- Improving enterprise-level visibility into source code and open source dependencies
- Automating vulnerability scanning within pull requests
- Expanding DevSecOps without slowing down development
- Saving developers time through automated vulnerability scanning
- Ensuring compliance with international security standards and regulations
The Challenge: Enterprise-level visibility into open source
Form3 has been using Snyk since 2018, when it recognized the need to improve visibility into potential vulnerabilities in code dependencies and wanted an enforceable way to prevent those problems from reaching production.
Dedicated to ensuring the safety and security of its customers’ payments, Form3 prioritized application security and quality assurance for its payment platform and software from the outset. The firm’s Chief Information Security Officer, Achilleas Pitsillides, recognized the need to integrate software dependency and vulnerability checks into the build process. This would enable their 100+ engineers to secure open source code, dependencies and container images.
To ensure development time wouldn’t be impacted, the security team sought a simple solution that supported the developers’ preferred languages and development environments.
“Our security controls were improved by putting this solution in place,” said Achilleas Pitsillides, CISO at Form3. “We wanted a solution that integrated dependency scanning into our existing build processes, but didn’t slow engineers down in their daily workflows.”
The Solution: Developer-first approach led to an easy deployment and instant insight into security vulnerabilities
The application security team at Form3 was able to integrate Snyk into engineering workflows quickly and seamlessly at the end of 2018. Snyk natively scans the engineering team’s 500+ repositories to detect vulnerabilities in their application source code and open source dependencies. Additionally, because code is analyzed and validated during pull requests, engineers can catch issues early in their build pipelines and remediate them quickly and efficiently themselves.
“We evaluated solutions based on the number of languages supported and how easily we could plumb them into our existing workflows,” said Liam Galvin, Senior Security Engineer at Form3. “Snyk provided a nice CLI tool with the level of configuration we needed, making it easy to integrate with our automated builds.”
Snyk Container empowered developers to immediately fix crucial vulnerabilities
The Form3 team has already seen developers’ workflow for reviewing vulnerabilities change for the better. The addition of Snyk allows developers to immediately catch and fix crucial vulnerabilities. Additionally, Snyk Container scans images, preventing bad base or tool images from being pushed to their registries. In this way, Snyk helps developers ensure they have the most secure and streamlined base images possible by eliminating vulnerabilities. Snyk monitors images continuously, alerting developers when new vulnerabilities are discovered.
“Snyk helps engineers identify overloaded images from a vulnerability standpoint,” said Liam. “This secures the images we use and has improved our process overall.”
The Impact: Transparent security without slowing development
Form3 was able to implement security processes and policies that cause minimal interruptions to developers. Snyk integrates into their build process and helps prioritize vulnerabilities to accelerate remediation. This way, Form3 has gained complete visibility and improved software quality without delaying the time to market for innovative features their customers want.
“Since integrating Snyk with our build systems, we have improved visibility of vulnerable OSS dependencies across our 500+ repositories,” Achilleas explained. “Additionally, we’re actively blocking PRs where new issues are detected on our repositories.”
Additionally, as a provider of critical technology to regulated firms dealing with confidential and personal information, Form3 must comply with GDPR and other governing regulations. Snyk supports the company’s ability to protect its systems.
“Form3 holds several certifications and is audited every six months by external bodies,” noted Achilleas. “Vulnerability management is a defined control for our certifications, and Snyk is one entity that helps us to satisfy and evidence these controls.”
With Snyk, Form3 was able to take an engineering-centric approach to security without slowing down deployment. The platform’s automated tools detect security vulnerabilities before code gets merged, and Snyk, along with other Form3 security controls, enables Form3’s engineering teams to confirm that security has been validated before the application ever reaches staging or production environments.