Marcin Hoppe is the senior manager of product security at Auth0. He leads the security team in closely collaborating with engineering to ensure secure code is deployed throughout the organization. As he describes it, the core of his mission is to help engineers at Auth0 build a more secure product.
To achieve this goal, rather than expecting engineers to become security experts, Hoppe and his team offer guidance and easy-to-use tools—including Snyk—to empower their developer counterparts to shift left; in other words, to bring security into the software development lifecycle early, often, and in an automated fashion.
Managing Dependencies and Mitigating Vulnerabilities
With a technology stack built on Node.js, which inherently pulls in many open source libraries and transitive dependencies, Hoppe’s team makes heavy use of open source code and knows that vulnerable dependencies can be both common and hard to manage. They are focused on achieving visibility into the quality and security of the open source components they use, so that any risks that arise can be seen and addressed quickly.
As Hoppe says, “My number one concern is discovering vulnerabilities faster than adversaries or malicious actors, while maintaining enough visibility into our open source supply chain to understand what we are pulling in. This way, we can react to risks appropriately and in a timely manner.” That’s exactly where Snyk comes in.
Why Auth0 Chose Snyk
Auth0’s security team realized early on that they needed a solution that would enable their developers to manage security in an automated and easy way. They chose Snyk because it was the most “complete and comprehensive” in helping them manage open source dependencies and mitigate risks, offering tools to help developers automatically find and fix vulnerabilities in open source code.
“The Auth0 team uses Snyk to make sure we are running on a secure foundation, no matter what.”
Identifying and Analyzing Vulnerabilities in Code
Auth0 needs visibility into vulnerabilities coming from all sources. Snyk helps them identify and analyze open source vulnerabilities and prioritize resolution. Previously, Hoppe’s team was using technical severity as the primary metric when deciding which vulnerabilities to resolve first. However, they realized over time there were better ways to prioritize.
For example, the team now analyzes whether a component processes customer data and whether the vulnerability has been identified by an outside, third-party source. Both serve as indicators that a vulnerability deserves higher priority. On the other hand, if a particular component is difficult for a potential attacker to reach, it may be deprioritized.
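The triage rule described above, as a small worked example added here (not Auth0’s or Snyk’s code): severity sets the baseline, customer-data handling and external disclosure raise it, and a component that is hard for an attacker to reach lowers it. The field names, weights and the four sample findings are constructed assumptions.

```javascript
// Constructed example of prioritizing open source findings the way the
// text describes, rather than by technical severity alone.
const SEVERITY_WEIGHT = { critical: 4, high: 3, medium: 2, low: 1 };

// Score one finding: severity baseline, plus bumps for customer data and
// outside disclosure, minus a step when the component is internal-only.
function priorityScore(finding) {
  let score = SEVERITY_WEIGHT[finding.severity] ?? 0;
  if (finding.handlesCustomerData) score += 2;
  if (finding.externallyReported) score += 2;
  if (finding.exposure === 'internal') score -= 1;
  return Math.max(score, 0);
}

// Order findings by the combined score, ties broken by id for stable output.
function prioritize(findings) {
  return findings
    .map((f) => ({ ...f, score: priorityScore(f) }))
    .sort((a, b) => b.score - a.score || a.id.localeCompare(b.id));
}

// The earlier approach from the text, kept for comparison: severity only.
function bySeverityOnly(findings) {
  return [...findings].sort(
    (a, b) => SEVERITY_WEIGHT[b.severity] - SEVERITY_WEIGHT[a.severity] ||
      a.id.localeCompare(b.id),
  );
}

// Constructed sample findings (package names and ids are placeholders).
const SAMPLE_FINDINGS = [
  { id: 'F-1', pkg: 'example-parser',   severity: 'high',     handlesCustomerData: true,  externallyReported: false, exposure: 'internet' },
  { id: 'F-2', pkg: 'example-logger',   severity: 'critical', handlesCustomerData: false, externallyReported: false, exposure: 'internal' },
  { id: 'F-3', pkg: 'example-template', severity: 'medium',   handlesCustomerData: true,  externallyReported: true,  exposure: 'internet' },
  { id: 'F-4', pkg: 'example-cli-util', severity: 'low',      handlesCustomerData: false, externallyReported: false, exposure: 'internal' },
];

// Helper returning just the ordered ids, so the two rankings are easy to compare.
function rankedIds(orderFn, findings = SAMPLE_FINDINGS) {
  return orderFn(findings).map((f) => f.id);
}

console.log('severity only :', rankedIds(bySeverityOnly).join(' > '));
console.log('page criteria :', rankedIds(prioritize).join(' > '));
```

Note that the externally reported, customer-data-handling medium (F-3) now outranks the internal-only critical (F-2), which is the shift in priority the text describes.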
As mentioned earlier, Hoppe’s goal is always to discover vulnerabilities faster than outsiders, whether that is a customer or an attacker. Yet he does not want to slow down his development teams or forbid them from using open source components. Snyk helps the team balance these goals by identifying and managing vulnerabilities in all open source dependencies.
Snyk continuously tests for newly disclosed vulnerabilities, and dependencies are tested against Snyk’s comprehensive vulnerability database to provide clear and immediate information on the severity and prevalence of a particular vulnerability. This way, the development team can find and remediate vulnerabilities quickly without requiring frequent hands-on expertise from the security team.
Scaling Security by Integrating with Development Environments
One specific challenge that Hoppe’s team ran into was that, due to the nature of Node.js, command line security tools can be challenging to use. The security team stepped in and simplified the security process for developers by integrating Snyk into their development environment.
Specifically, Auth0 was running Docker containers, so the security team introduced a security container featuring Snyk right into the development environment. Now, every engineer can run Snyk and get the security information they need themselves, without having to deal with a challenging user experience around command line tools. In this way, the team has been able to scale security without having to dramatically increase the size of their security workforce, which can be a real challenge given the talent shortage.
Building Security Processes & Measuring Progress
An important responsibility of Hoppe’s team is to build security processes and offer tools (like the security container described above) that make it easier for developers to do their jobs. Whenever they see an opportunity to automate an aspect of security or make tools easier to use, they seize it.
Additionally, Hoppe’s team is tasked with measuring progress for teams at Auth0 who are working to improve their security posture over time. Right now, his team tracks the number of vulnerabilities resolved each month. They also track how quickly these vulnerabilities are resolved and how many have breached SLA.
Balancing Security and Business Requirements
Just about every organization out there must work to balance security requirements with business goals and needs. Hoppe and his team work closely with business stakeholders to prioritize security problems against business requirements and to balance the need to remain secure with the need to grow and be competitive in the market.
For engineers, it can be extremely hard to make decisions that involve security vs. business trade-offs, so Hoppe’s team serves an important role in liaising between these two parts of the organization. With tools like Snyk at his disposal, Hoppe can demonstrate to business stakeholders that his team is intelligently prioritizing security fixes and improving their security posture over time, while also keeping an eye on the bottom line.
Running on a Secure Foundation
Auth0 is a company with security at its heart, so it makes sense that they have embraced the importance of maintaining visibility into their security posture and a focus on continuous improvement. Backed by their partnership with Snyk, Auth0 has successfully balanced business needs with security requirements and continues to level up their posture as they embrace new, modern approaches to security throughout the entire organization.