The Challenge: Introducing Risk Management Into Development
Asurion is an insurer of consumer electronics that enables its customers to protect, repair, and replace their devices like smartphones, tablets, appliances, and more. The company has a team of over 10,000 experts that help 300 million customers solve technical issues around the world. Delivering a great customer experience at this scale requires a fast-paced and agile development environment.
While Asurion's entire business model was built around risk management, they still needed to introduce risk mitigation into their development processes. The company has been scaling fast using a wide range of tools and technologies, but its business leaders had growing concern for the lack of ownership over technical debt and security throughout the organization.
“Product teams at Asurion have been afforded relatively free rein to choose their application stacks and supporting infrastructure,” revealed Jeremy Young, Principal Security Engineer at Asurion. “While this free reign leads to happy and fast-moving engineers, this freedom can also create a number of management and operational headaches.”
The Solution: Building a Developer-First Toolkit
In the past, security struggled to keep up with product development at Asurion, which led to a lack of visibility and a reactive approach to risk management. That’s why Asurion built a toolkit that easily connects off-the-shelf software with the various continuous integration (CI) engines used by different development teams.
“We've always lacked complete visibility into our products and have compiled a litany of third-party software to fill in the gaps,” Young explained. “However, these third-party software solutions have failed to integrate with our tooling, which created distrust between security and product teams. We needed a developer-focused security tool like Snyk.”
Asurion’s product security toolkit, built with Python, is a containerized set of scanning processes powered by Snyk that developers can plug into any project that runs containers. Now developers can get started with security scanning by simply running the toolkit container and immediately begin collecting critical data and insights related to product security.
“Our toolkit generates a lot of data from the code we scan with Snyk,” Young added. “That data has some immediate use cases—especially around tracking the retention of teams using our toolkit. These insights spawn conversations between security and our teammates to identify opportunities for continued growth.”
Choosing Snyk Security Scanning
Using a developer-first approach for adopting new tools and technologies has been instrumental in Asurion’s rapid growth. That’s why the company selected Snyk, which has a reputation for being developer-friendly and straightforward to implement. Snyk easily integrates throughout Asurion’s CI/CD pipeline with tools like Artifactory, Jenkins, Kubernetes, AWS, and more.
“Developer-first tooling—like that provided by Snyk—that is driven by well-documented APIs, has made building our toolkit much simpler,” Young explained. “This provides visibility into software composition analysis, container image and vulnerability scanning, security-focused regression testing, secret scanning, static analysis, and even infrastructure-as-code scanning, all in a single place.”
The Impact: DevSecOps As a Partnership
With its new toolkit, Asurion now has complete visibility into product security. Snyk makes critical security insights available early in the development process so that engineers can remediate the issues before code reaches production. Moreover, the product security team can enforce policies and best practices like requiring datastore encryption in the cloud or disallowing high-severity issues in public-facing products from reaching production. This is a true DevSecOps approach to product security.
“Instead of statements like ‘Look what the developers have done now’, we say things like ‘How can we help?’,” Young said. “Having empathy and being a good partner is much more productive and builds long-lasting relationships that help us get real work done. At Asurion, that’s our product security approach, and Snyk helps us make it a reality.”
While Asurion doesn’t require its developers to use the toolkit, support has grown because of the value it provides. Through lunch-and-learn sessions and private demonstrations, Asurion has been able to organically build a community of users for its toolkit amongst its development teams. This partnership between the product security team and “security mavens” on development teams, has made security a key part of Asurion’s culture.
“Mentorship builds relationships and camaraderie, which is key to our ongoing success,” concluded Young. “That means security is no longer perceived as a roadblock, but instead, as an enabler. Moreover, partners like Snyk have really jump-started our efforts to reach our security goals. Snyk has been a key tool in our toolkit for getting adoption from all development teams.”