How Comic Relief’s developers used Snyk
to automate security and boost productivity

Key Achievements

  • Snyk helped Comic Relief to capitalise on the agility of using Open Source while staying secure.
  • Dev team resources were freed up, no longer needing to “focus on the mundane things, like the security of third party systems”.
  • Snyk was easily integrated into Comic Relief’s Concourse CI Serverless deployment pipeline
  • Junior developers are able to use Snyk to remediate vulnerable libraries

Challenges

For companies going through a digital transformation, Comic Relief’s story will resonate. Digital Transformation’s core principles switch from a “waterfall” approach where tools, code, and builds are vetted, to enabling dev teams autonomy of tool choice, usage of open source libraries and continuous deployment. Using third party libraries while increasing agility and productivity also introduces security risks.

"It’s incredibly hard to do due diligence on the vast amounts of 3rd party libraries we use: Which have been well maintained? Which have proven security posture? When we heard about Snyk we thought it’s a ‘no brainer’ and we have to start using Snyk!"

As Girish Nair, Head of Engineering for Comic Relief explains “Prior to having Snyk, 
out-dated dependencies were definitely a major concern. We didn’t have time to research each package for security posture or for security vulnerabilities or put a system in place to apply manual patches”. Comic Relief has to be risk averse, taking security incredibly seriously, “We want to do justice to our donors. We don’t want their data to be lost, we don’t want their transaction to be declined, we want to be worthy of their trust”. Balancing staying secure with being agile and using Open Source libraries was a significant challenge “there was no safe method of choosing the right set without investing significant resources, which we could better invest elsewhere”.

How Snyk

While Comic Relief’s use of serverless is still evolving, the company very easily integrated Snyk into their Concourse Continuous Integration deployment pipeline.

As part of the deployment pipeline, Snyk is able to check the dependencies in use for vulnerabilities. If a vulnerability is found the deployment is stopped. Alternatively if new vulnerabilities are discovered by the Snyk Security team (or others), or a new fix is available, either via an upgrade or a patch, Snyk will send a notification via email and a notification to the Comic Relief dev team’s slack channel. The Snyk alerts are triaged during the daily scrum, and the Comic Relief team decide on ownership of vulnerabilities remediation.

Comic Relief puts a lot of emphasis on growing junior developers. One key advantage of Snyk is the ease of vulnerabilities fixing. Using Snyk CLI’s `snyk wizard` command, developers of all levels can secure the third party code they use.

"You can tell Snyk was built by developers for developers"

 

The Results:

Since integrating Snyk, the Comic Relief dev team can focus on developing their code, and rely on Snyk to secure their open source libraries. “With the automation that Snyk provides we have been able to divert head count from mundane manual security work to highly productive feature development. Due to Snyk alerting us on new vulnerabilities in the form of a Pull Request (that already include the “fix”), we have shrunk what would otherwise be a lengthy triage->remediate manual flow to a simple “merge” we can do in minutes.”