The Challenge: Shifting security left in the manufacturing industry
The company wanted to improve its application security across its business units and vendors, so Komatsu made shifting left a strategic initiative for 2022. In addition, the team was interested in consolidating their tooling for a more seamless experience. With the help of Snyk, Komatsu is pioneering shift-left security in the broader manufacturing industry.
"We're in the process of incorporating the OWASP DevSecOps maturity model into our DevOps strategies," stated Eric Cheng, Digital Solutions Architect at Komatsu. "We chose to leverage Snyk and other practices to level up on the maturity model and bridge the gap between our current and future state."
The Solution: Adopting Snyk for open source dependency scanning
When Komatsu began looking for security scanning tools, they heard about Snyk from one of their vendors and decided to adopt Snyk Open Source for software composition analysis (SCA). This enabled development teams across Komatsu to find and remediate potential vulnerabilities within the open source packages they use.
A key factor in the decision to adopt Snyk was ease of use. It was very easy for Komatsu to get started by using the Visual Studio and Azure DevOps integrations to incorporate Snyk into its existing developer workflows and CI/CD processes. In the future, Komatsu plans to implement Snyk’s new Jira integration to automatically create tickets for security issues.
“Trying to change the culture of business development teams is challenging. Their priority is building new functionality, and we want to support that, but we also want to prioritize fixing vulnerabilities. Because Snyk is so developer friendly, it makes it easier to get the development teams’ buy-in.” Cheng added, “The feedback from our developers has been very positive. In addition, the feedback from the security teams is also positive because Snyk gives them the peace of mind that we’re being proactive about monitoring and resolving issues and reducing risk.”
Another key factor was scan time: Komatsu’s developers didn’t want to wait around for a scan to finish when they were trying to push code. Since Snyk scans 100% faster than Komatsu’s previous solution, it was easy for developers to adopt the platform.
“Compared to our previous tooling, Snyk’s scanning is 2x faster and much more integrated into their tooling and processes,” Cheng said. “The developers are also quite happy that it’s a lot easier to navigate.”
After evaluating Snyk against the competition, Komatsu chose Snyk because of its clear commitment to product innovation, and the team could see Snyk becoming a critical part of Komatsu’s security strategy moving forward.
Relying on Snyk as a single pane of glass
After the successful adoption of Snyk Open Source, Komatsu also decided to switch from SonarCloud to Snyk Code for static application security testing (SAST). This provided Komatsu’s developers and security teams with a single pane of glass to ensure their application code and open source dependencies were secure.
“Snyk is quite easy to use,” Cheng said. “Having everything within Visual Studio makes it really easy, so you can see your code quality, your code vulnerabilities, and also your dependencies' vulnerabilities in one place. This is a game changer for us. Rather than having to go into two separate tools, it’s now a single pane of glass for us.”
The Impact: Improving application risk posture
Since adopting Snyk, Komatsu has much more visibility into security throughout the software development lifecycle. Komatsu’s main measurement of success is how quickly they are identifying critical and high vulnerabilities and the time to remediate those vulnerabilities. Snyk’s insights during the development process enabled Komatsu to reduce their mean time to fix by 62% over the first three months following implementation. In addition, Snyk helped the company stay on top of new vulnerabilities as they’re discovered, allowing them to improve their risk posture by 28% over a period of six months.
“Snyk has really given developers the ability to start thinking about security as they’re developing code,” Cheng explained. “It’s allowed the developers to be much more proactive in fixing vulnerabilities as well. They get alerted whenever new vulnerabilities are identified, so it allows them to prioritize their work.”
Another benefit of Snyk was the ability to discover vulnerabilities first through Snyk’s extensive vulnerability database. 19% of medium or high vulnerabilities fixed by Komatsu were only discoverable through Snyk at the time of discovery. One recent example was a vulnerability discovered when using an API with a commonly used business application. The engineering team was able to fix the vulnerability and issue an update.
“We have started to use Snyk quite heavily across various areas of our business and have been able to pick up a lot of vulnerabilities we would have never been able to identify previously. Snyk also gives us the ability to mitigate and resolve these vulnerabilities quickly and earlier in the development cycle.”
Last year, Komatsu was focused on getting Snyk up and running to improve visibility into its application security posture. Going forward, Cheng’s team wants to improve the maturity of its AppSec program with threat modeling, standardizing its vulnerability management process, enhancing security reporting, and other best practices.
“We’re quite happy with Snyk. Whenever we talk with other vendors about security, we always recommend Snyk,” concluded Cheng. “So our security practices have been passed on to those vendors, and as a result, they ultimately deliver much more secure products to our customers.”