WillowTree roundtable: security for hypergrowth organizations

Modern software companies often provide many things at once. Their reach extends beyond a single product or service — and their security tools must match this pace. Our own Steve Kinman (Field CISO, Snyk) and Adrian Guevara (Head of Cybersecurity, WillowTree) recently held a roundtable discussion on the challenges hypergrowth organizations face with implementing code security in a rapidly moving space.

WillowTree is a digital agency that makes applications for a variety of high profile Fortune 500 companies. As an agency, “WillowTree deals with many languages,” according to Guevara. “One of the challenges we’ll talk about here is that it’s not one language, one platform, one product. We’re making products for companies and then handing these products off to them.” With many high risk projects being developed simultaneously, Guevara prioritizes balancing innovation with security consciousness within the organization.

During the roundtable, Guevara described his experience cultivating security best practices selecting a tooling set that fit WillowTree’s unique needs.

Shift toward security

When Guevara, who previously worked in auditing and compliance, stepped into his current role, “the clients didn’t really care” about the internal security measures WillowTree took. He went on to share that this has drastically shifted in recent years. “Now they want all the dependencies listed, they want to make sure you aren’t using GPL licenses, that you don’t have high profile vulnerabilities in the containers, libraries, and languages that you use.”

This interest in code security mirrored Guevara’s internal efforts over his six year tenure. When he joined, security mainly consisted of static scanning and — because it existed outside development processes — racked up high costs. As expanding security teams directly became difficult, the most efficient and effective way to improve security was by integrating it into development processes. Adopting a modern, agile development workflow was key for WillowTree. As Guevara explained, “we’ve made security the path of least resistance, so that’s the path they go automatically without us having to do much intervention.”

The adoption of developer-centric security started with WillowTree’s senior developers. By asking them to trial security tools and participate in the selection process, Guevara gave them a voice and a place to talk about their needs. He saw “winning over the senior group as the first step” toward a successful security culture.

“The senior developers’ opinions mattered more than mine, because if they don't like the tool they aren't going to use it.”

Adrian Guevara

The transformation from ''security wants us to do this” to “Adrian wants us to do this” was vital to bridging the gap between security and development teams as he shared. For security teams, humanizing yourself and describing the importance of your requests “changes the whole dynamic between you and the developer.” At the end of the day, developers and security professionals are all part of the same team. Communication and collaboration are a necessity for successful production, and that often starts with a team’s chosen tools.

Selecting a security platform

When Guevara began assessing developer security tools, he had three main problems to solve. WillowTree’s current security processes were too noisy, too slow, and unsustainable, since they existed outside the development workflow. Developers had to remember to check the security scans, which took a while to complete and produced an abundance of false positives, and then integrate the vulnerability reports into their workflow as needed — a step that was often forgotten in the hustle of development. This forced the security team to step in and mitigate the vulnerabilities themselves before passing the fixes back to developers to integrate into their sprint planning. With all of these steps happening each time, things quickly became unsustainable.

Snyk stood out during the trial period because our workflow mimicked the agile development workflow that Guevara was working to implement. Developers enjoy using good technology, and “because we had that, we got Snyk into the IDEs, we got Snyk into PR, we got Snyk into CI, and it just made things much more pleasant. I didn’t even have to train folks how to do it.  Snyk gave a better reason or direction on how to fix something and why that problem was there” said Guevara. For the WillowTree team, cultivating security knowledge and an understanding of why certain fixes were applied was vital to creating an engaged developer security culture. When comparing tools, Guevara “had about 20% engagement in their previous tool. I’ve seen that number jump to 90% engagement with Snyk”. Snyk’s intuitive, easy-to-use interface helped the team produce secure code more efficiently, citing a 58% faster mean time to fix. “On average, our time to resolve vulnerabilities was 60 days, now we’re down to 25.” stated Guevara. 

While the quantifiable improvements Snyk offered were impressive, they weren’t the deciding factor. For Guevara, “the reason I chose Snyk was the partnership.  The false positives and noise level went down and we already like the workflow, but am I going to have a good partner?” Many tools can scan for vulnerabilities and provide reports, but WillowTree’s growing security program needed a developer-centric partner that was willing to work with them moving forward. “The partnership was what really sold me. At the time Snyk didn't have all the language support, but through that partnership I raised commitments to get the languages we needed in and so far that has worked out.” said Guevara.

Security and innovation in balance

WillowTree has continued to grow rapidly over recent years. A series of expansions and acquisitions has raised their personnel force to 1,000 developers spanning 3 companies. Each of these companies have their own requirements and processes, and, as an agency, WillowTree often uses client tools and ticketing systems as well. Amid it all shared Guevara, “Snyk is the common thread binding all those projects together.” For Guevara and his team, Snyk serves as the foundation for cross-functional collaboration and has helped WillowTree develop and maintain practices to provide security in the fast-moving world of hypergrowth organizations.

Whether you’re an agency needing to meet a variety of client security standards, or an organization looking to increase code security in your internal teams, Snyk can help. Start your free trial today, or book a demo to see how Snyk can help you develop fast and stay secure.