Protecting code using Snyk Open Source and Snyk Container

Highlights

●  Reduced risk exposure of Telegraph Media Group’s platform and media portfolio
●  Mitigated third-party dependency issues with Snyk Open Source
●  Secured containerised architecture using Snyk Container
●  Gained greater confidence in the overall security posture of the company

The Challenge: Protecting The Telegraph’s platform & content

Over the years, Telegraph Media Group has grown its media portfolio to include several websites, mobile apps, print titles, and more. This multi-platform digital approach leverages a microservices architecture for sharing data and content amongst internal systems and third parties. Since content is Telegraph Media Group’s greatest asset, the company knew that prioritising the security of its platform and API was crucial.

“As a major media publisher one of TMG’s top priorities is a secure website and code,” stated Ciro Rizzo, Head of Engineering. “Together with our security team, we wanted to make sure that all the code that we produce was protected from any potential issues.”

The Solution: Integrating Snyk with automated CI/CD pipeline

Telegraph Media Group wanted to ensure all internal software development follows security best practices. That’s why the company chose to integrate Snyk Open Source into its continuous integration and continuous delivery (CI/CD) pipeline. Snyk Open Source detects vulnerabilities within third-party dependencies so that the TMG can have confidence that its services are up to the company’s security standards.

“A product like Snyk helps us to identify areas of our services that are potentially exposed to threats from external actors,” Rizzo explained. “As part of our digital transformation, our development team works together with the security team to keep our software in a good security state. And now that Snyk is part of our CI/CD pipeline, security checks are always done earlier during development.”

Since TMG’s platform and APIs are almost entirely containerised services running on Kubernetes in the cloud, the company uses Snyk Container as well. Snyk Container checks that Docker images, and even the Dockerfiles themselves, are secure before any microservice is deployed into production. Snyk can also monitor newly deployed Kubernetes workloads to detect misconfigurations or potentially unsafe cluster settings.

Prioritising vulnerability mitigation

While the initial scan results from Snyk could be overwhelming for some organisations, the tool aims to reduce the effort involved in issue remediation by classifying vulnerabilities by severity. This helped the TMG take an iterative approach to mitigating issues, so that the company could efficiently improve its application security with each successive code release.
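To make the CI/CD gate and the severity-first prioritisation described above concrete, here is an added example in Python; it is not Snyk’s, TMG’s, or this case study’s code. It reads a report in the shape this example assumes for `snyk test --json` and `snyk container test --json` output (a `vulnerabilities` list whose entries carry `severity`, `id`, `packageName`, `version`, `isUpgradable` and `fixedIn`; the sample report and its IDs are constructed), orders findings highest severity first with upgradable issues ahead of those that need a workaround, and applies the same pass/fail decision a pipeline step would get from `--severity-threshold`. The field names and threshold semantics are assumptions to verify against the CLI version in use.

```python
"""Prioritise and gate on a Snyk-style vulnerability report.

Added example, not Snyk's or TMG's code. The report shape mirrors the
top-level fields this example ASSUMES for `snyk test --json` and
`snyk container test --json`; check them against your CLI version.
"""
import json
from collections import Counter

# Higher number = more urgent. Order of work follows this ranking.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# Constructed sample report: a made-up stand-in for what a CI job would
# capture with `snyk test --json > report.json`. IDs, packages and titles
# are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({
    "ok": False,
    "vulnerabilities": [
        {"id": "SNYK-EXAMPLE-0001", "title": "Example prototype pollution",
         "severity": "high", "packageName": "example-lib", "version": "1.2.0",
         "isUpgradable": True, "fixedIn": ["1.2.4"]},
        {"id": "SNYK-EXAMPLE-0002", "title": "Example ReDoS",
         "severity": "medium", "packageName": "example-regex", "version": "0.9.1",
         "isUpgradable": False, "fixedIn": []},
        {"id": "SNYK-EXAMPLE-0003", "title": "Example RCE in transitive dep",
         "severity": "critical", "packageName": "example-transitive",
         "version": "3.0.0", "isUpgradable": True, "fixedIn": ["3.0.1"]},
        {"id": "SNYK-EXAMPLE-0004", "title": "Example info leak",
         "severity": "low", "packageName": "example-log", "version": "2.1.0",
         "isUpgradable": False, "fixedIn": []},
    ],
})


def load_vulns(report_json: str) -> list[dict]:
    """Parse a report and return its vulnerability entries (empty if none)."""
    return json.loads(report_json).get("vulnerabilities", [])


def count_by_severity(vulns: list[dict]) -> dict[str, int]:
    """Counts per severity, with every level present so runs are comparable."""
    counts = Counter(v["severity"] for v in vulns)
    return {level: counts.get(level, 0) for level in SEVERITY_RANK}


def prioritise(vulns: list[dict]) -> list[dict]:
    """Highest severity first; within a level, issues with an available
    upgrade before those needing a workaround, so the quickest risk
    reduction is at the top of the roadmap."""
    return sorted(
        vulns,
        key=lambda v: (-SEVERITY_RANK.get(v["severity"], 0),
                       not v.get("isUpgradable", False),
                       v["id"]),
    )


def gate(vulns: list[dict], threshold: str = "high") -> bool:
    """CI gate: True (pass) when nothing at or above `threshold` remains.
    Assumed to mirror the effect of `--severity-threshold=<level>` on the
    CLI exit code, applied here to an already captured report."""
    floor = SEVERITY_RANK[threshold]
    return not any(SEVERITY_RANK.get(v["severity"], 0) >= floor for v in vulns)


def remediation_plan(vulns: list[dict]) -> list[str]:
    """Human-readable, prioritised list for the engineering roadmap."""
    lines = []
    for v in prioritise(vulns):
        if v.get("isUpgradable") and v.get("fixedIn"):
            fix = f"upgrade {v['packageName']} to {v['fixedIn'][0]}"
        else:
            fix = (f"no upgrade for {v['packageName']}@{v['version']}; "
                   "needs workaround or risk acceptance")
        lines.append(f"[{v['severity'].upper()}] {v['id']}: {fix}")
    return lines


if __name__ == "__main__":
    found = load_vulns(SAMPLE_REPORT)
    print("Counts:", count_by_severity(found))
    for line in remediation_plan(found):
        print(line)
    passed = gate(found, "high")
    print("Gate (high):", "PASS" if passed else "FAIL")
    # Non-zero exit fails the pipeline step, as a CI gate should.
    raise SystemExit(0 if passed else 1)
```

In a pipeline the same gate is normally applied by the CLI itself (`snyk test --severity-threshold=high` exits non-zero when findings at or above the threshold exist), while the prioritised list is what the security and engineering teams work through release by release; keeping the threshold in one place lets it be tightened from `high` to `medium` as the backlog shrinks.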

“An important feature Snyk has is a very complete vulnerability database that classifies security issues,” Rizzo said. “Since we had a roadmap of outstanding vulnerabilities, we could reduce our risk exposure right away by focusing on the high severity issues first. The Snyk reports really helped our security and engineering teams prioritise vulnerability fixes since the early stage.”

The Impact: Improved confidence in overall security posture

Introducing Snyk into the TMG’s CI/CD pipeline has dramatically improved the company’s security posture. In fact, the TMG’s security team now has more confidence that developers are proactively minimising the risk exposure of their platforms and APIs as soon as new code is released. As a result, the TMG can continue to safely publish content that inspires its readers.

“From a technical perspective, we trust the Snyk reports and feel much more confident in the security of our software,” Rizzo said. “Snyk has also increased the pace that we can detect and minimise any risk exposure for our services.”