The Challenge: finding and fixing vulnerabilities without causing slowdowns
DFDS has a rich history—from shipping freight and cargo 150 years ago to managing logistics operations across the globe today. DFDS consists of two major divisions: the Ferry Division, which moves freight and passengers across European ferry routes, and the Logistics Division, which offers transport and logistics solutions.
DFDS’s Logistics Division offers a variety of digital tools to its customers, such as services for tracking and tracing shipments in real time, simplifying customs clearance, and booking loads. Behind the scenes, DFDS employs over 200 developers to maintain and extend this suite of products.
When the DFDS team did a full audit of their development pipeline—including their applications and cloud environments—they uncovered significant gaps in security visibility. In addition, they found varying levels of security maturity across their organization. Some teams had better observability of their vulnerability count and a good grasp of application security, while others did not. Each team also used its own mix of open source and commercial tools rather than taking a standardized approach to security.
The DFDS team needed a new solution to establish consistent security practices across the company. It was equally important to them that these controls did not restrict or slow down the developers.
“It turned out the biggest risk was the lack of observability of our supply chain,” said John Smith, Domain Architect - SecOps. “We found in different teams and different tribes—it was all a different level of maturity.”
The Solution: Snyk Open Source and Code
The DFDS team decided to use Snyk Open Source and Code across their development groups, enabling them to secure both first- and third-party code. They chose Snyk because it was simple to implement and included robust reporting features.
“So with many of the alternatives that we found, you were still having to put a YAML file or a conflict file in each repository,” explained John. “Now, the biggest problem is if I go to the product owners and say, ‘I need you to write an issue or a PBI for every single repository,’ they’re going to tell me that they haven’t got time. Because Snyk doesn’t have that barrier, I was able to craft a rollout process that didn’t require any intervention with the product owners.”
The DFDS team also appreciated that Snyk could serve as a “security companion” for each developer, regardless of their level of expertise. They began using Snyk Learn from within the platform to build security awareness.
According to John, “The important message was to get people to understand—or at least start thinking about— applying a security mindset in the sprint. And also thinking to themselves, ‘...let's look at the data we've got currently, and let's try and get the worst offenders down’.”
The right tools and training for security success
After implementing Snyk’s first- and third-party code solutions and using Snyk Learn for developer education, the DFDS team saw broader interest in security remediation, with developers going the extra mile to find and fix vulnerabilities. Application security went from an overwhelming, unaddressed issue to an achievable and engaging initiative across the development teams.
“Since implementing Snyk, we’re getting a lot of questions around, ‘What’s this? What’s the CVE? What’s MITRE?’” said John. “So people are actually starting to read the vulnerability details in Snyk Learn and trying to understand, for example, what SQL injection is. And that shows that with Snyk, we’re indirectly starting to create a culture of curiosity. And a culture of curiosity around security is great because if we can take that curiosity and turn them into a security champion, then you’ve got influence within a team.”
The Impact: Decrease in vulnerabilities and increase in curiosity
Since adopting Snyk, the DFDS team has cut its total vulnerability count by 50% to date, and as of a few weeks ago it reported zero critical mature vulnerabilities. Next, the team plans to embed Snyk more deeply into the development teams’ native IDEs to encourage continued tool adoption.
“Because [the developers] have got the quality gates and they’ve done the security sprints, they can focus a lot less on critical vulnerabilities in their day-to-day.”
Thanks to Snyk, DFDS can take a proactive approach to security, enabling developers to release future offerings and updates with both speed and security.