As Australia’s largest retail mortgage broker, LendiGroup places utmost importance on its customer service. This includes ensuring that the technology used by brokers is performing at the highest level.
Following a quarterly penetration test, findings revealed that many of Lendi’s dependencies were out of date, and there was no way to understand what risks were associated with those unpatched dependencies.
Lendi partnered with Snyk to manage their ‘Software as a Service’ (SaaS) products with a configuration-as-code approach. By making this work open source, Lendi has encouraged new ideas when it comes to collaboration between the engineering and application security disciplines.
Moving to a new way of work
Built on the foundation of excellent customer support and experiences, Lendi liaises with financial institutions across the country to find customers the best mortgage option for their circumstances. Following its May 2021 merger with Aussie Home Loans, the original disruptor brokerage company, Lendi Group is now Australia’s largest retail mortgage broker with a loan book worth more than $70bn.
As Australia’s leading technology home-loan provider, Lendi has a team of approximately 120 software engineers, and the wider group houses thousands of mortgage brokers. These brokers use the Lendi platform to accelerate their communication with potential customers and find them a suitable home-loan option in the quickest time possible.
After the merger, Lendi Group was looking at ways to modernize and automate legacy technology processes, which would ultimately help the brokers be a lot more efficient at their work. A quarterly penetration test finding related to dependency issues revealed that many of Lendi’s dependencies were out of date, and there was no way to understand what risk was associated with those unpatched dependencies.
“We rely a lot on open source tooling to be able to identify dependency vulnerabilities within the various micro-services that we have on the backend. The problem with this tooling is that it doesn't necessarily cover all the different types of language we have on the back end, and it doesn't provide useful telemetry and metrics,” said Cole Cornford, Senior SecOps Engineer, Lendi.
Lendi needed a cost-effective solution that would help identify and address vulnerabilities. Lendi started using Snyk in July 2021 to manage their ‘Software as a Service’ (SaaS) products with a configuration-as-code approach.
“The process needed to be simple, so the engineers understood their responsibilities and the importance of patching vulnerabilities. When we were looking at possible solutions, Snyk Open Source was the obvious market leader. I've known about Snyk for a long time, in fact, I first heard of Snyk when the product was being built, so it was the first option I considered,” noted Cole.
Reducing the number of vulnerabilities on the platform makes the systems more resilient, improves reliability, and strengthens customer confidence in Lendi’s security posture. Financial institutions require records of an individual’s identification, address, contact information, income and more, so Lendi needs to ensure that this information is stored securely.
“The initial deployment of Snyk was incredibly quick because we have a very simple structure for our back-end source-code repositories. Snyk enables each Bitbucket single-code repository to be mapped to the owning team. This then allows us to see which teams have the most critical, moderate and low severity items, and who's fixing them faster,” stated Cole.
Removing team silos to turbocharge efficiency
Lendi Group unites their Developer Operations (DevOps) and Security Operations (SecOps) projects with a shared focus: to make the platform easy, secure and reliable to use for everyone from engineers to brokers to customers. The Platform Team is closely interlinked with all of Lendi’s technology and engineering teams, so everyone is constantly communicating and evolving to enable teams to best navigate and manage the platform.
Snyk’s main differentiator is that it integrates with the developer’s day-to-day workflow, which means they don't have to use an external system.
“Snyk just runs continuously in the background and the results are in plain English, so us security engineers don’t need to spend time reading and interpreting. We can just see the graph of vulnerabilities go through which is an easy way to communicate our activities to senior management. This was huge for us, as we want to make sure the user experience for our engineers is exceptional,” said Cole.
These benefits extend to Lendi brokers and ultimately their customers, as Snyk helps to consistently patch issues which means fewer outages and security vulnerabilities for the end-user.
“Snyk delivers value across the Lendi Group because it provides peace of mind for our brokers and customers. They can be confident in using high-performing technology and that all their personal data is safe,” commented Cole.
After deploying Snyk Open Source in Q3 of last year, Lendi Group’s objectives and key results (OKRs) were to achieve successful implementation and socializing of Snyk as a product across the relevant departments. This progressed in Q4 to successfully fixing 90% of critical and high-risk issues using Snyk. Lendi has truly achieved this goal, as this figure has now jumped to 98% in the past 6 months, which is a rare feat for many organizations. Lendi’s goal for Q1 this year is to focus on reducing the time to fix issues, bringing timeframes down to 14 days for critical and high-risk issues and 60 days for all others.
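The two measures described here (the repository-to-team mapping from earlier in the article, and the 98% fix rate and 14/60-day time-to-fix targets from this section) can be computed from a scanner's finding list. The script below is an added example, not Lendi's or Snyk's code; the records, repository names and team names are constructed, and the record shape is an assumption rather than the Snyk API format.

```python
from collections import defaultdict
from datetime import date

# Constructed sample findings (not Snyk API output): one row per open-source
# finding, with the repository it lives in and when it was opened/fixed.
ISSUES = [
    {"repo": "broker-portal-api", "severity": "critical", "opened": date(2022, 1, 3), "fixed": date(2022, 1, 10)},
    {"repo": "broker-portal-api", "severity": "high", "opened": date(2022, 1, 5), "fixed": None},
    {"repo": "loan-pricing-svc", "severity": "medium", "opened": date(2021, 11, 1), "fixed": date(2022, 1, 20)},
    {"repo": "loan-pricing-svc", "severity": "high", "opened": date(2021, 12, 1), "fixed": date(2022, 1, 4)},
    {"repo": "identity-docs-svc", "severity": "low", "opened": date(2022, 1, 15), "fixed": None},
    {"repo": "identity-docs-svc", "severity": "critical", "opened": date(2022, 1, 20), "fixed": None},
]

# Repository -> owning team, as the article describes (hypothetical names).
REPO_OWNERS = {"broker-portal-api": "platform", "loan-pricing-svc": "lending", "identity-docs-svc": "platform"}

# Time-to-fix targets from the article: 14 days for critical/high, 60 for the rest.
SLA_DAYS = {"critical": 14, "high": 14, "medium": 60, "low": 60}

# Reporting date used for open findings (constructed).
AS_OF = date(2022, 2, 1)


def fix_rate(issues, severities=("critical", "high")):
    """Share of findings at the given severities that have been fixed (the 90%/98% OKR figure)."""
    scoped = [i for i in issues if i["severity"] in severities]
    if not scoped:
        return 0.0
    return sum(1 for i in scoped if i["fixed"]) / len(scoped)


def sla_breaches(issues, today):
    """Return (repo, severity, age_days) for every finding older than its SLA window.
    Open findings are aged against today; fixed ones against their fix date."""
    out = []
    for i in issues:
        age = ((i["fixed"] or today) - i["opened"]).days
        if age > SLA_DAYS[i["severity"]]:
            out.append((i["repo"], i["severity"], age))
    return out


def per_team_open_counts(issues, owners):
    """Open findings grouped by owning team and severity, so backlog ownership is visible."""
    counts = defaultdict(lambda: defaultdict(int))
    for i in issues:
        if i["fixed"] is None:
            counts[owners.get(i["repo"], "unowned")][i["severity"]] += 1
    return {team: dict(sev) for team, sev in counts.items()}
```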
Teamwork makes the dream work
To ensure successful implementation, Lendi Group worked closely with the Snyk team so that teams received a detailed explanation of what was happening, had access to the right documentation, and were moved to the new system with as little impact on their day as possible.
“Snyk software is extremely well-documented so we were able to leverage their publicly available information to help run our team education. We ran several training sessions and created best-practice guides about how to use Snyk. Luckily, our software engineers at Lendi are very switched on and understood how to use it almost immediately because it just fits in with the platforms and activities they use on a day-to-day basis. We now have a homogenous stack that's consistent for everybody,” commented Cole.
To facilitate open and speedy communication between Lendi and Snyk, Snyk has established a shared Slack channel where the team can flag any questions or issues.
“The entire Lendi platform team has access to this channel, including SecOps and DevOps engineers, so they can immediately raise and resolve issues with Snyk and request additional resources. Collectively with Snyk, we have tried to make this process as seamless and direct as possible,” said Cole.
Once the Lendi Group had successfully implemented Snyk and found that it had significantly improved their way of working, the team then took this one step further, launching a project to automate the way Lendi Group integrates with Snyk.
“We love to have everything we deploy as code and enjoy open-source projects, so we decided to create an open source Terraform provider that can help not only us but other companies to integrate their different teams and projects with Snyk. Our team recently won a Snykie Innovator Award for this project,” said Cole.
By partnering with Snyk, Lendi has encouraged new ideas when it comes to collaboration between the engineering and application security disciplines. Lendi Group’s next goal for the technology space is to focus on consolidating similar services that currently exist independently across both brands into a single place.
“As a team, we are always challenging ourselves to innovate and pursue the latest technologies out there, whilst also having fun with interesting projects. Snyk directly aligns with our future vision as it helps ensure everything new that we build is being patched on a regular basis and that we are aware of what level of security and risk is associated with any vulnerabilities,” said Cole.