The Challenge: Need for efficient security processes to support growing scale
Over the past few years, Smartsheet has more than doubled its employee count. As Smartsheet grows, its engineering team is working to future-proof its security practices and defend the platform against security threats. As operations scale, developers need to secure products as easily and efficiently as possible by leveraging application security automation.
“We are doing a lot of software development. So we have the challenge of maintaining the open source code that we're using has the proper security and risk management in place,” said Chris Peake, CISO at Smartsheet. “But we also have the other side of it, which is the licensing, both from a legal perspective and also from a security perspective.”
Smartsheet sought to automate vulnerability scanning and license management of their open source code to empower developers to manage security while meeting the scale of software creation. To do this, developers needed a tool that could automatically flag issues at the right time with the right contextual insights, empowering them to make quicker decisions and keep the company secure.
“Building a developer-first security tool we could use to drive developer action was not realistic for our small team to attempt,” said Jason Bubolz, Principal Security Engineer, Smartsheet. “Snyk enables us to drive developer action by providing the threat intelligence and offering the fixes we need automatically.”
The Solution: Efficient security, developer-first
When searching for a solution, Smartsheet evaluated four products, including Snyk, Whitesource, Blackduck, and Veracode. The evaluation proved Snyk Open Source to be the most developer-focused, useful, and actionable, allowing for seamless adoption and quick integration. The Smartsheet team was also impressed with Snyk’s ability to present actionable remediation options to the developer.
“Snyk’s vulnerability database is the most comprehensive and detail-oriented option available,” said Bubolz. “For an engineer trying to do security well, Snyk offers a superior solution for every point in the software development lifecycle. We now provide an engineer with tooling at the time they're making decisions, giving them the information that they can just act on. That is the value I continue to see in Snyk.”
Snyk identifies the minimal upgrade required to clear a vulnerability and notifies when there is a risk of breaking the code. These accurate and timely results are crucial to Smartsheet as the company shifts to empower the development team to own security decisions without leaning on the security team.
Snyk Container: Empowering developers to prevent vulnerabilities
Smartsheet knew they needed to create a frictionless experience for developers to improve container security. That’s why they integrated Snyk Container into their existing development workflows. Because Snyk Container works across the entire SDLC, it helps Smartsheet to fix issues early by identifying priority vulnerabilities before the container goes into production.
“Our developers use feedback from Snyk to determine whether they should choose a particular base image at the very beginning of their development process,” Bubolz said. “That gives them a clear signal before it costs them a lot of time to make a different choice.”
The Snyk API: Automating data management and administration
When Smartsheet evaluated security scanning tools, the company looked at the APIs of several options and found Snyk's the most straightforward to implement. The Smartsheet team leveraged the Snyk API to automate data reporting from multiple projects and to manage administration for hundreds of GitHub repositories every month.
“I needed data to automatically feed into another system that will take action on my behalf,” said Bubolz. “There's one of me, but there's more than 400 devs who are committing code every day at Smartsheet. The Snyk API tells me when I have a new repository or ownership has changed. Without an effective API, we wouldn’t have been able to use any security scanning product.”
The Impact: Eliminated vulnerabilities almost immediately with Snyk’s developer-first approach
Thanks to the close, collaborative approach Snyk takes when onboarding new customers, Smartsheet was able to make the program successful from day one. Snyk took the time to understand how their tool fit into the larger ecosystem of the company, getting it integrated into every single continuous integration (CI) pipeline.
“Even before they fully integrated Snyk, it was already achieving its purpose,” said Bubolz. “After the application emailed our developers, they found it easier to just solve issues right away, which has made them even more eager to roll up their sleeves and handle security themselves.”
Ease of implementation meant a smoother transition to developer security responsibility
Snyk’s quick onboarding process meant Smartsheet could immediately begin work without unnecessary strain on its security and development teams. Because Snyk is used throughout the entire SDLC, engineers are now presented with problems they can solve rather than a series of bugs they’d have to comb through and find solutions for on their own. Snyk hands over security issues along with the needed context, and developers are empowered to make the vast majority of the fixes on their own, in some cases just by clicking a button.
“We're getting better outcomes,” Bubolz said. “Our teams are even more prepared to focus on security than they already were.”
Reduced legal burden with open source license management
Prior to the Snyk implementation, Smartsheet’s legal team had a significant challenge tracking which licenses were being used across dependencies in Smartsheet’s products. Snyk provided the legal team and developers with complete visibility into any licensed code in their projects from a single place. This allowed them to maintain a rapid pace of development while remaining compliant with open source software licensing and other requirements.
“The legal team was thrilled that they could actually keep an eye on what open source products we’re using,” Peake said. “They had to manually maintain that list previously, and it was quite a bit of work. A single pane of glass is a great benefit and adds to the value that the team is getting out of Snyk today.”