Highlights
78% reduction in critical vulnerabilities over the past 90 days
97% of issues found were fixed within the last 90 days
Reduced their mean time to fix by 40% in the last 90 days
100% developer adoption of Snyk
The Challenge: Improve code visibility, prevent new vulnerabilities
As a company in hyper-growth mode, Glovo sought to implement tooling that would help provide increased visibility into its own massive code base. There was also an aggressive push internally to shift security left and prevent new vulnerabilities earlier in the SDLC in its dependencies and code.
“We needed to fulfill these requirements, but do so in a developer-friendly way that wouldn’t disrupt the workflows of our 650 developers,” said Marcos Valle and Matias Gagliardi, Glovo’s Security Engineering Manager and Security Engineer.
The Solution: Snyk offers diverse capabilities and easy integration
After a lengthy internal assessment process, Glovo determined their biggest priorities were to get a clearer view of their software bill of materials and prevent new code and dependency vulnerabilities.
Initially, the team was only considering Snyk Open Source, as Security Engineering Manager Valle had used this solution in the past. But as the team learned about the Snyk Code product for proprietary code, they started to view Snyk as a full platform that supported all the capabilities Glovo was seeking.
“Snyk provides multiple solutions in the same package, which was a major advantage for us,” explained Valle. “Expanding to IaC or Container scanning in addition to Open Source & Code would give everything in a single place in a single panel integrated with our systems.”
This smooth integration with Glovo’s existing technologies – including GitHub and Jira among others – was a stand-out Snyk feature during evaluation. The Glovo security team also highlighted Snyk’s IDE integration plug-ins as a benefit no other evaluated solution could provide.
“Snyk’s integration with our tech stack was simple,” said Valle. “Our team was smaller at that time and we needed a solution in place as soon as possible, and Snyk’s integration was superior to other solutions we analyzed.”
The Impact: Fewer vulnerabilities and more security-minded devs
The primary metric Glovo has been measuring since implementing Snyk Open Source and Snyk Code in July 2021 is the number of new high severity and critical severity vulnerabilities. Vulnerability metrics using Snyk this year show huge improvements.
Over the past 90 days, the Glovo security team has reported that 6% of Glovo's pull requests contained high or critical vulnerabilities (Glovo was able to leverage Snyk to prevent those vulnerabilities from being merged into their code). As a result of this and the team's remediation efforts, the Glovo security team has reported a 78% reduction in critical vulnerabilities in its dependencies and code using Snyk. Furthermore, the team has achieved a 40% reduction in their mean time to fix, demonstrating overall that they're able to ship more secure code faster.
In addition to successful metrics, Glovo benefits from vulnerability reports that can be split up for different perspectives, such as per team or per project. Snyk’s clear and transparent vulnerability reports, as well as onboarding tools such as Snyk Learn and Snyk’s Stranger Danger events, have helped Glovo onboard developers. Glovo has achieved 100% developer adoption of Snyk.
“These resources helped onboard developers into the Snyk tool while also educating them about security best practices,” said Valle. “The feedback from the security champions on our developer teams has been 100% positive.”