The Challenge: Implementing comprehensive vulnerability scanning
As a licensed bank, Trade Republic focuses on security and adequate application security measures. The company decided to implement Snyk to comprehensively scan for vulnerabilities across its code repositories and throughout its build pipelines.
“We were looking for automated scanning of our container images and infrastructure as code templates,” stated Benjamin Igbeka, Security Engineering Manager at Trade Republic Bank. “From the start, we integrated open-source dependency scanning properly into our development pipelines.”
The Solution: Adopting Snyk for centralized visibility
After evaluating numerous security tools and providers, Trade Republic decided to implement Snyk because the company wanted centralized visibility. Using multiple tools was too difficult to maintain and didn’t allow Trade Republic to easily track all the issues in Jira. Snyk, on the other hand, could immediately enable all developers and cover open source code, containers, and infrastructure configurations.
In addition, Trade Republic integrated Snyk scanning into the company’s overall vulnerability management process. This enabled the company to gain visibility into third-party or supply chain security risks, which is crucial for adhering to regulatory requirements.
Snyk’s developer-friendly approach facilitates adoption
Trade Republic has seen a very high developer usage rate for Snyk since its initial roll out because the platform provides numerous integration options. Development teams could easily run scans from the Snyk CLI or by using IDE plugins. Snyk can also give developers security recommendations within pull requests. Ease of integration, therefore, was crucial for scaling Snyk across the organization. Thereby, Trade Republic identifies security risks already during the development phase of its software.
“Snyk is one of our most comprehensive security testing tools,” Benjamin said. “It covers our open-source libraries, containers, and infrastructure as code. So far, we’ve seen a huge adoption of Snyk by the developers.”
In order to further facilitate this adoption, Trade Republic’s security team offered training sessions and resources to help developers adopt Snyk for different languages and technology stacks. After a few months, the process was mostly hands-off for the security team because developers had become skilled at integrating Snyk for new projects themselves.
Snyk’s developer-friendly approach also helps Trade Republic prioritize vulnerability remediation effectively. A risk-based approach – where only higher severity vulnerabilities block developers from pushing code to the development environment – enables development teams to develop rapidly while also improving application security.
"The ability to give developers context early on was crucial,” explained Benjamin. “I wanted to ensure developers could check for security issues while writing code before committing to Git and get actionable remediation advice.”
The Impact: Improving application security posture
Through the adoption of Snyk, Trade Republic has been able to ensure the protection of sensitive customer data and elevate the security posture of its software from day one.
Gaining visibility into potential vulnerabilities and having confidence that they weren’t false positives was a crucial first step. Then, the teams were able to address newly identified possible vulnerabilities as part of the day-to-day development process. In the end, these improvements have solidified the security of Trade Republic’s infrastructure, software supply chain, and applications.
"Our developers integrated Snyk in their pipelines because it provides fast analysis with fewer false positives, and the remediation advice is actionable, even for non-security folks," concluded Benjamin.
