The Challenge: Gaining greater visibility into potential vulnerabilities
With over 200 developers and a wide range of open source technologies in use at Australia Post, the company needed more visibility into potential vulnerabilities within its growing code base. After successfully implementing Snyk for open source dependencies, Australia Post has been expanding its capabilities to cover other aspects of its technology stack.
“As we looked at all the dependencies we have in our code base and the sheer number of technologies that we operate through the organization, we needed to really get a handle on the associated risks and vulnerabilities,” stated Evan Taylor, Cyber Defense Manager at Australia Post.
The Solution: Simplifying application security with Snyk
After evaluating potential security tools, Australia Post chose to implement Snyk Open Source in large part because of its simplicity. The company wanted a solution that could operate with little to no manual interaction by developers, while also giving them the contextual information necessary to remediate vulnerabilities.
“The less impact we can have on a developer’s workflow the better, so the seamless integration aspect of Snyk was very important to us,” said Taylor. “The consumable data Snyk provides is actually what helps us turn the dial and uplift our security maturity.”
Australia Post also recognized that the developer-friendly approach with Snyk Open Source made adoption easier for development teams, so rolling out Snyk’s additional products was the most seamless way forward. When Australia Post chose to begin a phased rollout of Snyk Container next, there was even less friction because developers were already familiar with the tool.
“As we had an existing integration with Snyk, it started to make sense to enable some of its other capabilities, such as Container, Code, or Infrastructure as Code, rather than implementing other tools,” Taylor explained.
The developer perspective was crucial
Taylor’s security team at Australia Post are well aware that the application security tools they choose aren’t consumed by them, but by the development teams. Because developers would be impacted by Snyk, it was crucial that they were part of the evaluation process from the start to get the most value out of the product.
“Our approach is to work directly with the development teams to understand the outcomes they’re looking for,” explained Taylor, “and help them work security into the work that they’re doing rather than it being considered after the fact.”
The Impact: Improving maturity of application security practice
Snyk has enabled Australia Post to gain greater visibility into its code base by increasing scanning coverage using Snyk’s multiple integration options. In turn, this has helped the company reduce new and existing vulnerabilities.
“Our metric for success is less about the total amount of vulnerabilities, and more around the trends,” Taylor explained. “Over time, we’re starting to see the number of new vulnerabilities introduced into production environments reduce.”
In fact, Australia Post has been able to achieve an 84% reduction in critical vulnerabilities being merged from development into test over the past 6 months. Besides reducing new vulnerabilities, Australia Post also cites developer engagement as an important success metric. It’s challenging for the security team to change the operational workflows of developers, so it’s been encouraging for the company to see development teams take the initiative to apply security principles and practices themselves using Snyk.
After the success of implementing security scanning for open source dependencies and containers, Australia Post is now focused on rolling out Snyk Code and is assessing Snyk Infrastructure as Code. This will enable the company to achieve comprehensive security for the modern application technology stack using one centralized solution.
“Snyk is an integral part of our developer workflow,” concluded Taylor. “The scans provide very valuable data when we’re doing security reviews and security testing, which helps teams prioritize remediation activities.”