Depop rolls out an automated vulnerability management program using Snyk

Industry: Retail
Location: United Kingdom



  • Automating vulnerability management across numerous Scala microservices

  • Scaling security scanning to nearly 100 software engineers, scanning 100% of their code base

  • Managing full dependency lifecycle with Snyk Open Source

  • Securing containers and images using Snyk Container

  • Gaining confidence in deployments with Snyk Infrastructure as Code

  • Achieving near zero-day issue detection using Snyk Intel Vulnerability Database

  • Reduced the team’s mean time to fix by 43 days

The Challenge: Automating vulnerability management at scale

The company’s app has a microservices-based architecture built primarily using Scala, which means there are a lot of separate code repositories for each service with varying levels of active development. The problem was that the company had an ad hoc approach for managing dependencies and remediating new security vulnerabilities across these repositories. Depop’s team knew they needed an automated vulnerability management program that covered its open source dependencies, containers, and infrastructure as code (IaC).

×´There wasn’t really anything in place for managing the full lifecycle of dependencies,” stated Charlie Stocker, Security Engineer at Depop. “We also had an ad hoc approach where someone would hear about a new CVE or critical issue and then we’d fix it. This wasn’t scalable, so we needed something automated that gave developers the ability to manage this workflow themselves.”

The Solution: Creating a secure development process

When looking for a vulnerability management tool, Depop needed a solution that covered all of its technologies, including Scala. Since Snyk was able to seamlessly integrate with Depop’s existing development processes from the start, there was little friction for developers to take responsibility for application security.

Implementing automated security scanning enabled developers to receive up-to-date vulnerability information from the Snyk Intel Vulnerability Database, without seeking it out themselves. In fact, Snyk’s database brought Depop much closer to zero-day vulnerability detection, while the company’s previous solution revealed some issues months after they were discovered.

“We knew we couldn’t rely on developers to be interested in security,”_explained Pedro Borracha, Head of Information Security at Depop. “We needed a full workflow where everything was automated and we had visibility into vulnerabilities.”_

Snyk was also a natural fit for Depop because the InfoSec team knew it was important not to cause delays for the  development team while the company was scaling rapidly. A developer-friendly tool like Snyk – which didn’t introduce barriers to delivering software – was crucial for developer adoption. Unlike other security tools, Depop felt that Snyk was truly built for developers and offered a more convenient user experience.

“You can move quickly with security, but you have to find the right tools and processes,”_Stocker said. “We couldn’t add all these blocks and barriers that make it harder to develop software – because then developers just won’t use it. That was a key factor for choosing Snyk.”_

Integrating Snyk across the development lifecycle

Along with full coverage of Depop’s dependencies, containers, and infrastructure, the company wanted to integrate scanning across its entire software development lifecycle (SDLC). Depop was able to easily implement security measures at every stage of its software delivery process using the Snyk CLI and within 1 month, they were able to import all of their projects resulting in Snyk scanning 100% of their code base. This helped Depop build confidence in the overall security posture of its marketplace platform.

“All of our infrastructure is done as code,”_Borracha said. “Snyk was a great fit because we could do most things through the CLI, which was convenient for enabling our monitoring and auditing processes.”_

The Impact: Immediately improving platform security posture

After integrating Snyk into its development process, Depop was able to immediately detect and remediate thousands of vulnerabilities to improve its security posture.  In fact, the Depop team has run over 1,000,000 tests to date while reducing their mean time to fix by 43 days. Snyk enabled the company to scale a small AppSec team across nearly 100 developers by encouraging development teams to manage vulnerabilities themselves.

“We needed a tool that the developers wanted to use, as opposed to us doing all of the security work for them,”_explained Borracha. “We simply don’t have the capability to do that ourselves.”_

Depop also has much greater visibility into the security posture of its platform and hundreds of microservices-based code projects.  In fact, during the company’s recent acquisition by Etsy, there was already a lot of evidence from Snyk that proved Depop’s application security maturity. Snyk keeps a strong audit log trail available to users and offers in-depth reporting for full visibility into the vulnerability management process.

“Snyk had an immediate impact,” concluded Stocker. “We just started fixing lots and lots of issues and making vulnerability management part of our process and software development lifecycle.”

About Depop

Depop is a peer-to-peer fashion marketplace where its 31 million users can buy and sell used clothes from each other. The company's primary focus is inspiring people to live more sustainably by reselling and recycling their clothes through Depop's social marketplace app.  Depop was acquired by Etsy in July 2021.