Managing Open Source Security
One of the common challenges of managing security for a fast-paced, growing company is allocating security resources, including people, budget and time. The MongoDB security team has many priorities, and time is a high-value asset. When Stuart and his team found themselves spending hours manually checking that developers were not using open source libraries with known vulnerabilities, or wading through long CVE lists, they knew there had to be a faster and easier solution.
“Before Snyk, our approach to open source security was slow and time-consuming. We did manual checks of our packages before releases for some products (lots of googling and bookmarks), for others we use a collection of smaller tools.”
Scaling security is an important goal for MongoDB
The security team considered several solutions in the market, but found that Snyk’s developer-first approach and automated remediation were important differentiators. Snyk’s quick deployment, ease of use and direct integration with developer workflows and tools like GitHub would help the development team adopt the solution quickly. MongoDB also considered building a security solution internally, but quickly realized that with limited headcount, time and budget, selecting an external tool like Snyk would make their lives easier and allow them to focus on existing development priorities, saving the “hassle and time drain” of building it themselves.
“There’s only a few security engineers at the company, but hundreds of developers; we will never scale with them, so we must proactively enable them.”
Snyk Results: Automation = Time Saved
After automating their open source security process with Snyk, Stuart says “they are never going back” to the slow, manual approach they were taking before Snyk. The MongoDB security team now has a tighter loop from when a security issue is identified in a package, to the time they know about it, to the time they fix it. The MongoDB team has built a streamlined workflow for removing third-party dependency security issues. The automated process makes finding and fixing vulnerabilities significantly faster, so the security team can focus on other priorities.
Monitoring Security Across the Team
The MongoDB security team now has one integrated Snyk dashboard where all stakeholders can view the Snyk repos they care the most about; everyone on the team, across security and development, knows the status of vulnerabilities and risk, at any time. The Snyk dashboard has also become a helpful tool for communicating to the rest of the organization about security challenges and the need for specific resources.
Customer Data Protection
Customers are asking more often to understand how their data is being protected against third-party vulnerabilities. MongoDB is excited to explain how Snyk is tightly integrated into the SDLC to ensure that third-party dependencies are identified and resolved as part of the many steps the team takes to protect customer data and important assets.