The Challenge: Becoming a technology-first organization
Acuity has historically focused on offering subject matter experts (SMEs) to its customers, and continues to do so, but the company is shifting towards delivering value through technology. As part of this shift, Acuity is developing proprietary technologies and automated solutions, including its suite of Business Excellence and Automation Tools (BEAT). In becoming a technology-first company, however, Acuity recognized that it needed to prioritize application security to give its financial services customers greater confidence in its technology.
“Security - whether it’s for data, platform, or infrastructure - is essentially job zero for the firm,” stated Sameer Goyal, Head of Engineering at Acuity Knowledge Partners. “Since we work with the financial services firms, there are several compliance and audit requirements that we need to take into consideration.”
The Solution: Introducing Snyk into the SDLC
As a technology leader, Acuity relies on a global team to develop its internal digital productivity tools, customer-facing self-service digital apps, and other digital services and software solutions. In fact, BEAT, the company's research and development (R&D) department, is made up of over 200 developers, test automation engineers, user experience designers, product owners, and other key personnel. As Acuity formalized its technology program over the past few years, it recognized the need for an application security tool that could be integrated into the development pipeline across this large and growing R&D team.
“There are two ways of addressing security,” Goyal explained. “One approach is to build something and fix the problems later. The better option is to build security into the development process from the start. That’s why we chose to adopt Snyk.”
Snyk's focus on developer-first security not only prevented issues from reaching production, but also made it easier for developers to adopt the security tool. Acuity integrated Snyk into its build pipeline to scan for vulnerabilities automatically. This has eliminated manual effort and ensures that any build that succeeds has already met the security requirements for release.
“With Snyk, our deployment process from development to production has significantly shortened,” revealed Goyal. “We can deliver faster without having to worry about being off the mark for our security benchmark.”
Streamlined integration with Microsoft technology stack
Acuity’s technology stack is focused on the Microsoft ecosystem, so its developers primarily use the .NET framework and Visual Studio IDE to build applications. Snyk’s IDE plugin in the Visual Studio Marketplace and command line interface (CLI) made it straightforward for Acuity to integrate the scanning tool into its existing build process. Acuity can now use Snyk Open Source to detect and remediate vulnerabilities in third-party .NET packages.
“We’re primarily a Microsoft shop, so developers used Visual Studio to write code on a daily basis,” explained Goyal. “One of the main reasons we decided to go with Snyk was because the Visual Studio integration was available out-of-the-box. The security also fits in nicely with the other technologies in our ecosystem.”
Acuity also uses Snyk Infrastructure as Code to secure its infrastructure configurations. The company’s development and production environments run on hundreds of servers managed by Terraform on Amazon Web Services (AWS). Snyk can scan for vulnerabilities in Terraform files to ensure Acuity's environments are secure across all of these servers as well.
The Impact: Proactively Improving Security & Compliance
With the implementation of Snyk, Acuity is now able to stay on top of the security and compliance requirements expected by its financial services customers. The security tool has enabled developers to proactively improve the security posture of their applications without slowing down delivery. As Acuity shifts towards more containerized deployments, the company hopes to leverage Snyk Container to further secure its software as well.
“The speed at which Snyk updates its vulnerability database is a clear differentiator,” Goyal said. “I’ve seen other databases take weeks or even months to include newly identified vulnerabilities, but Snyk helps us stay current with security issues automatically.”