As the Helvetia team began moving away from an in-house development stack on its journey to the cloud, security requirements needed renewed attention, starting with an overview of the risks of running their own software on cloud infrastructure. Application security had been managed manually, using OWASP dependency checks and external security reviews. With many new applications entering the environment, however, that process was too slow. As they developed software, they set up middleware and needed a tool that covered all of its dependencies. They wanted to move from a mode of “protection”, with late-stage security testing, to “detection” earlier in the SDLC, effectively shifting left. This required a tool that could produce reports automatically. Their legal team also wanted a solution that would give visibility into the licenses used by their software. The requirements for a detection platform included:
- Automated reporting on:
  * Vulnerabilities in used dependencies
  * Lifecycle management
  * License use
- Integration into the development cycle
- Native support for:
  * Scanning container images
  * Code dependency scanning
- Remediation information
- Integration with Kubernetes / OpenShift
- Dependency scanning for their main programming languages
- Compliance with ISMS and ISO 27001
To migrate Helvetia’s runtime and development environments onto cloud infrastructure, the team knew its goal was an overview and health check of every application running on its platform. After evaluating over 20 vendors against their criteria, they concluded they would need mature platforms like AWS, OpenShift and Snyk to build and develop the Helvetia Container platform.
Snyk was the solution that best fit their needs, particularly for lifecycle management and license management. The Helvetia team also found that Snyk covered their key ecosystems: Java/Maven, TypeScript/npm, Python and .NET. For developers they wanted a tool that could simply be used from the CLI and through an integration with their IDE, IntelliJ. The Bitbucket Server integration, which scans repositories directly from Bitbucket, was also important. Ultimately the CI/CD integration was key: it tests each build and informs them whenever one of their internal requirements is violated.
Moreover, Snyk’s pricing model allowed Helvetia to start small based on their number of users and scale over time. This was important since it accommodated their incremental shift to cloud so that as Helvetia grew, Snyk could grow with them.
Since implementing Snyk, the team automatically detects lifecycle issues in the software they write themselves and uses Snyk reporting to check for specific dependencies. They can also feed the dependencies in use, at a higher level of abstraction, into their lifecycle management tool, LeanIX. This lets them track dependency usage and identify end-of-life issues.
Their CTO requires a security test to be completed before an audit; while this can uncover many findings, it also takes time to manage. The low-hanging fruit is now taken care of by Snyk, so they can prioritize pen tests and audits for critical applications.
The Helvetia team now has transparency into the health of their applications, and their development teams have the tools to better evaluate which third-party components they use in their applications. This has enabled a continuous security approach. In Björn’s words,
“We need to have quality assurance during development which Snyk helped us achieve. We couldn’t have made it this far without a tool like Snyk.”
Red Hat OpenShift Integration with Snyk
Currently the team uses the Snyk Container / OpenShift integration to scan running container workloads and is working on defining the architecture of the applications that run on OpenShift.
Since the team at Helvetia had no cloud experience in AWS or Azure, they sought a platform that would tell them what their cloud provider is doing and how it is performing. They did not want vendor lock-in with their cloud provider, and as Björn has said, “Openshift provides this for us. We don’t have a lot of experience with containers and Openshift allows us to manage containers and security built-in which is really important for us as an enterprise.”
OpenShift is a container runtime that the team does not have to build themselves. In addition, OpenShift provides many benefits that improve the developer experience. They can hide or expose some underlying cloud details through the cloudshift interface without worrying about what is under the hood. This has removed concerns about libraries and databases and given developers more transparency.