The Challenge: Introducing security into the SDLC
Pearson's IT team knew they needed to prioritize development security to maintain their reputation as a trusted education brand in the digital age. That’s why the company formed a team tasked with introducing security best practices into the full software development lifecycle (SDLC).
“There was already a DevOps transformation underway,” stated Nicholas Vinson, DevSecOps Lead at Pearson, “and they knew they wanted to shift left and design-in security, but they wanted to create a team with the capability to do that and that’s what we were brought in to do.”
The Solution: Enabling developers to take ownership of security themselves
Pearson’s newly formed security team had just six members, so it wasn’t feasible for them to handle all of the security work themselves across 300 development teams. That’s why Pearson needed a solution that would enable developers to take ownership of security themselves. For this, the company chose to implement dependency scanning at scale across numerous applications worldwide using Snyk.
“With a security team of only a handful of engineers, it’s not practical for us to configure and maintain Snyk for each of these teams,” explained Paul Graziano, DevSecOps Engineer at Pearson. “So we needed an approach and solution which scales and is self-sufficient. Development teams also have a range of skills and experience in software development and DevOps maturity, so our approach needed to be as simple as possible.”
Snyk’s developer-first approach made the platform a good choice for Pearson. Snyk’s ability to integrate with numerous dependency management tools was critical for rolling out the platform across hundreds of applications with different tech stacks. Moreover, since Snyk could fit seamlessly into development teams’ automated CI/CD pipelines, it was easier to get developer buy-in for the new DevSecOps approach.
Making DevSecOps a Reality
The DevSecOps team prioritized the self-service approach, meaning they ensured developers had everything they needed to integrate Snyk with their team’s specific tooling. By collecting onboarding requests through Microsoft Forms, the security engineering team had all the information it needed readily available to onboard new developers to the platform quickly. They also created training videos to help Pearson’s developers understand what dependency scanning is, how to use it, and how to interpret the results.
Once developers were able to use the platform, the DevSecOps team wanted to make sure they knew how to resolve issues quickly as well. Snyk’s automated remediation feature prioritizes vulnerabilities to minimize the actions developers need to take to fix them. This helps reduce the risk exposure Pearson faces from outdated dependencies, newly discovered security vulnerabilities, and licensing issues.
“It can be a bit daunting when teams log into Snyk and see hundreds of vulnerabilities,” explained Graziano, “so we encourage teams to look at the remediations rather than the individual issues. You can have 20-30 vulnerabilities which are fixed with just one dependency upgrade. This is easier for teams to action.”
The Impact: Achieving DevSecOps at scale
The Snyk platform now makes it straightforward for the security team to track useful metrics across all development projects, which enables company-wide self-service security with centralized oversight. That way, the security engineers can ensure development teams are making progress with detecting and resolving issues without having to get directly involved with each team themselves.
“Continuous improvement is important in everything we do,” Vinson said. “We don’t want to stand still. We’re always looking to review, learn from what we were doing, and then improve it.”
While Pearson has achieved DevSecOps at scale across its development teams, the company also understands that the processes and documentation they’ve put in place need to continually evolve to reflect the issues the organization will face in the future. With the help of trusted partners like Snyk, Pearson hopes to continue developing and refining its DevSecOps methodologies into the future.
“The benefit of partnering with a vendor versus an open source alternative is that we can influence their roadmap and suggest features that make our life easier,” Graziano stated. “An example of this is a group policy feature being introduced by Snyk. The next level of maturity after pipeline integration is to have quality gates in the build pipeline to centrally manage the policies for when to block a build, which will be very useful when available.”
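The two practices described above, looking at remediations rather than individual issues (one dependency upgrade closing many findings) and a central policy for when a build should be blocked, can be illustrated with a small grouping routine. This is an added example, not Pearson's or Snyk's code, and it does not use Snyk's data schema: the `Finding` shape, the vulnerability IDs, the package versions and the `build_should_block` policy are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

# Severity ranking used both for ordering remediations and for the build gate.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    """One vulnerability report against one installed dependency.
    Constructed shape for this example, not a scanner's real schema."""
    vuln_id: str
    package: str
    installed: str
    fixed_in: Optional[str]  # None when no fixed release exists yet
    severity: str


@dataclass
class Remediation:
    """A single dependency upgrade and every finding it resolves."""
    package: str
    from_version: str
    to_version: str
    findings: list = field(default_factory=list)

    @property
    def max_severity(self) -> str:
        return max(self.findings, key=lambda f: SEVERITY_RANK[f.severity]).severity


def parse_version(v: str) -> tuple:
    """Dotted numeric versions only; sufficient for the sample data below."""
    return tuple(int(part) for part in v.split("."))


def group_by_remediation(findings):
    """Collapse findings into upgrade actions: one action per installed package,
    targeting the highest 'fixed in' version so every finding on that package
    is resolved by a single upgrade.
    Returns (remediations sorted by impact, findings with no fix available)."""
    by_package = defaultdict(list)
    unfixable = []
    for f in findings:
        if f.fixed_in is None:
            unfixable.append(f)
        else:
            by_package[(f.package, f.installed)].append(f)

    remediations = []
    for (package, installed), fs in by_package.items():
        target = max((f.fixed_in for f in fs), key=parse_version)
        remediations.append(Remediation(package, installed, target, fs))

    # Actions that close the most findings first; ties broken by worst severity.
    remediations.sort(
        key=lambda r: (-len(r.findings), -SEVERITY_RANK[r.max_severity], r.package)
    )
    return remediations, unfixable


def build_should_block(findings, block_at: str = "high") -> bool:
    """Central policy (hypothetical): fail the pipeline if any finding is at or
    above the block_at severity."""
    threshold = SEVERITY_RANK[block_at]
    return any(SEVERITY_RANK[f.severity] >= threshold for f in findings)


# Constructed sample findings; IDs and versions are illustrative, not real advisories.
SAMPLE_FINDINGS = [
    Finding("VULN-0001", "lodash", "4.17.15", "4.17.19", "high"),
    Finding("VULN-0002", "lodash", "4.17.15", "4.17.21", "medium"),
    Finding("VULN-0003", "lodash", "4.17.15", "4.17.20", "high"),
    Finding("VULN-0004", "minimist", "1.2.0", "1.2.6", "critical"),
    Finding("VULN-0005", "example-parser", "0.9.1", None, "low"),
]

if __name__ == "__main__":
    actions, no_fix = group_by_remediation(SAMPLE_FINDINGS)
    for r in actions:
        print(f"upgrade {r.package} {r.from_version} -> {r.to_version}: "
              f"fixes {len(r.findings)} finding(s), worst {r.max_severity}")
    for f in no_fix:
        print(f"no fix yet: {f.package} {f.installed} ({f.vuln_id}, {f.severity})")
    print("block build:", build_should_block(SAMPLE_FINDINGS))
```

On the sample data the three lodash findings collapse into one upgrade to 4.17.21, which is the view a team sees when it sorts by remediation instead of by issue; the finding with no fixed release is reported separately so it can be tracked rather than silently dropped, and the gate function is where a central team would set the severity at which a build fails.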