The Challenge: Achieving comprehensive security coverage
With around 1,500 applications and several thousand projects, however, scaling security is not simple. The company needed a security solution that was not only highly usable (to guarantee developer adoption), but that also offered sophisticated features for efficiently managing security efforts throughout the organization.
“We wanted a solution for providing metrics on the amount of applications that we scan versus the total number of applications that we have so that we can know our overall security coverage,” stated Simon Wilkins, Application Security Analyst at Overstock. “Efficiency is another big factor. We want to be able to perform an action across all of our projects that relate to a particular application simultaneously to save time.”
The Solution: Streamlining security efforts with project tagging
Overstock chose Snyk because the platform’s robust API and tagging capabilities were a great fit for increasing security coverage across thousands of projects. Now the company can easily manage its security scanning processes through centralized API calls, which is much faster than doing so manually for each project.
Project tagging is a Snyk feature that was released in 2020 to help organizations sort, filter, and bulk-edit multiple projects via the Snyk API. Rather than performing actions one at a time through the platform interface, users can automatically make changes and pull metrics across all projects that have a particular tag. Overstock uses many different tagging criteria, like project owner or deprecation status, to efficiently sort and manage its various applications.
“If you are working with dozens, hundreds, thousands, or hundreds of thousands of projects, trying to find that single project is like trying to find a needle in a haystack,” explained Waleed Arshad, Product Manager at Snyk. “So what you need to do is be able to group and work in bulk and really filter down into those projects in whichever way you want to.”
How Snyk’s API Enables Security Scaling
Snyk addresses the challenges of scale with its robust API that integrates with development workflows, enhanced reporting capabilities for efficient remediation, project tagging to manage security across numerous projects, and many other developer-friendly features.
The Snyk API can fully automate existing end-to-end processes at scale. Through the API, companies can onboard engineering teams by creating integration settings and inviting users. Once users are onboarded, engineers can use the Snyk API to integrate with their source code management (SCM) and other developer tools. Moreover, running a cron job on these API endpoints will ensure the Snyk platform includes the most up-to-date set of teams and projects at all times.
Companies can also scale the visibility of their security efforts using the Snyk API. There are extensive audit logs within the API to track usage and other key metrics. The reports API also allows organizations to pull in-depth information, such as remediation statistics, recommendations for issue prioritization, ROI, and SLA compliance.
“You need to make sure that you consistently support the right parts of your organization, and reporting will help with that,” stated Arshad, “because you can monitor exactly what the remediation states look like across your organization and really support the areas that need it the most.”
In addition, Snyk includes project attributes and security policies options. A security policy is a custom set of rules that prioritizes or de-prioritizes vulnerabilities to better match the organization’s risk preferences. Organizations can automatically apply these policies to certain projects based on attributes to achieve granular control over their security at scale.
The Impact: Security made manageable
With Snyk’s API and tagging capabilities, Overstock saves enormous amounts of time when it comes to security. Along with eliminating time-consuming administrative efforts, Overstock plans to expand their use of Snyk’s tagging features to centralize their security scanning processes even further and achieve a security approach that scales consistently with company growth.
“The new tagging feature has taken the Snyk API to the next level, just being able to do all these things in bulk now,” Wilkins concluded, “So it’s definitely a feature that everybody is going to get on board with quickly.”