Skyscanner fixed projects and gained visibility into their open source vulnerability exposure.

Ellen Van Keulen's avatar Ellen Van Keulen

Skyscanner logo

“Snyk is one of the most important security tools we use at Skyscanner. You’ll realise how important it is when you actually get it integrated.”

Alex Harriss, Security Engineer Skyscanner

Key Achievements

  • The Skyscanner legal team is now able to monitor their license compliance.
  • The Skyscanner security engineering team were able to empower the development team to take responsibility for the security of their open source dependencies.
  • The Skyscanner development team are able to prioritise fixing vulnerabilities using Snyk’s “merge request to fix”, reducing their security exposure.
  • Skyscanner was able to fix issues that affected multiple projects within days of setting up Snyk.

Challenges

Many teams will recognise the situation Skyscanner were in: delivering a high traffic website and app, developing rapidly and at scale , and all the while needing to maintain a secure platform.

Integrating Snyk allowed Skyscanner consolidated visibility into which dependencies their projects were directly or transitively using. The security team wanted to ensure that tracking down areas of exposure was as efficient as possible, as previously they had no centralised inventory to query which projects used which dependencies. Not having visibility and understanding of their current state meant that the Skyscanner development teams were not able to focus their efforts as much as they’d have liked to on effectively reducing their exposure to open source vulnerabilities.

Skyscanner’s legal team also had a significant challenge trying to track which licences were being used by the dependencies in Skyscanner’s projects. It is important to Skyscanner, as to most companies, to have a granular understanding of the licences in use across its products. This not only provides comfort that dependencies are properly licensed, but also gives greater scope to utilise software under less ‘permissive’ licenses where they are compatible with the use case, rather than operating on the basis of an overly restrictive blanket policy.

How Snyk Helped

Skyscanner went out to the market to find a tool that would fit into their development environment and methodologies. After assessing alternatives, Skyscanner decided that only Snyk matched their approach of empowering developers.

“We liked the fact that there is a multiple, layered approach. Snyk works well with how we do security here at Skyscanner. Instead of the security team being the gatekeepers and reviewing every line of code and sign off everything, we can empower our developers. We can place Snyk in the GitLab source code management so it’s scanning at commit time, and in the CI, so it’s catching things at build time. We can give our developers access to the Snyk portal but only if they want to. This layered approach allows engineering teams to make use of Snyk according to their needs and we [the security team] would know that we are able to catch vulnerabilities at some point along the way.”

Alex Harriss, Security Engineer Skyscanner

Snyk Open a fix merge request image

“If you are thinking ‘what’s our highest priority tool to adopt’, a dependency vulnerability scanner has to be high up on the list. Once you start using it you’ll see the full extent of your exposure and realize that you’ve got to do something about it.”

Alex Harriss, Security Engineer Skyscanner

The Snyk vulnerability database shows exactly which versions of a dependency are vulnerable and how you can remediate it. By using the Snyk remediation tools, such as the integration with GitLab and opening a merge request, Skyscanner’s developers were able to start fixing vulnerabilities in their code base by applying upgrades or Snyk patches.

The Results

Skyscanner today monitors nearly 500 separate projects with Snyk, and is able to understand the state of their security as well as address both their vulnerability and licensing issues.

Very early on in the rollout, Skyscanner was alerted to was a high severity vulnerability in QS which was used in one of their base project template. Their base project templates contain multiple libraries and are the basis of many projects. Skyscanner were able to use a Snyk patch and fix the vulnerability across all the projects. The effect was significant; hundreds of projects that used that base template were then protected, considerably reducing their security exposure.

3 reasons why Skyscanner swears by Snyk

“We’re two clicks from merging a fix for a vulnerability in Gitlab to being secure in production”

“Our developers love the integration with their existing tools”

“It easily integrates into multiple stages of the SDLC, so we know we are protected”

About Skyscanner

Founded in 2003, Skyscanner is a leading global travel search site, a place where people are inspired to plan and book direct from millions of travel options at the best prices. 70 million people use the travel search engine every month. Skyscanner employs over 900 staff, with offices in Barcelona, Beijing, Budapest, Edinburgh, Glasgow, London, Miami, Shenzhen, Singapore and Sofia. Skyscanner is part of the Ctrip group.

JVM Ecosystem Survey 2018

May 08, 2018

We’re excited to launch the a brand new survey called the JVM Ecosystem Survey 2018 in partnership with the Java Magazine. Also, if we reach 2,500 responses, we'll give $2000 to Devoxx4Kids!

Local Type Inference Cheat Sheet for Java 10 and beyond!

April 26, 2018

One of the main features in Java 10 in Local Type Inference, which allows us to substitute a type with the var reserved word in our source code. However, in order for this to become a feature that is useful to a developer rather than a feature developers will rue for many years to come, we need to learn how to use it and when to use it properly. This cheat sheet and blog is a reduced version of an blog post that Stuart Marks wrote on the OpenJDK site.

Subscribe to The Secure Developer Podcast

A podcast about security for developers, covering tools and best practices.

Find out more

Interested in web security?

Subscribe to our newsletter:

Get realtime updates and fixes for JavaScript, Ruby and Java vulnerabilities that affect your applications