- Implementing DevSecOps without slowing down development
- Integrating scanning directly in the developers’ IDE
- Secure Infrastructure as Code early in development
- Gaining enterprise-level visibility into source code and open source dependencies
- Saving developers time through automated vulnerability scanning
- Ensuring compliance with healthcare regulations
The Challenge: Open source vulnerabilities caused a manual security bottleneck
Natera had many security practices in place, but these required developers to manually sift through pages of false positives. Quickly developing data-driven insights is key to business success, so they sought to adopt new security practices to help automate application security and quality assurance within the software development life cycle (SDLC). This required new tooling for vulnerability discovery and management within their open source code, custom code, infrastructure, and containers. With a team of over 200 developers working on multiple projects, Natera needed a comprehensive DevSecOps approach that could be adopted across teams easily.
“We were doing manual reviews. We would get the pull request, then try to assign people to the issues. Security was just a bottleneck,” said Charlotte Townsley, Natera’s Director of Security Engineering. “I wanted to build out and normalize security preparedness. We needed security by design and full-engineering adoption throughout the SDLC, so we needed to increase collaboration, awareness, skills, and tooling. That would translate into a lot of value for the organization.”
The Solution: Enabling security for the whole application development process
When searching for a solution, Natera considered multiple products, including Snyk, SonarQube, Blackduck, and Veracode. The evaluation showed the Snyk Cloud Native Application Security Platform to be the most developer-focused, useful, and actionable, allowing for seamless adoption and quick integration. The platform empowers developers to own security for the whole application, from code and open source to containers and cloud infrastructure.
“We picked Snyk because it fits the organization and the goals we have,” said Townsley. “It’s well designed, easy to use, and straightforward for the engineering team. The suite was well designed for looking at dependencies, custom code, containers, and Infrastructure as Code. It’s all there.”
Snyk Code enables early development vulnerability fixes
Natera wanted to ensure the entire development team could take ownership of security. This vision required static application security testing (SAST) to enable vulnerability awareness as early as possible in the workflow. Natera found that other SAST tools were limited by lengthy scan times and poor accuracy. Snyk Code, however, is designed to deliver efficient and actionable suggestions for vulnerability fixes as developers write code in their native interface prior to deployment.
“It was an easy decision to make. We looked at a few other tools, and I couldn’t find anything that gave us the same sort of scanning unless we had deployed or were in pre-deployment. There was just nothing that I could compare it to.”
Integrating with the IDE for custom and open source code security
Using Snyk’s plugin for the JetBrains IntelliJ IDE, the security team at Natera was able to integrate security seamlessly into engineering workflows. Within the developer’s preferred environment, Snyk natively scans the engineering team’s repositories to detect vulnerabilities in their application source code and Java open source dependencies. By analyzing and validating their code as they write it, developers can catch issues early in the build and remediate them quickly and efficiently themselves.
“I want everybody to see security as their partner and something that enables them,” said Townsley. “And having something early in the lifecycle truly does that. So we start with the IDE implementation and integrate with the repositories. This helps us understand the context around security vulnerabilities in our dependencies, helping us make informed decisions.”
Snyk Container empowered developers to immediately fix crucial vulnerabilities
Since Natera relies on containerized application elements, the engineering team has a number of container images in production. Container vulnerabilities could threaten compliance with healthcare regulations, so the security team sought to prevent developers from using certain images from the registry. The team chose to use Snyk Container to help gate unwanted images and remediate vulnerabilities within their approved containers.
“I was really happy to have container scanning before runtime production,” Townsley said. “People weren’t paying attention to the vulnerabilities in containers, so it has been eye-opening for the organization. It truly increases awareness of those vulnerabilities and enables more automation. It’s more in line with that quality improvement mindset that the engineering teams have in their CI/CD practices.”
Snyk IaC empowers greater visibility into repositories
Infrastructure as Code was the last piece of Natera’s DevSecOps puzzle. Delivering and protecting data insights for DNA results, Natera relies on multiple infrastructure configurations to support its applications. Snyk IaC empowers developers to secure their configurations and build best practices into their workflows. This approach to rolling out Snyk’s products aligned with Natera’s goal of integrating security foundations across its entire development lifecycle.
“We wanted comprehensive coverage to help us find issues that could result in infrastructure vulnerabilities in the runtime environment,” Townsley said. “These weren’t even getting manually reviewed. So Snyk was a great way for us to get visibility into all the different IaC repositories.”
The Impact: Examining the full spectrum of security vulnerabilities
Natera was able to implement security processes and policies that cause minimal interruptions to developers. Snyk integrates into their build process and helps prioritize vulnerabilities to accelerate remediation. This way, Natera has gained complete visibility and improved software quality without delaying the time to market for innovative features their customers want.
“Snyk has had a big impact on our organization. We truly weren’t doing anything like this before. So having a tool that looks at the full spectrum of security vulnerabilities in our custom code, dependencies, containers, and IaC has been like a buffet that no one here has ever eaten from before.”
Achieving code compliance without friction
Since implementing the Snyk platform, Natera can now tie the information they’re gathering to specific security policies and have irrefutable proof that they’re scanning for potential violations. This audit trail is critical for maintaining their compliance with healthcare industry regulations and data privacy laws such as FDA, HIPAA and SOC 2.
“We’ve all been impressed with how well Snyk Code addresses the FDA’s quality system requirements,” said Townsley. “We have very active champions who find it’s easy and much faster to use. More importantly, unlike other tools that produce pages of false positives, Snyk moves quickly and shows real issues.”
Automating to remove vulnerabilities entirely from applications
Natera has rolled out Snyk for the entire team, focusing on enabling 40 security champions who lead these efforts and will soon train the remaining team members. With Snyk, Natera’s champions and security team have enabled an engineering-centric approach to security without slowing down deployment. The platform’s automated tools detect security vulnerabilities before code gets merged, so that Natera’s engineering teams know that security has been validated before the application ever gets to staging or production environments.
“We’ve built Snyk into a process and we’re moving towards automation,” said Townsley. “And we’re moving towards gating vulnerabilities entirely. We want to get to the point where everything is DevSecOps. We’ll soon have things tuned to where that works very well for us, rather than the inconsistent and manual processes we relied on prior to Snyk.”