The Challenge: keeping up with open source vulnerabilities across the entire software supply chain
The ShopBack Group, Asia-Pacific’s leading shopping, rewards, and payments platform, serves over 38 million shoppers. They work with over 15,000 online and in-store merchant partners, generating over $3.7 billion in annual sales.
ShopBack expanded into financial services last year, launching its ShopBack Pay and PayLater offerings. Around 300 developers across Singapore, Vietnam, and Taiwan work on the platform’s upkeep and growth.
The ShopBack team was concerned about critical open source vulnerabilities such as Log4j. They ultimately needed a way to understand, analyze, and solve their software's open source vulnerabilities but didn’t know where to start.
Dipin Thomas, Engineering Manager, explained, “A vulnerability was introduced in the market, and everyone was working on fixing it. It was very difficult for us to understand and analyze, ‘where are we even vulnerable for it?’ or ‘how can we easily fix it?’”
The Solution: Snyk Open Source
The ShopBack team implemented Snyk Open Source for finding and fixing open source vulnerabilities. After hearing about Snyk through their premium partnership with AWS, they decided to conduct an evaluation with Snyk and a few similar tools. They tested the capabilities of these security solutions by using them on a set of common code bases. Snyk Open Source came out on top because of its pipeline integrations and CLI features.
"The major differentiators were support of GitLab’s private network, easy integration with GitLab CI, and faster results,” said Dipin. “Snyk also has several features available within the CLI. For example, it can filter or target specific vulnerabilities by level, type, or location. Most other tools I’ve used don’t have this filtering mechanism. Instead, they give us the whole report, and then we have to build an engine to filter it out. That's much more cumbersome.”
The ShopBack team also leans on Snyk’s security intelligence, enabling them to stay informed on CVEs, disclosures from their third-party providers, and other pertinent security information.
According to Tao-Sheng Chen, VP of Engineering, “You never know when a new open source vulnerability will get announced. Things are constantly changing, and an app you think is secure today could contain a new vulnerability tomorrow. We’re glad to have a reliable source of information about all of our third-party software, so our developers can be first to know about any critical vulnerabilities.”
Features for finding and fixing vulnerabilities
ShopBack’s developers also appreciate the auto-fix features in the Snyk Open Source platform. Rather than hunting down solutions for every found vulnerability, the developers just click a button to fix the issue in seconds. The team also appreciates this feature’s easy integration with their ecosystem, which includes Node.js and Docker files.
Dipin said, “With the auto-fix feature, the developer doesn’t have to search around and wonder, ‘How do I fix this?’ Instead, they can click on a button, the right patch or upgrade is prepared, and then they just merge it.”
The Impact: Positive results in less than 60 days
Although they’ve only recently implemented Snyk, the ShopBack team has already seen significant results. They’ve gained far more visibility into the security posture of their software supply chain. Because of this, they’ve reduced critical and high vulnerabilities by 16% over 30 days. And in the past two months, they’ve seen a 247% increase in developer adoption of Snyk Open Source to secure their projects.
Now that they have a security solution, the team plans to undergo the ISO certification process. They also hope to evaluate other Snyk solutions in the future.
Tao-Sheng said, “I believe we see success in these beginning stages because the platform is well-integrated into our existing ecosystem. And we look forward to seeing more success as tool adoption continues.”
