our developers love the integration with their existing tools”

“It easily integrates into multiple stages of the SDLC, so we know we are protected”

About Skyscanner

Founded in 2003, Skyscanner is a leading global travel search site, a place where people are inspired to plan and book direct from millions of travel options at the best prices. 70 million people use the travel search engine every month. Skyscanner employs over 900 staff, with offices in Barcelona, Beijing, Budapest, Edinburgh, Glasgow, London, Miami, Shenzhen, Singapore and Sofia. Skyscanner is part of the Ctrip group.