How InVision Uses Snyk’s API For Real-Time Vulnerability Reporting

Highlights

  • Leveraged Snyk API to populate a real-time reporting dashboard
  • Built Go client library for accessing Snyk API and compiling custom reports
  • Created custom security reports that align with unique organizational model
  • Seamlessly integrated Snyk into existing AppSec workflows

The Challenge: Gaining visibility into application security posture

InVision is a leading digital product design and development platform built for collaboration across teams and geographies. In fact, more than 7 million people across tens of thousands of organizations use the platform to develop, prototype, and animate new digital products. Every day, designers around the globe use InVision for launching world-class customer experiences at scale.

With its platform continuing to grow as more companies embrace design-driven innovation projects, InVision wanted to streamline application security efforts and bring transparency into vulnerability management processes. While InVision was already using Snyk Open Source for third-party dependency scanning, the company wanted to centralize security information across numerous projects as well. The challenge was making this data accessible to engineering teams throughout InVision without additional manual effort.

“Our engineering managers had too many places to go to understand the security posture, so we wanted to put it all in one place,” stated David Epler, “Senior Security Engineer at InVision, So our team built a tool for our vulnerability management process, and Snyk was a core part of that.”

The Solution: Real-time Snyk reports at scale

Using the Snyk API, InVision automates its security reporting efforts for dependency management with static weekly reports and an on-demand dashboard. The on-demand dashboard leverages the Snyk API to conveniently pull large amounts of data in real-time, ensuring that engineering leaders have a relevant and timely understanding of the company’s application security posture.

If a service owner wants to know what the vulnerability state of the service is,” Epler explained, “they can now go to a single dashboard and see the Snyk information, the vulnerabilities we’ve found, and any other kind of security-related tasks or issues. The solution pulls all of this together in real-time.

More specifically, InVision wrote a Go library to access the Snyk API and pull information on a regular basis. The custom tool downloads all of InVision’s projects and issues once every hour, storing the data in memory for querying by other tools that compile custom reports. These custom reports are an invaluable tool for project and department managers to understand the potential application security risks at InVision.

“The API allowed us to pull the data from Snyk, but more importantly, it allowed us to do roll-up reports. These custom reports align closely with our unique organizational model consisting of zones and squads.”

Snyk API: Ease of Use

When InVision first sought out a security scanning tool, the company evaluated the APIs of several options, but found that Snyk’s documentation proved the most straightforward to implement. Manually downloading information for reports is time-consuming, but with the API, it’s easy to authenticate and aggregate data from multiple Snyk projects automatically.

“The API is pretty simple, and it’s very easy to get a large amount of data,” Epler said, “So you don’t have to make a lot of requests, especially now that Snyk added the aggregated issues endpoint. This made it much easier to build a comprehensive security dashboard for all of our projects.”

The Impact: Seamlessly managing organization-wide AppSec 

Since adopting Snyk, InVision can now identify and resolve security vulnerabilities for its third-party dependencies at scale. Moreover, the Snyk API enabled the company to seamlessly integrate security scanning and reporting into its existing AppSec workflows without additional ongoing effort. In the future, InVision hopes to continue using the Snyk API to improve the visibility into its AppSec.

“Our team does traditional AppSec like code reviews, but we also build tools for automation,” Epler said. “The Snyk API allowed us to integrate the Snyk platform as a part of our security program with automation rather than as a separate component to manage manually.”