CoinSwitch

How CoinSwitch implemented comprehensive vulnerability scanning with the full Snyk platform

Location: Bangalore, India

Highlights

  • Adopted full Snyk platform for comprehensive vulnerability detection and remediation

  • Seamlessly integrated Snyk with Bitbucket and other CI/CD tools

  • Gained immediate visibility into newly disclosed vulnerabilities like Log4Shell

  • 8x increase in adoption based on projects added in the last 3 months

  • 60% reduction in critical vulnerabilities over the last 3 months

The Challenge: Building a trusted investing ecosystem

The company started with a cryptocurrency exchange aggregator platform supporting 275+ coins and 45,000+ currency pairs, but has since developed its own exchange and plans to launch other fintech products in the future. Over the past few years, the company recognized that application security fosters trust with consumers and started building an internal security team to improve the security posture of its software.

_“One of the key initiatives was to make sure we have our own SAST [static application code analysis] and SCA [software composition analysis] tools up and running,”_ stated Akshit Sharma, Senior Software Security Engineer at CoinSwitch Kuber.

The Solution: Implementing Snyk’s entire vulnerability scanning platform

CoinSwitch had over 50 developers that had been building its platform for the previous few years, but the company needed better visibility into its application security posture. That’s why its security team decided to implement Snyk Code, Open Source, Container and Infrastructure as Code to scan its application code, open source dependencies, containers, and Terraform infrastructure as code configurations.

_“The idea was to first identify and quantify where exactly we were,”_ Akshit explained. _“Then we would know the backlog we were sitting on and the next steps we would need to take.”_

Akshit had experience with other vulnerability scanning tools and knew their challenges, particularly around speed and false positives (reported issues that are not actual vulnerabilities). The team decided on Snyk because it has a significantly lower scanning time and produces far fewer false positives, which reduces the friction of integrating the tool into developer workflows.

_“As far as onboarding, everything went very smoothly,”_ stated Sasikumar Thirugnanam, Partnerships Manager at CoinSwitch Kuber. _“It was a great process and the Snyk team is easy to get in touch with.”_

Shifting security left with Snyk

Implementing Snyk has helped CoinSwitch improve its application development processes. In fact, CoinSwitch was able to easily integrate Snyk with Bitbucket Cloud, Jenkins, AWS CodeBuild, and other tools within its continuous integration and continuous deployment (CI/CD) pipeline. This has been crucial for the company to consider security earlier in the software development lifecycle (SDLC) and reduce its mean time to fix for new issues. Snyk's free native integration with Bitbucket Cloud is another time-saver for CoinSwitch developers, who are able to build, test, and release secure software faster, all without leaving Bitbucket Cloud.

_“In order to shift left, we need to create an environment where security is built into the SDLC,”_ Akshit explained. _“We want to embed Snyk checks at each and every place, leveraging all the integrations Snyk provides.”_

Moreover, CoinSwitch has configured Snyk to “break its builds” when critical issues are discovered during development. This prevents new vulnerabilities from being introduced going forward, which Akshit says makes security “built in” instead of “bolted on.” By stopping the flow of new vulnerabilities, CoinSwitch was able to focus on reducing the number of security issues within its backlog.
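One way a build-breaking gate of this kind can be expressed in a Bitbucket Pipelines configuration, added here as an illustration rather than CoinSwitch's or Snyk's own pipeline definition. The Node.js base image, the `./infra` Terraform directory, the container image name and the `SNYK_TOKEN` repository variable are assumptions; the `--severity-threshold` options are standard Snyk CLI flags, and a non-zero exit from any script line fails the step.

```yaml
# Added illustration, not CoinSwitch's or Snyk's own bitbucket-pipelines.yml.
# Assumes a Node.js project, Terraform under ./infra, an image tagged
# registry.example/app:latest, and a secured repository variable SNYK_TOKEN.
image: node:18

pipelines:
  default:
    - step:
        name: Snyk security gate
        caches:
          - node
        script:
          - npm ci
          - npm install -g snyk
          - snyk auth "$SNYK_TOKEN"
          # Open source dependencies: exit non-zero (break the build) on any
          # finding rated critical. Lower thresholds widen the gate.
          - snyk test --severity-threshold=critical
          # First-party code. Snyk Code rates findings low/medium/high, so
          # "high" is the strictest gate available here.
          - snyk code test --severity-threshold=high
          # Terraform and other IaC configurations.
          - snyk iac test ./infra --severity-threshold=critical
          # Container image built earlier in the pipeline (assumed name).
          - snyk container test registry.example/app:latest --severity-threshold=critical
          # Record a snapshot for ongoing monitoring in the Snyk UI; this step
          # reports only and must never fail the build, hence the fallback.
          - snyk monitor || true
```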

The Impact: Dramatically improving application security

Within a matter of months, CoinSwitch was not only able to gain visibility into the security posture of its applications, but was also able to begin fixing the critical and high severity issues discovered. The company has already remediated over 95% of the critical security vulnerabilities within its software since implementing Snyk and 60% in the past 3 months.

Now that CoinSwitch has the right tooling in place, the company has taken its first step towards improving application security and understanding the risks associated with its software. For example, when a new vulnerability like Log4Shell is disclosed publicly, Akshit can easily analyze whether the company's software is impacted. CoinSwitch's goal going forward is to continue educating developers more deeply about application security and to further shift security left in the development process.

_“There has to be a set of processes and there should be awareness of security across the organization,”_ Akshit concluded. _“This takes some time, but it starts with taking one step at a time towards the end goal of being on top of security.”_

About CoinSwitch

CoinSwitch Kuber is India's largest cryptocurrency investing app, enabling over 18 million users to buy and sell Bitcoin and other cryptocurrencies instantly. CoinSwitch's primary mission is to create a simplified ecosystem for investing that is accessible for everyone, and a key aspect of this is trust.