Highlights
Lowered the application security risks associated with open source code
Implemented Snyk vulnerability scanning to detect and remediate potential issues
Started proactively fixing issuesbefore vulnerabilities are discovered during pentesting
Detected and remediated Log4Shell across the organization
Improved vulnerability risk posture by 49% over the past 6 months with Snyk
10x increase in critical vulnerabilities fixed in the past 6 months
The Challenge: Reducing the security risks of open source
As one of the largest mobile telecommunications companies in Denmark, Telenor Denmark's team of around 50 developers is responsible for building software solutions for customer-facing web and mobile applications as well as internal middleware systems. While the company had a strong security program already, the team at Telenor wanted to improve their application security efforts around open source code and containers.
“The AppSec challenge is just getting bigger and bigger,”_said Torben Frølund, Senior Manager of DevSecOps at Telenor. “Especially after something like Log4j, it’s becoming obvious to everyone that open source code could pose a risk.”_
The Solution: Implementing Snyk for vulnerability scanning
After speaking with multiple application security vendors, Telenor chose to implement Snyk for open source dependency and container scanning. A key deciding factor was the reputation Snyk has for being a developer-friendly security tool that development teams want to use.
“It’s one thing to buy the security product,”_Frølund said. “But it’s even more important to actually get the developers to embrace it and use it. In order to make use of the scanning tool on a daily basis, you need to get all the developers involved.”_
The first step was just getting an overview of the current application security posture. Snyk’s integrations with Bitbucket and Jira helped Telenor quickly get the tool up and running so that development teams could begin scanning for vulnerabilities as part of their workflows. Snyk's free integration with Bitbucket makes it easy for Telenor Denmark's developers to build, test, and release secure software faster.
Then Telenor focused on fixing the highest severity issues that were discovered in their code. Snyk gives priority scores to vulnerabilities based on CVSS score, exploitability, and other factors to help development teams resolve potential high-risk issues more efficiently. As these were being resolved pre-production in code, they did not pose an imminent risk. The Jira integration also makes it easy to produce tickets for each issue to track the progress of remediation.
Visibility into exposure to the Log4Shell vulnerability
In December 2021 the critical vulnerability Log4Shell was discovered by experts as a potential threat to millions of applications and devices across the world. Organizations globally needed to take swift action to identify and remediate issues. This incident became one of the first cases where Snyk proved its worth to Telenor. The challenge is that many libraries like Log4j are indirect dependencies for applications, so they’re more difficult to identify within large code bases.
For example, Telenor was using Log4j in many places, including within data lakes and other systems. Although only the development team in Ukraine was using Snyk at the time, Frølund’s team decided to scan all the code repositories within Bitbucket – many of which hadn't been onboarded to Snyk yet — to find additional instances of Log4j. This helped Telenor detect and mitigate Log4Shell across the organization.
“The security department sent us information about Log4Shell immediately after it went public,”_Frølund explained. “Once you know there’s an issue like that, it’s useful to be able to actually scan your code and get a quick overview of the many places where Log4j is used.”_
The Impact: Proactively improving application security posture
By integrating Snyk into the development process, Telenor has been able to proactively fix potential security issues before they become an urgent vulnerability discovered later during pentesting. In fact, Telenor has been able to improve its risk posture by about 49% based on the number of vulnerabilities found and fixed, while also achieving a 10x increase in critical vulnerabilities fixed.
In the future, Telenor hopes to continue integrating Snyk more deeply into its development processes and better educate developers about using the tool. This will encourage development teams to consider vulnerability remediation as part of their bi-weekly sprint planning process.
“We weren’t tracking our mean time to fix issues before Snyk, but it was significantly longer for sure,”_concluded Frølund. “It’s been a huge improvement now that we’ve been able to reduce that.”_
