Skip to main content
Customers

Atlassian

How Atlassian delivers Snyk vulnerability insights to thousands of developers

Customer Spotlight

Will Ratner

Senior Product Security Engineer

Sharada Moorthy

Senior Product Security Engineer

Chris Walz

Senior Security Engineer

Matthew Bass

Product Security Engineer

Industry: Tech
Location: Australia

Highlights:

Surfacing Snyk scanning results to 3,500+ developers

Running 5.5 million SCA tests using Snyk Open Source

Scanning 100% of containers deployed across the organization with Snyk Container

65% reduction in high severity container vulnerabilities within a few months

Fewer false positives reported than other scanning solutions

Ensuring compliance with SOC 2 and other regulatory requirements

The Challenge: Scaling security scanning across the organization

As Atlassian has grown to over 200,000 customers and 2.6M+ community members, application security has become even more critical for reducing the company’s risk exposure. As Atlassian scales, they want to ensure that their tools are safe and compliant with industry regulations, so they partnered with Snyk due to their proven ability to empower developers to both own and build security into the entire application.

We were using our previous tool as a stopgap for container scanning on our Trello product, but we needed a product that could scale,” explained Will Ratner, Senior Product Security Engineer at Atlassian. “That meant we wanted a product where we didn’t have to manage our own infrastructure and that offered developer-friendly data for easier vulnerability remediation.”

The Solution: Rolling out Snyk to thousands of developers

After evaluating multiple options, Atlassian chose Snyk Container because the company could scale container scanning across its products and development teams without managing its own infrastructure. Since 99% of the services at Atlassian are deployed on containers, Snyk can help ensure the security of all software across the entire enterprise.

“We mainly started evaluating Snyk to find a good substitute for our existing container scanning tool,” explained Sharada Moorthy, Senior Product Security Engineer at Atlassian. “We wanted to switch over to a platform that could scale to our other products.”

In addition, Snyk Open Source enables Atlassian to scan its open source dependencies for vulnerabilities. Since Atlassian wanted to scan the individual repositories in each build environment, Snyk was able to roll out a new bulk scanning feature to accommodate the request. This new feature has become an integral part of Atlassian’s dependency scanning workflow.

“One of the main benefits of Snyk is that it’s easier for developers to integrate into their pipelines as well,” stated Matthew Bass, Product Security Engineer at Atlassian. “In the case that our centralized scans aren’t enough, we can give developers actual steps to integrate SCA scanning themselves.”

Snyk delivers usability & actionable insights

The usability and efficiency of Snyk were also key reasons Atlassian chose the solution. Instead of integrating Snyk into every development team’s CI/CD pipeline, the company automatically scans containers and dependencies during deployment events and surfaces the insights to thousands of developers through remediation ticket requests.

Once a project is scanned, Atlassian’s security team creates tickets for any vulnerabilities that developers need to remediate. The metadata that Snyk provides – such as severity, priority score, and more – helps the company efficiently remediate the most critical vulnerabilities first and avoid wasting developers’ time with low-risk vulnerabilities that may not even have a fix available.

“Besides usability, the quality of the findings we’re seeing is a major benefit,” explained Chris Walz, Senior Security Engineer at Atlassian. “Compared to other scanning solutions, Snyk reports fewer false positives or issues that aren’t actually vulnerabilities.”

The Impact: Dramatically decreasing open vulnerabilities

In the past, Atlassian only had a very small coverage of container scanning for one product, but the company has since reached 100% coverage across the entire organization. More importantly, Atlassian has decreased its high and critical severity open container vulnerabilities by 65% and 39% respectively in just a few months.

“We’re now accounting for all containers that have been deployed to make sure they’ve all been scanned and that tickets are created to fix any vulnerabilities,” explained Ratner. “We track these metrics at a leadership level to make sure our container and SCA scanning capabilities are effective.”

As of today, Atlassian has run 5.5 million dependency scans and scanned 3.7 million containers using Snyk. With the successful rollout of container vulnerability remediation and the large reduction in vulnerabilities in just a few months, Atlassian plans to start creating fix tickets for the Snyk Open Source findings next.

“It’s been great to see Snyk start adding additional features and improving documentation to help us out,” Ratner concluded. “The implementation process has been strong and we’re getting good results and developer feedback for Snyk compared to other scanning tools.”

About Atlassian

Atlassian is a leading provider of team collaboration and productivity software including Jira Software, Confluence, Trello, and Bitbucket.