The Challenge: accelerate and scale an arduous security process
As a rapidly expanding company, Revolut no longer has the bandwidth to manually review each and every open source library. Currently, the company works on hundreds of different repositories, each with its own dependency, in a continuous integration environment. These daily strains on the DevOps team were resulting in decreased productivity with more and more time spent in minutia. They needed a solution that could work as quickly as they could scale, while also providing them with complete real-time visibility.
Additionally, considering Revolut operates in the digital banking industry, it’s especially crucial for them to achieve PCI compliance, but also keep that compliance as standards evolve and change every year. Recently, PCI requirements were updated to include securing open source dependencies and integrating security to the development process. So while Revolut already had PCI compliance, they needed to find a solution that would ensure they stayed compliant with any new requirements, especially those around open source.
The Solution: finding a reliable and efficient partner that can improve over time
As Revolut focuses on growth and servicing customers, the team needed a platform and support team that could be a reliable and efficient partner. Upon implementing Snyk, Revolut saw immediate results.
“Snyk was the only vendor that actually achieved all the success criteria, improving their product at the very same time,” said Evangelos Deirmentzoglou, Interim Head of Security at Revolut. “And during that time that we were constantly in communication.”
Snyk was also able to integrate into Revolut from a cultural perspective, providing constant support and a genuine passion for building the best possible platform and resolving technical issues and requests as quickly as possible.
Visibility to real-time security status is a key
As a fintech company, Revolut works with highly critical software where it’s imperative to have visibility into open source libraries. Snyk’s ability to monitor throughout the SDLC allows Revolut to identify and fix crucial issues as soon as they appear.
From my perspective it’s all about visibility. Even if you don’t have the ability to fix something, you are always aware of the current state,” said Evangelos Deirmentzoglou. “But so far, we’ve identified and fixed some very critical issues which is very important.”
The Impact: Quick developer adoption and compliance to the updated PCI standards
Snyk’s proven record as a developer-friendly tool was an added benefit for the Revolut team. As was Snyk’s reputation in the industry, with many of Revolut’s developers already familiar with and eager to use the platform. Thanks to Snyk’s ability to integrate with a variety of different development tools, it’s easy for developers to get the information they need in order to make necessary fixes.
I had developers coming to me, asking to give them access to the platform so they can monitor and patch their projects. We have automated the monitoring process with Slack integration, now developers get an alert on Slack for vulnerabilities in their project. So that is a huge benefit for the team,” said Evangelos Deirmentzoglou.
As a fintech company dealing with sensitive, private information, Revolut must keep to specific standards. Snyk implementation ensures the company’s ability to protect the core infrastructure and maintain PCI compliance among others.
“We get audited all year long. By using Snyk, we can say we’ve secured our open source pipeline,” said Evangelos Deirmentzoglou. “So it’s not just about improving our security exposure but also supporting our compliance efforts.
Revolut’s approach to managing security has improved as well with the implementation of Snyk. When faced with multiple vulnerabilities, it’s easy to get carried away and want to fix every issue as soon as it’s identified. But this time consuming approach doesn’t allow for teams to understand which issues are higher priority than others. Snyk’s platform ensures the team is able to view a holistic picture of the entire infrastructure, meaning engineers can easily identify exactly which of these issues are both fixable and impact the entire system so they can be fixed immediately. Knowing when and where to fix issues resulted in Revolut seeing decreased vulnerabilities across the board.
As for the advice Revolut gives to companies searching for open source security solutions?
“Choose a vendor like Snyk who is as keen to solve a problem as you are.”