The Challenge: Gaining visibility into open source packages
ROLLER offers a cloud-based platform that enables leisure and entertainment businesses to operate more effectively and deliver better Guest Experiences. This includes features for point of sale, booking and event management, customer relationship management, and more.
As ROLLER’s platform matured, its use of open source dependencies grew rapidly across more than a dozen microservices and sub-applications. The company recognized that it needed a streamlined security process for auditing vulnerable packages and upgrading or replacing them.
“A business with rapid development accelerates the number of packages and open source software that gets used to achieve those goals,” stated Sean Fernandez, CIO at ROLLER. “It became pretty difficult to point to a simple dashboard and ask ‘where are our vulnerabilities and what should we target?’”
The Solution: Automating dependency scanning using Snyk
When ROLLER began looking for a way to streamline its open source vulnerability management, the ability to automate the process was critical. By adopting Snyk Open Source, ROLLER was able to integrate dependency scanning into its continuous integration and continuous delivery (CI/CD) pipeline, starting with a connection to Bitbucket Cloud.
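The case study does not show ROLLER’s pipeline definition, so the following is an added, hypothetical Bitbucket Pipelines configuration illustrating the kind of integration described above: run the Snyk CLI as a gated CI step so that a build fails when a dependency carries a known vulnerability at or above a chosen severity, and record a dependency snapshot with `snyk monitor` so newly disclosed issues are reported without a new commit. It assumes a Node.js project and that `SNYK_TOKEN` has been stored as a secured repository variable in Bitbucket; the project layout and severity threshold are assumptions, not details from the page.

```yaml
# bitbucket-pipelines.yml
# Hypothetical example, not ROLLER's actual configuration.
# Assumes a Node.js project and a secured repository variable SNYK_TOKEN
# (the Snyk CLI reads that variable automatically for authentication).
image: node:18

definitions:
  steps:
    - step: &snyk-scan
        name: Snyk Open Source scan
        caches:
          - node
        script:
          - npm ci
          - npm install -g snyk
          # Fail the build on known vulnerabilities at or above the threshold.
          # Start at "high" to clear the backlog; tighten to "medium" once the
          # baseline is clean. Valid values: low, medium, high, critical.
          # --all-projects scans every supported manifest in the repository.
          - snyk test --all-projects --severity-threshold=high
          # Upload the dependency snapshot so Snyk alerts on vulnerabilities
          # disclosed later, even when no new commit triggers a pipeline run.
          - snyk monitor --all-projects

pipelines:
  # Pull requests: block the merge, but do not record a snapshot for a branch
  # that may never ship, so only the test step runs here.
  pull-requests:
    '**':
      - step:
          name: Snyk Open Source scan (PR)
          caches:
            - node
          script:
            - npm ci
            - npm install -g snyk
            - snyk test --all-projects --severity-threshold=high

  # Default branch: gate the build and keep the monitored snapshot current.
  branches:
    main:
      - step: *snyk-scan
```

Because the gate is keyed to the severity threshold, the same pipeline can later be pointed at the critical-severity category mentioned at the end of the case study by switching the flag to `--severity-threshold=critical` for a first pass, then lowering it as that category is cleared.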
“There were packages that had existed for years that potentially hadn’t been updated,” explained Fernandez. “We wanted to know if they were vulnerable and whether we should put the effort into upgrading them.”
In addition, the Snyk Intel Vulnerability Database was invaluable for ROLLER’s development team. The database, curated by Snyk’s Security Research Team, enriches vulnerability data gathered from numerous public sources. More importantly, it presents that data in a way that makes it easier for developers and other non-security professionals to understand how a specific vulnerability is exploited and how to remediate it.
“We’re all very technical, but we’re not security specialists,” Fernandez said. “We like the fact that the vulnerability information is delivered with simple markdown language where you can see exactly how the exploit works.”
Simplifying PCI compliance requirements
Payment card industry (PCI) security standards require organizations that handle card data to identify and rank vulnerabilities in the software they run, third-party components included, and to keep that software patched throughout its lifecycle. Snyk helped ROLLER meet these requirements for security controls around vendor packages by automating the inventory and vulnerability checks rather than performing them by hand.
“Even with a small project that has 16 packages, you’d have to go through each one of the open source packages to see if there’s an issue,” explained Fernandez. “It was far easier to get Snyk to scan through them.”
The Impact: Improving security posture of the cloud platform
After implementing Snyk, ROLLER reduced its high severity vulnerabilities by nearly 80%. In addition, the company’s developers now vet open source packages more carefully before adopting them, because they know Snyk will flag known vulnerabilities in any new dependency they introduce into the codebase.
“Snyk gives all engineers a baseline of what security should be,” Fernandez said. “If they’re looking at a package online that’s beta or has complaints, it’s not going to get approved by Snyk. So the developers have started to think more proactively about security.”
As ROLLER’s platform continues to mature, the company’s development team is shifting to a more forward-thinking approach, where secure development is just as important as rapidly delivering new features. While ROLLER has achieved a baseline security posture it’s comfortable with, the company’s next priority is to target the new critical vulnerability category Snyk has recently rolled out. Eliminating the vulnerabilities that Snyk identifies as critical severity will enable ROLLER to make an immediate impact on its platform’s risk profile.
“When we’ve talked to customers during the vetting process, they often didn’t expect that what we do with Snyk was possible,” stated Fernandez. “They’re usually writing notes about how they can implement this in their own system, as well.”