The Challenge: visibility into the software supply chain
Handshakes empowers companies across Asia to make safe, informed business decisions with its award-winning due diligence insights solution.
Because the Handshakes team works with high-profile clients in finance, government, and similar sectors, they knew it was essential to improve their security posture and keep up-to-date with compliance requirements. The team mainly wanted better visibility of their overall security, including vulnerability counts. They knew their developers, security members, and C-suite all needed access to a view of the company’s entire threat landscape, including risk in open source, first-party code, infrastructure-as-code (IaC), and containers.
The Handshakes team previously used some security tooling. However, these solutions did not provide deep insights into code security or offer a comprehensive suite of end-to-end software supply chain protection. As a small organization with limited security resources, Handshakes needed a straightforward way to access reports from a single platform. They also wanted seamless workflows for both the development and security teams.
“[We needed] visibility into a couple of things,” explained Kenneth Ham, CTO at Handshakes. “One, for the developers; we wanted to have that mindfulness, that ‘you cannot just code and then push things without having developer security in mind’… The second, of course, is for the cybersecurity team. They need to know, ‘what is my threat landscape — within the organization and externally?’… the last, biggest visibility is my reporting to the respective C-suites.”
The Solution: Snyk’s Developer Security Platform
To consolidate reporting and monitoring across their entire software supply chain, the Handshakes team tried Snyk’s developer security platform.
They decided on Snyk because of the value the platform provides. Rather than only focusing on a single part of the SDLC (e.g., only IaC security, SAST, or SCA), Snyk provides a single pane of glass. The platform reports on vulnerabilities across Handshakes’s entire environment without requiring the development and security teams to switch contexts.
“We wanted to remove that confusion, especially with a team that is young and small,” stated Kenneth Ham. “We don’t want to complicate their lives too much — there are so many tools to choose from.”
Snyk also integrated easily with Handshakes’s existing development environments, including its multi-cloud ecosystem (Azure and AWS) and a CI/CD pipeline powered by Azure DevOps, GitHub, and Jenkins.
When considering which security tool to adopt, Kenneth Ham asked, “How do we bring security awareness into the supply chain mentality, where it starts right off with your source code — it doesn’t start when you ship… which means developers must be involved, my PMs must be involved. Naturally, then, Snyk became the top-of-mind choice. We know that supply chain activity starting from the source code is now protected, and is now given visibility and control.”
Tool consolidation for security program success
After successfully consolidating their security tools into Snyk’s single platform, the Handshakes team saw a 42% increase in developer adoption over five months. They plan to build on this adoption by implementing a security champions program for their development teams.
“My security team is working with my learning and development team to form up a security champions program… educating everybody on what shift left means… how do you protect yourself, how do you build your own defenses, and eventually, how do you become a champion… in terms of adopting Snyk?”
The Impact: Significant decrease in software supply chain risk
Since adopting Snyk, Handshakes has drastically improved its supply chain risk management. In the past five months, the team has reduced critical vulnerabilities in their environment by 99% and decreased vulnerable projects by 80%.
Because they now have end-to-end visibility into their entire software supply chain, the Handshakes team can continue bringing down their vulnerability count and increasing developer adoption. And since their customers highly value security, they hope to eventually tie their security successes back to general business metrics such as customer acquisition.
“The Handshakes team really enjoys working with the Snyk team. It has been quite a smooth journey in adoption and an overall good partnership.”