Application Security | Case Studies | DevSecOps

Snyk chats with Shutterstock about building a DevSecOps culture

Brian Piper, April 2, 2021

While it’s relatively easy to buy modern security tools, the culture of a company can have an enormous impact on the successful rollout of new security processes. In fact, one of the greatest hurdles for implementing a DevSecOps approach to application security is company-wide adoption.

During a recent webinar, Simon Maple, VP of Developer Relations & Community at Snyk spoke with Christian Bobadilla, Director of Product and Application Security at Shutterstock about building a DevSecOps culture. Here’s a quick recap of the conversation.

The changing application development landscape

Cloud native computing has dramatically changed the way companies build software, and in turn, the speed at which applications are built and deployed. Before cloud native application development, most development teams focused solely on the custom code they wrote and the open source libraries they were using. Developing modern software, however, puts more responsibility on developers than ever before.

“Developers used to focus on the code in their IDEs and the dependencies that their build systems pulled in,” Maple explained. “Everything else that was part of the platform—whether there was any virtualization, hardware, networks, servers, VMs—all of that would typically be handled by an IT or operations team. This is changing with cloud native applications.”

As organizations undergo digital transformation and modernize their applications, developers are adopting microservices architectures, containerization, Infrastructure as Code (IaC), and more. That means development teams have a critical role in the deployment of applications as well, which is driving the need for developer-centric security throughout the entire development pipeline.

Introducing a security program

Since Shutterstock didn’t have a security team in the past, there wasn’t much of a security culture or mindset at the company. Introducing new security tooling in this environment would be challenging because developers would resist taking on additional responsibilities without support from security professionals. That’s why Shutterstock chose to build out a team and program to encourage developers to take ownership over application security.

“It’s always hard at the beginning because developers think security is just going to block them,” Bobadilla said. “But I prefer to think of security as an enabler to help developers build better and more secure applications. I think reinforcing why we need application security is important for getting development teams on board with new security processes.”

Breaking down the developer to security barrier is difficult, but getting developers interested in AppSec is an essential initial step. That’s why Shutterstock created events and games to make security more fun. When security was first being introduced, these events got more people within the organization thinking about security and helped the security team build rapport with developers.

Choosing developer-friendly tooling

Scaling security is another major AppSec obstacle because many organizations have small security teams. For example, Shutterstock has a team of 13 security professionals, with just two focused on AppSec, but more than 400 developers distributed across numerous teams and projects. That’s why choosing the right developer-friendly tooling to implement new security processes is crucial for reducing friction.

The best tools for adoption are those that fit seamlessly into existing developer workflows and are easy to use. While Shutterstock was already using Snyk for security scanning prior to forming a dedicated AppSec team, developers were choosing to ignore hundreds of vulnerabilities. Shutterstock discovered that enabling developers without support and governance hindered application security in the long run.

“We can’t just give developers a list of vulnerabilities,” Maple said. “We need to empower developers to not just find issues, but have the insights, knowledge, and tooling to fix them. The security team also needs to provide guardrails and policies to support developers along the way.”

Scaling AppSec with small security teams

Detecting vulnerabilities isn’t enough to improve the security posture of most organizations. Small AppSec teams likely won’t have the resources necessary to fix every issue, so they’ll need additional involvement from development teams early in the software development lifecycle (SDLC) to maximize efficiency. That’s why security tooling needs to provide actionable feedback to help developers with remediation as well.

“With DevOps, we can now push things much faster into production,” explained Maple. “We need to make sure security is a part of that, and that we’re testing as early as possible all the way through to deployment. That’s why shifting left is a big part of DevSecOps.”

As you can see, adopting a DevSecOps approach to software development requires the right culture, tools, and processes. By choosing Snyk, Shutterstock had a developer-friendly tool that integrated closely with its development workflow, but the company still lacked security education and awareness. Once Shutterstock's security team introduced events to foster interest in security and implemented governance around security processes, the company was able to dramatically improve its AppSec posture. Implementing new security tools and processes is the easy part; building a DevSecOps mindset is what makes the difference.

Want to learn more about Shutterstock's DevSecOps transformation? Watch the full "How Shutterstock Implemented DevSecOps from the Ground Up" webinar on demand.
