
How TechnologyOne Cuts Security Friction from 90 Minutes to Seconds with Snyk

Customer spotlight

Nick Baker

Security Operations and Engineering Lead

Chris Polkinghorne

Head of Security and Compliance Programs

Location: Brisbane, Australia

Highlights:

Eliminated developer friction with shift-left success: Removed security fixes as a time-consuming, late-stage bottleneck by implementing pull request (PR) scanning, enabling developers to identify and remediate vulnerabilities early in the lifecycle, often with zero additional toil.

Rapid onboarding achieved immediate coverage: Onboarded all of its software from its extensive collection of code repositories within a couple of days. The time to fix a vulnerability was reduced to mere seconds with Snyk's IDE recommendations.

High-signal, low-noise findings: Snyk's focus on material security issues helped rapidly gain team confidence and drove adoption across development teams.

TechnologyOne is more than just a global SaaS Enterprise Resource Planning (ERP) provider: it's a company that builds, deploys, and operates all of its own software in-house, without relying on outsourced consultants. This end-to-end offering is a core differentiator and drastically changes the game for their customers. The company fosters a deeply committed culture where they "care non-stop" about the security of their customers, whether those customers have been with them for six months or 20 years.

Nick Baker, the Security Operations and Engineering Lead, along with Chris Polkinghorne, Head of Security and Compliance Programs, knew that to maintain this high-trust standard and accelerate their development teams, they needed to fundamentally transform their Application Security (AppSec) program. 

The challenge: Visibility gaps and development bottlenecks

In the past, they relied on a mix of open source tools and internally written static code analysis (SCA) tools. The homegrown tools, designed mostly for the company's majority .NET code, lacked coverage for new platforms and technologies the company wanted to explore. While these tools initially met basic security needs, they quickly became a bottleneck for the engineering teams.

Nick explains, “Being a company that was majority .NET code, it was a very narrow scope. There wasn't any tooling to support new platforms and technologies.”

The existing tools were too noisy, Nick added. “One report suggested ‘thousands of days of tech debt’; the false positives made it hard to have ‘healthy conversations’ with product teams.” 

Security issues often surfaced just before release, the worst possible time. This was a major concern for the security team as there was a significant capability gap.

“There was no visibility for developers until they were about to ship,” Nick recalled. “That’s expensive. If they find a security issue, then they have to go back, fix it, and restart the whole cycle.”

For large products, even one fix could mean hours of rebuilds and retesting.

“Some of our software takes 30 minutes just to build,” Nick said. “If you have to do that three times for one fix, that’s 90 minutes of wasted time.”

The team needed to get security feedback to developers earlier, more often, and directly in their workflow.

At that point, the requirements were clear: reduce noise, improve coverage across languages and frameworks, and give developers fast, contextual feedback they could act on.

The solution: A collaborative, high-signal, low-noise partner

When evaluating solutions, the TechnologyOne team had clear non-negotiables, all focused on making the tool an enabler for the business:

  • High signal, low noise: Legacy tools overwhelmed teams with non-actionable findings and lint-level issues.

  • Coverage gaps: The solution must support multiple languages across .NET, Node.js, Python, Go, and more—not just TechnologyOne’s legacy stack.

  • Comprehensive coverage: Coverage for both third-party analysis (SBOM) and static code analysis.

  • Scalability: The solution needed to scale to thousands of repos.

The Snyk team stood out as a true partner based on both technical fit and partnership fit. “Early meetings with Snyk felt like real problem-solving sessions,” Nick said. “It was collaborative from day one.”

The rollout of Snyk was swift and transformative. TechnologyOne onboarded all their software from their code repositories within a couple of days. This was a huge leap from previous tools. 

“We needed coverage quite immediately, and we had that within a couple of days—not weeks, not months,” Nick said. 

Snyk’s partnership extended beyond tooling. When a product team hit a blocker, the Snyk engineering team came prepared with a working fix and kept things moving.

“I was impressed; the product team was really happy with how it was handled.”

The impact: Speed and confidence

Speed-to-value matters, whether you have four developers or 400. With Snyk, security leaders could see secure practices happening without chasing every team.

Chris explains, “We want our development teams to go quickly and be safe as well. That's one of the non-negotiables. It provided that confidence layer - back data that shows teams are doing the right things while they're moving at pace.” 

That aligns with TechnologyOne’s brand promise: safe, reliable innovation.

By replacing noisy, inefficient legacy tools, TechnologyOne achieved visibility across its vast codebase and reduced the time to fix vulnerabilities. 

Real shift-left, improved developer experience without friction

Pull request scanning was rolled out overnight. “We were able to turn it on, and it made people's lives easier,” Nick notes. 

That shift-left outcome wasn’t theoretical. It directly addressed an expensive part of TechnologyOne’s SDLC: late feedback loops that caused multi-hour rebuild cycles and slowed release approvals. Now, developers get recommendations in seconds - right at the line of code.

Chris said, “With Snyk and the IDE, the developer sees the line, gets the recommendation, changes it in seconds, and moves on.” 

Security as an enabler, not a blocker

Snyk transformed the developer experience by integrating security feedback directly into the workflow, making it an enabler rather than a blocker. TechnologyOne's security culture is fundamentally different from many enterprise software companies. 

The partnership with Snyk has transformed TechnologyOne's approach to application security, shifting the narrative from security as a development roadblock to a core enabler of speed and quality for developer workflows. 

“We’re a security team that wants to be seen as enablers,” Chris said. “It’s rarely ‘No, you can’t.’ It’s usually ‘Yes—with conditions.’”

That mindset—fast and secure—is part of what makes TechnologyOne a standout place to work.

Looking ahead: Scaling developer training with Snyk Learn

Next up was rolling out Snyk Learn to deliver contextual, stack-specific training across teams. The goal? Make secure coding second nature.

Chris noted, “When you have hundreds of developers working on different platforms and different tech stacks, it's very difficult to craft a piece of training that is repeatable and solves all those unique challenges. Historically, our developer training was either ‘here's our core bread and butter software’ or ‘here's a generic one.’ There's a lot of disconnect in that.” 

Nick added, “Snyk Learn gives us content tailored to each team’s stack—and that’s what makes it stick. No one likes doing generic training. With Snyk Learn, it’s relevant, engaging, and actually useful.”

By embedding Snyk into every layer of the software lifecycle, TechnologyOne has created a culture of secure-by-design that empowers developers to move fast and build confidence. This has proven that speed and security don’t have to compete. When done right, they power each other.