- Product innovation and vision: Asurion sought a partner that could adapt quickly to their product needs
- Developers' choice: Snyk was chosen by Asurion developers for its ease of use
- Dev-first license compliance: legal policy was implemented easily
- Fix automation: issues are resolved quickly, accelerating security
“Our development teams love using Snyk, because it fits so naturally into the DevOps culture and processes. Snyk is DevOps-friendly and has spread from the bottom up throughout our organization.”
“We started using Snyk long before our contract expired on the previous tool. There were no questions. We had to switch over.”
The challenge: Finding an adaptable security partner that can keep up with innovation
Like many of today’s technology companies, approximately 80% of Asurion’s code is open source. The team has invested in a variety of security tools to support their goals, including static code analysis tools for custom code developed in house. They had also previously invested in an open source security tool, but found that tool to be inadequate, as it failed to keep pace with both technological advancements and the requirements of the product security team.
The team knew they needed a new open source-specific security tool – one that seamlessly integrated into the software development lifecycle and one that developers could use on their own, without heavy involvement from the security team.
Given the high-growth nature of Asurion’s business, it was critical that they have an open source security tool that could keep up with their fast-paced environment. They needed something that was as adaptable, innovative and nimble as their business, yet designed to operate within the complex, microservices-based architecture they created to keep their data secure. Following a thorough evaluation process that was largely driven by the security mavens working within the product development organization, Asurion selected Snyk.
The solution: Snyk was chosen for its fix automation and developer-first approach
Asurion chose Snyk as a partner because it’s a cutting-edge tool with the speed and scaling capabilities Asurion needed to support an open source code environment, while mitigating overall security risks. Snyk continually adds new dev-first features and tools, and constantly expands its industry-leading database of open source vulnerabilities.
Fix automation accelerated the remediation process
Additionally, the security mavens at Asurion chose Snyk for its automation capabilities, which enable the team to identify vulnerabilities, and in many cases resolve them with the click of a button.
Full DevSecOps with integration interfaces across the SDLC
Since their onboarding with Snyk, Asurion’s Security team has integrated the tool into their CI/CD pipelines, where it’s easier for developers to use the tool because it can run offline, a key factor in driving efficiency and speed of development. Snyk has also helped Asurion go the extra mile by protecting the full application lifecycle from code development to deployed applications, making DevSecOps a reality at Asurion, and acting as a true partner to Asurion’s teams.
“Snyk clearly understands today’s secure development culture and looks ahead to where we will be tomorrow. They are a valuable partner to empower us to deliver on our application security strategy.”
“It’s the only security product I’ve ever had, and I’ve been working in security for quite a while, that my development teams have actually said they love.”
New open source vulnerabilities are discovered and published all the time, and it’s important to have line of sight to these issues early on. With the support of Snyk, Asurion is able to secure open source components at scale, by identifying both existing and new vulnerabilities on a continual basis, giving developers the information they need to address and prevent issues seamlessly within existing processes.
Developer-first approach for implementing license compliance policy
Additionally, with Snyk, Asurion can now create a bespoke license policy for their organization, setting the severity level of specific licenses and setting notification alerts based on specific criteria. In doing so, developers can verify that licenses are compliant and can take direct responsibility for license management, minimizing the time and resources needed from the legal team.
Security Mavens: implementing security across development teams
Security is an integral part of Asurion’s business culture. To enable this, Asurion’s Product Security team created a Security Mavens program – nominating champions of security within their development teams. Mavens are provided with extensive security training and work to uphold application security within the product development lifecycle. Asurion’s Senior Director of Product Security, Mark Geeslin, has been at the forefront of this effort and its success, alongside his involvement in the broader, global security community.