The Challenge: Keeping sensitive health information safe
Ensuring robust security and data protection practices is one of the key priorities for the company, given the sensitivity of the data it collects. Given the incredibly fast pace of product development, Flo Health needed a way to implement application security processes without slowing down its engineering team.
The Solution: Integrating Snyk into DevOps processes
When Flo Health decided it needed a security tool to gain greater visibility into application security during development, the company chose Snyk. The first step Flo took was to integrate automated vulnerability scanning with its existing development tools. Through this effort, both security and development velocity have increased across more than three hundred code repositories and six hundred containers.
“We have 15 development teams and they’re each responsible for their code and pipeline,” explained Dmitry Yackevich, Security Engineering Lead at Flo Health. “As the security team, we helped them integrate Snyk into their development lifecycle by providing documentation, examples, and basic images.”
After the initial success of adopting Snyk Container and Snyk Open Source, Flo implemented Snyk Infrastructure as Code to ensure a baseline level of security for over 20 AWS accounts using Terraform. Snyk enabled the company to set up consistent policies and automatically check these codebases for vulnerabilities.
“Snyk provides world-class customer service,” Leo Cunningham, CISO at Flo Health, said. “This has covered various aspects, from producing tailored reports, to running education events, to developing materials for installations.”
Scaling Application Security During Hypergrowth
Since Flo Health is rapidly growing, introducing a security tool that slowed down its development teams wasn’t an option. In the past, Flo’s manual approach meant that fixes could take months to get back to the security team. With Snyk’s automated checks for every code commit, however, developers could immediately remediate issues within minutes without waiting on the security team.
“Prior to working with Snyk, our approach was to have external penetration testing every six months and to have an internal assessment every quarter, so we had quite a long feedback loop for finding and resolving vulnerabilities,” stated Yackevich. “With Snyk, we were able to change this approach and start to test these things continuously.”
Despite integrating security checks with Snyk, the number of code commits increased by 150% and deployment times remained less than a minute. By providing actionable security insights earlier in the development process, Snyk has helped Flo’s development teams shift security left and more efficiently remediate vulnerabilities on the spot when they’re discovered. As the company experiences rapid growth, the ability to improve security and development speed at the same time is essential.
“Partnering with Snyk was definitely a good decision for us because it’s not only about scanning, but also about implementing security in the right manner,” Yackevich added. “Snyk helped us establish a proper approach to security within our company.”
The Impact: Delivering security and speed together
After implementing Snyk, developers have gone from fixing five to ten security flaws per month to between 300 and 1900 fixes each month. Flo Health has estimated that matching the current volume of security fixes using the previously manual approach would require at least twenty new security staff members.
“With Snyk we’ve started doing security checks with each code commit,” said Yackevich. “This has definitely helped us shorten the feedback loop and shift security left.”
Snyk has enabled Flo Health to not only improve the security posture of its mobile app, but also to ship new features faster than before. Developers can now spend less time dealing with a backlog of security issues and more time building innovative features that drive the growth and adoption of Flo Health. This has led to an enormous boost to security while providing customers with a better, more secure product in less time.
“At Flo, continuous development of a security framework with a robust set of policies and procedures is of highest priority,” Cunningham concluded. “Given the deeply personal nature of our users’ data, we are committed to minimizing any potential security risks. Snyk has quickly become one of the most important security tools here at Flo. It is vital we have secure containers and infrastructure as code. Snyk scans all of our code pipelines in record time and captures items before they go into production, helping us shift left. All in all, Snyk has helped us to mobilize our security-first approach and allows us to do so at scale in record time.”