How Auth0 manages developer security at a high-growth scale

Étude de cas client

Marcin Hoppe

Senior Manager of Product Security

Secteur d’activité: Tech
Location: Washington, USA

Points forts:

Enabled Auth0 developers to manage security in an automated and easy way

Tracked the number of vulnerabilities resolved each month as well as how quickly these vulnerabilities are resolved

Core Mission

Marcin Hoppe is the senior manager of product security at Auth0. He leads the security team in closely collaborating with engineering to ensure secure code is deployed throughout the organization. As he describes it, the core of his mission is to help engineers at Auth0 build a more secure product.

To achieve this goal, rather than expecting engineers to become security experts, Hoppe and his team offer guidance and easy-to-use tools—including Snyk—to empower their developer counterparts to shift left; in other words, to bring security into the software development lifecycle early, often, and in an automated fashion.

Managing Dependencies and Mitigating Vulnerabilities

With a technology stack built on Node.js, which inherently includes many open source libraries and dependencies, Hoppe’s team often takes advantage of open source code and knew that dependency management can be particularly prevalent and hard to manage. They are focused on achieving visibility into the quality and security of the open source components they are using, and want to be able to see any risks that arise and address them quickly.

As Hoppe says, “My number one concern is discovering vulnerabilities faster than adversaries or malicious actors, while maintaining enough visibility into our open source supply chain to understand what we are pulling in. This way, we can react to risks appropriately and in a timely manner.” That’s exactly where Snyk comes in.

Why Auth0 Chose Snyk

Auth0’s security team realized early on that they needed a solution that would enable their developers to manage security in an automated and easy way. They chose Snyk because it was the most “complete and comprehensive” in helping them manage open source dependencies and mitigate risks, offering tools to help developers automatically find and fix vulnerabilities in open source code.

“The Auth0 team uses Snyk to make sure we are running on a secure foundation, no matter what.”

Identifying and Analyzing Vulnerabilities in Code

Auth0 needs visibility into vulnerabilities coming from all sources. Snyk helps them identify and analyze open source vulnerabilities and prioritize resolution. Previously, Hoppe’s team was using technical severity as the primary metric when deciding which vulnerabilities to resolve first. However, they realized over time there were better ways to prioritize.

For example, the team now analyzes whether a component processes customer data and whether the vulnerability has been identified by an outside, third-party source. These both serve as indicators that it is a higher-priority vulnerability. On the other hand, if a particular component is difficult for a potential attacker to access, it may be able to be deprioritized.

As mentioned earlier, Hoppe’s goal is always to discover vulnerabilities faster than outsiders, whether that is a customer or an attacker. Yet he does not want to slow down his development teams or forbid them from using open source components. Snyk helps the team balance these goals by identifying and managing vulnerabilities in all open source dependencies.

Snyk continuously tests for newly disclosed vulnerabilities, and dependencies are tested against Snyk’s comprehensive vulnerability database to provide clear and immediate information on the severity and prevalence of a particular vulnerability. This way, the development team can find and remediate vulnerabilities quickly without requiring frequent hands-on expertise from the security team.

Scaling Security by Integrating with Development Environments

One specific challenge that Hoppe’s team ran into was that, due to the nature of Node.js, command line security tools can be challenging to use. The security team stepped in and simplified the security process for developers by integrating Snyk into their development environment.

Specifically, Auth0 was running Docker containers, so the security team introduced a security container featuring Snyk right into the development environment. Now, every engineer can run Snyk and get the security information they need themselves, without having to deal with a challenging user experience around command line tools. In this way, the team has been able to scale security without having to dramatically increase the size of their security workforce, which can be a real challenge given the talent shortage.

Building Security Processes & Measuring Progress

An important responsibility of Hoppe’s team is to build security processes and offer tools (like the security container described above) that make it easier for developers to do their jobs. Whenever they see an opportunity to automate an aspect of security or make tools easier to use, they seize it.

Additionally, Hoppe’s team is tasked with measuring progress for teams at Auth0 who are working to improve their security posture over time. Right now, his team tracks the number of vulnerabilities resolved each month. They also track how quickly these vulnerabilities are resolved and how many have breached SLA.

Balancing Security and Business Requirements

Just about every organization out there must work to balance security requirements with business goals and needs. Hoppe and his team work closely with business stakeholders to prioritize security problems against business requirements and to balance the need to remain secure with the need to grow and be competitive in the market.

For engineers, it can be extremely hard to make decisions that involve security vs. business trade-offs, so Hoppe’s team serves an important role in liaising between these two parts of the organization. With tools like Snyk at his disposal, Hoppe can demonstrate to business stakeholders that his team is intelligently prioritizing security fixes and improving their security posture over time, while also keeping an eye on the bottom line.

Running on a Secure Foundation

Auth0 is a company with security at its heart, so it makes sense that they have embraced the importance of maintaining visibility into their security posture and a focus on continuous improvement. Backed by their partnership with Snyk, Auth0 has successfully balanced business needs with security requirements and continues to level up their posture as they embrace new, modern approaches to security throughout the entire organization.

À propos Auth0

Dans un monde où les violations de données se multiplient, Auth0 fournit une plateforme d’authentification et d’autorisation universelle pour les applications Web, mobiles et héritées. Ses outils, comme la connexion unique, l’authentification multifacteur et la connexion universelle, permettent aux organisations de simplifier la sécurité tout en facilitant la gestion des identités et des accès.

Auth0 est en phrase de forte croissance et a réalisé qu’il pouvait être difficile de renforcer son équipe de sécurité au même rythme que son équipe technique. Il est ainsi intéressant pour l’entreprise d’aider ses équipes techniques à opérer de manière la plus autonome possible en matière de sécurité. C’est en grande partie pour cette raison qu’Auth0 a adopté Snyk, qui permet aux développeurs sans grande expérience de la sécurité d’intégrer très facilement les meilleures pratiques, par exemple l’analyse des vulnérabilités, directement dans leurs workflows et outils.

Patch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo Segment

Snyk est une plateforme de sécurité des développeurs. S’intégrant directement aux outils, workflows et pipelines de développement, Snyk facilite la détection, la priorisation et la correction des failles de sécurité dans le code, les dépendances, les conteneurs et l’infrastructure en tant que code (IaC). Soutenu par une intelligence applicative et sécuritaire de pointe, Snyk intègre l'expertise de la sécurité au sein des outils de chaque développeur.

Démarrez gratuitementRéservez une démo en ligne

© 2024 Snyk Limited
Enregistré en Angleterre et au Pays de Galles

logo-devseccon