Revolut chose Snyk to comply with the updated PCI standards and for its agile approach

Highlights:

Fast developers adoption and easy integration to current workflow by the team that already had experience using Snyk in other projects.

Snyk’s agile approach and collaborative work process enabled necessary customizations required by Revolut.

Increased visibility makes it easy to find, prioritize, and fix the vulnerabilities affecting the entire infrastructure.

Alerting when newly disclosed vulnerabilities affect our projects.

Supporting the compliance to the updated PCI standards, required for Revolut’s audit process.

Custom license policy to prevent problematic licenses from being used in projects.

The Challenge: accelerate and scale an arduous security process

As a rapidly expanding company, Revolut no longer has the bandwidth to manually review each and every open source library. Currently, the company works on hundreds of different repositories, each with its own dependency, in a continuous integration environment. These daily strains on the DevOps team were resulting in decreased productivity with more and more time spent in minutia. They needed a solution that could work as quickly as they could scale, while also providing them with complete real-time visibility.

Additionally, considering Revolut operates in the digital banking industry, it’s especially crucial for them to achieve PCI compliance, but also keep that compliance as standards evolve and change every year. Recently, PCI requirements were updated to include securing open source dependencies and integrating security to the development process. So while Revolut already had PCI compliance, they needed to find a solution that would ensure they stayed compliant with any new requirements, especially those around open source.

The Solution: finding a reliable and efficient partner that can improve over time

As Revolut focuses on growth and servicing customers, the team needed a platform and support team that could be a reliable and efficient partner. Upon implementing Snyk, Revolut saw immediate results.

“Snyk was the only vendor that actually achieved all the success criteria, improving their product at the very same time,” said Evangelos Deirmentzoglou, Interim Head of Security at Revolut. “And during that time that we were constantly in communication.”

Snyk was also able to integrate into Revolut from a cultural perspective, providing constant support and a genuine passion for building the best possible platform and resolving technical issues and requests as quickly as possible.

Visibility to real-time security status is a key

As a fintech company, Revolut works with highly critical software where it’s imperative to have visibility into open source libraries. Snyk’s ability to monitor throughout the SDLC allows Revolut to identify and fix crucial issues as soon as they appear.

From my perspective it’s all about visibility. Even if you don’t have the ability to fix something, you are always aware of the current state,” said Evangelos Deirmentzoglou. “But so far, we’ve identified and fixed some very critical issues which is very important.”

The Impact: Quick developer adoption and compliance to the updated PCI standards

Snyk’s proven record as a developer-friendly tool was an added benefit for the Revolut team. As was Snyk’s reputation in the industry, with many of Revolut’s developers already familiar with and eager to use the platform. Thanks to Snyk’s ability to integrate with a variety of different development tools, it’s easy for developers to get the information they need in order to make necessary fixes.

I had developers coming to me, asking to give them access to the platform so they can monitor and patch their projects. We have automated the monitoring process with Slack integration, now developers get an alert on Slack for vulnerabilities in their project. So that is a huge benefit for the team,” said Evangelos Deirmentzoglou.

As a fintech company dealing with sensitive, private information, Revolut must keep to specific standards. Snyk implementation ensures the company’s ability to protect the core infrastructure and maintain PCI compliance among others.

“We get audited all year long. By using Snyk, we can say we’ve secured our open source pipeline,” said Evangelos Deirmentzoglou. “So it’s not just about improving our security exposure but also supporting our compliance efforts.

Revolut’s approach to managing security has improved as well with the implementation of Snyk. When faced with multiple vulnerabilities, it’s easy to get carried away and want to fix every issue as soon as it’s identified. But this time consuming approach doesn’t allow for teams to understand which issues are higher priority than others. Snyk’s platform ensures the team is able to view a holistic picture of the entire infrastructure, meaning engineers can easily identify exactly which of these issues are both fixable and impact the entire system so they can be fixed immediately. Knowing when and where to fix issues resulted in Revolut seeing decreased vulnerabilities across the board.

As for the advice Revolut gives to companies searching for open source security solutions?

“Choose a vendor like Snyk who is as keen to solve a problem as you are.”

Über Snyk Revolut

An den Start ging Revolut 2015 mit der Vision einer digitalen Alternative zu den etablierten Großbanken. Damals noch eine App nur für Geldüberweisungen und Devisenumtausch, entwickelte sich aus ihr peu à peu ein Digital-Finance-Komplettservice, der heute von Kreditkartentransaktionen und Budgetplanung bis zum Handel mit Wertpapieren, Rohstoffen und Kryptowährungen reicht. Mit wachsendem Erfolg expandierte das Unternehmen rasant, dies zunächst in Europa, dann auch international. Die Prozesse für Review und Monitoring von Open-Source-Bibliotheken allerdings gingen dieses Tempo nicht mit, erfolgten innerhalb des DevOps-Teams allesamt manuell. Eine effizientere Lösung war also gefragt. Eine, hinter der angesichts der hochsensiblen Finanzdaten, die das Unternehmen verarbeitet, zudem ein Partner mit umfassendem Know-how rund um Open-Source-Security stehen würde.

Für Snyk entschied man sich dann ob der nahtlosen Integration der Lösung in den Dev-Lifecycle, durch die deutlich effizientere Review-Workflows für die zunehmende Anzahl der für die App genutzten Open-Source-Repositories möglich wurden. Für die Wahl ebenfalls ausschlaggebend war die Agilität des Support-Teams: Potenzielle Probleme etwa bei der Integration adressierte es stets kompetent sowie direkt bei ihrem Auftreten.

Jetzt starten mit Sicherheit für KI-generierten Code

Sie möchten Code aus KI-gestützten Tools in Minutenschnelle sicher machen? Dann registrieren Sie sich direkt für ein kostenloses Snyk-Konto oder besprechen Sie in einer Demo mit unseren Experten, was die Lösung für Ihre Use Cases im Bereich Dev-Security möglich macht.

Unverbindlich und ohne Kreditkarte.

Mit Ihrer Registrierung bzw. Anmeldung stimmen Sie automatisch unseren Richtlinien zu, so etwa unseren Nutzungsbedingungen und unserer Datenschutzerklärung.