The Challenge: Securing open source dependencies
With eight different service offerings spread across various verticals, maintaining visibility into third-party security vulnerabilities is not easy. The company needed a solution that was not only highly usable (to guarantee developer adoption), but also provided sophisticated features for identifying critical vulnerabilities in open source code as it’s implemented and while running in production.
“Over the years, we’ve used more and more open source libraries and frameworks to build our products, but in doing so it’s become apparent that some of these libraries and frameworks have vulnerabilities,” explained Dan Godley, Head of Development at Origo. “We just didn’t have enough confidence we were including packages that were 100% secure.”
The Solution: Integrating Snyk within SDLC
Origo liked Snyk because of how easy it is to use and its ability to play well with current developer tooling. In particular, the company chose to integrate Snyk Open Source into multiple stages of its software development lifecycle (SDLC). Snyk Open Source detects vulnerabilities within third-party dependencies so that Origo can have confidence its services are up to the financial services industry’s security standards.
“What immediately struck me was how easy Snyk is to use, from logging in to setting up integrations with GitHub,” Godley said. “And then just having it scan and seeing the information that came out, bringing in Snyk was a pretty painless experience. It was as simple as a few clicks and keyboard strokes.”
The Impact: Fewer vulnerabilities = happy customers (and developers)
Introducing Snyk into Origo’s SDLC has dramatically improved the company’s security posture with its customers. Even better, developer adoption has been off the charts as teams have lowered the number of vulnerabilities across all of Origo’s service offerings. As a result, Origo can continue to safely deliver solutions that transform its customers.
“When we first started using Snyk, we found that there were a high number of vulnerabilities from third-party open source packages we had been using,” Godley stated. “Over a few weeks, we managed to get this number down to something more reasonable. But the sheer reduction in vulnerabilities we have now compared to only a few weeks or even a month ago is nothing short of incredible.”