The Challenge: Adopting modern security testing tools
The challenge Visma faces is staying secure across such a diverse set of technology stacks.
“We are one big company, but we consist of over 200 smaller companies or teams spread across many countries,” stated Per Olsson, Application Security Advisor at Visma. “This complicates things when running a large-scale, centralized security program.”
That is why the company is always looking for the most advanced security tools available, so it can continuously improve its security posture.
“We regularly investigate whether we’re using the best tools available to us, and we concluded that might no longer be true for our existing toolset,” stated Nicolai Brogaard, Service Owner of Software Composition Analysis (SCA) and Static Application Security Testing (SAST) at Visma. “We wanted to move into the next generation of security testing tools.”
The Solution: Choosing a developer-first solution
When Visma was evaluating security tools, the ability to automatically onboard developers and provide an intuitive interface was crucial. Snyk Open Source now enables over 140 development teams to detect and remediate vulnerabilities within the third-party dependencies they use. Snyk’s intuitive interface encouraged developers to adopt the tool and take ownership of security without friction.
“The key success metric is how simple a tool is to onboard,” explained Brogaard. “Introducing new tools, especially in the security world, is not easy to do. You have to prove that there are significant advantages to the tool, and in the case of Snyk, everybody agreed there were.”
Visma’s internal governance structure, the Visma Cloud Delivery Model (VCDM), includes the Visma Application Security Program (VASP). As part of VASP, Visma maintains a maturity index that scores each of its underlying companies on numerous metrics, including how far security tools have been onboarded and the number of outstanding vulnerabilities. The Snyk API lets Visma pull this data from across its code projects.
Visma’s plug-and-play approach with Snyk
Given the sheer size and diversity of Visma’s technology stacks, the integrations Snyk provides were also critical. Governance places no limits on the tools each development team may use, only the requirement that teams adopt the security testing tools the security team has chosen. That is why Snyk’s broad ecosystem of plugins and integrations was a key deciding factor: it lets Visma’s developers safely keep using the tools of their choice.
“The problem with a lot of these security testing tools is that they require so much background knowledge, so you can’t really just plug-and-play them in your environment,” Brogaard said. “So one of the differentiating factors with Snyk is enabling developers to quickly get started and figure things out themselves.”
The Impact: Visibility into vulnerabilities across 20,000 projects
Since implementing Snyk, Visma has run over 600,000 tests to date across more than 20,000 code projects. The majority of these tests were triggered automatically during the development process. Through these efforts, Visma has reduced high severity vulnerabilities by 65% and critical severity vulnerabilities by 39%.
Want to learn more about Visma’s journey? Watch the company’s presentation at SnykCon 2021: Lessons learned from building a developer-first AppSec program.