The Challenge: Automating vulnerability scanning of a massive code base
As a large technology company serving 400 million users, Citrix maintains 20 software products built from millions of lines of code in many languages. At that scale, application security is vital to keeping risk exposure down. While taking inventory of potential vulnerabilities across this extensive software portfolio, Citrix’s product security team realized it needed more automation to help secure its code. It decided to partner with Snyk because Snyk could scan code for vulnerabilities automatically across different programming languages.
“Our developers use virtually every language except COBOL and we use both cloud services and on-prem systems,” explained Rob Hather, Security Product Manager at Citrix. Valentin Potier, Security Engineer at Citrix, further elaborated: “Snyk tested well in our diverse environment and ticked off more boxes than the other tools we were testing.”
The Solution: Rolling out Snyk to thousands of developers
After evaluating multiple options, Citrix chose to implement the Snyk platform because it provided the most comprehensive coverage of the programming languages used by its 2,000 software engineers.
The main payoff of using Snyk Open Source is that it has helped Citrix secure its open source dependencies without disrupting developers’ day-to-day work. The Citrix security team also credits Snyk’s developer-friendly user experience as setting it apart from other solutions.
While Citrix primarily uses Snyk Open Source for vulnerability scanning, it has also run hundreds of thousands of tests over the past three months using Snyk Container to help secure its container images and Snyk Infrastructure as Code to secure its infrastructure configurations.
“For some tools you have to be a master of the tool to use it,” explained Potier. “But with the Snyk tool, whether you’re a developer or a manager, you can navigate the UI, understand the dashboards and make sense of the data.”
Another reason Citrix chose to deploy Snyk is that, for the first time, the security team could quantify the vulnerabilities across its massive code base. This gave the organization measurable visibility and reporting, which allowed it to prioritize remediation effectively and reduce the overall risk profile of its software products.
“It’s hard to have good visibility into millions of lines of code,” said Hather. “We knew we had potential vulnerabilities, but couldn’t quantify it. Snyk gave us the capability to see the numbers for the first time. At that point we knew it was a slam dunk. We needed to use Snyk.”
Snyk scans catch vulnerabilities in the development pipeline
Citrix implemented Snyk in stages, at first scanning code in its SIEM integrations. The company then integrated vulnerability scanning throughout its development pipeline and during pull requests (PRs), eventually running Snyk on every piece of code pushed into production. Pipeline scanning, in particular, has become an integral part of Citrix’s dependency scanning workflow.
“Snyk scans have been huge for us in the CI/CD pipeline,” stated Hather. “You want scans done as soon as possible in the pipeline because with cloud offerings we’re doing releases every day. Without scanning, you run the risk of accidentally introducing issues that can be pushed to your live environment.”
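The PR gate described above can be implemented as a small script that consumes the JSON report from a dependency scan and fails the build when findings reach a chosen severity. The following is an added example, not Citrix’s or Snyk’s own code: it assumes a report shaped like the output of `snyk test --json` (the field names `vulnerabilities`, `severity`, `packageName`, `version`, `title`, `isUpgradable` and `fixedIn` are assumptions about that shape; check them against your CLI version), and the embedded sample report is constructed for the example. Beyond the pass/fail decision that `snyk test --severity-threshold=high` already gives you natively, it also derives a per-package upgrade plan so that the developer sees which version clears every upgradable finding at once, the kind of planning metric the quotes below describe.

```python
"""PR gate over a dependency-scan JSON report (added example, not Citrix's or Snyk's code).

Assumed report shape (like `snyk test --json`; verify against your CLI version):
  {"ok": bool, "vulnerabilities": [{"id", "severity", "packageName", "version",
                                    "title", "isUpgradable", "fixedIn": [...]}]}
"""
import json
import sys

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed sample report for demonstration; ids, packages and titles are made up.
SAMPLE_REPORT = json.dumps({
    "ok": False,
    "vulnerabilities": [
        {"id": "EXAMPLE-1", "severity": "high", "packageName": "pad-left-ish",
         "version": "1.0.0", "title": "Prototype pollution (constructed)",
         "isUpgradable": True, "fixedIn": ["1.0.1"]},
        {"id": "EXAMPLE-2", "severity": "medium", "packageName": "old-parser",
         "version": "2.3.0", "title": "Regular expression DoS (constructed)",
         "isUpgradable": False, "fixedIn": []},
        {"id": "EXAMPLE-3", "severity": "critical", "packageName": "old-parser",
         "version": "2.3.0", "title": "Code execution on crafted input (constructed)",
         "isUpgradable": True, "fixedIn": ["2.4.0"]},
    ],
})


def parse_findings(report_json):
    """Normalize the report into dicts with a numeric rank, worst findings first."""
    report = json.loads(report_json)
    findings = []
    for v in report.get("vulnerabilities", []):
        sev = str(v.get("severity", "low")).lower()
        findings.append({
            "id": v.get("id", "?"),
            "severity": sev,
            "rank": SEVERITY_RANK.get(sev, 0),  # unknown severities rank as low
            "package": v.get("packageName", "?"),
            "version": v.get("version", "?"),
            "title": v.get("title", ""),
            "upgradable": bool(v.get("isUpgradable")),
            "fixed_in": list(v.get("fixedIn") or []),
        })
    return sorted(findings, key=lambda f: f["rank"], reverse=True)


def gate(findings, threshold="high"):
    """Return (passed, blocking): blocking holds findings at or above the threshold."""
    min_rank = SEVERITY_RANK[threshold]
    blocking = [f for f in findings if f["rank"] >= min_rank]
    return (len(blocking) == 0, blocking)


def count_by_severity(findings):
    """Counts per severity, with every level present so dashboards stay stable."""
    counts = {sev: 0 for sev in SEVERITY_RANK}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


def _version_key(version):
    """Sort key for dotted versions; non-numeric components sort as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def upgrade_plan(findings):
    """Map package -> the highest listed fix version, so one bump clears all its fixes."""
    plan = {}
    for f in findings:
        if not (f["upgradable"] and f["fixed_in"]):
            continue
        best = max(f["fixed_in"], key=_version_key)
        current = plan.get(f["package"])
        if current is None or _version_key(best) > _version_key(current):
            plan[f["package"]] = best
    return plan


def main(argv):
    """Usage: gate.py [report.json] [threshold]; reads the sample when no file is given."""
    report_json = open(argv[1]).read() if len(argv) > 1 else SAMPLE_REPORT
    threshold = argv[2] if len(argv) > 2 else "high"
    findings = parse_findings(report_json)
    passed, blocking = gate(findings, threshold)
    print("severity counts:", count_by_severity(findings))
    for f in blocking:
        print(f"BLOCK {f['severity']:8} {f['package']}@{f['version']}: {f['title']} ({f['id']})")
    for pkg, ver in upgrade_plan(findings).items():
        print(f"upgrade {pkg} -> {ver}")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to see the constructed sample gated at `high`; in a pipeline, pass the saved report and a threshold, and the non-zero exit code fails the PR check.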
The Impact: Dramatically improving SDLC health
In the past, taking inventory of code vulnerabilities and knowing when libraries needed to be updated was a time-consuming, manual process for the product security team. Snyk has given Citrix clear and quick visibility into when libraries are out of date and potentially exposing code to vulnerabilities. As a result, Citrix has reduced its overall risk posture by 50%, with a 10% overall reduction in critical severity open vulnerabilities.
“Snyk has improved our dependency hygiene and the overall health of our SDLC,” explained Potier. “Developers are usually not aware of how they put their own product at risk by upgrading libraries too much or not enough. Snyk gives developers the metrics to plan ahead and not upgrade everything at once.”
Over the past three months, Citrix has run 4.7 million total tests (increasing by 204%) and its 60-day average time to fix all vulnerabilities is less than half the time of the industry average.
“The number of issues we’re identifying in our code has been falling,” Hather concluded. “We may never get to zero vulnerabilities as code is continuously changing to meet customer and security needs, but Snyk gives us a plan of action to get as close to zero as possible.”