Breathe Life

How Breathe Life established a developer-first security culture with Snyk and StackHawk


Francois Allard

Director of Engineering

Industry: Non-profit
Location: Canada


Leveraged Snyk and StackHawk for visibility into their environment, increasing security posture visibility by 41% in the past 3 months

Achieved 400% increase in developer adoption in 3 months

These tools allowed all engineering teams to be involved in software security

Engineering teams are able to drill down and see which specific transitive dependency created a vulnerability

Snyk and StackHawk showed Breathe Life that their platform is free of major vulnerabilities

The Challenge

Francois Allard spearheads this mission as Director of Engineering. His Developer Experience team has the two-fold task of enabling engineering teams to build and operate scalable, secure and resilient apps with high velocity, while empowering customer development teams to seamlessly integrate their systems with the platform through self-service. These industry-leading goals require cutting-edge tooling that supports a developer-centric approach to security, making Snyk and StackHawk the perfect partners.

Privacy and compliance

Working in the insurance industry makes highly sensitive data and strict regulations a daily concern for Breathe Life. When security is crucial, having a robust vulnerability management program is paramount, and this means the team needs to invest in the best tooling available.

“We need tools that will be able to follow our pace: we know the value of quick and small iterations on our platform, and we can’t be slowed down by lengthy processes or clunky tools,” said Francois Allard.

While navigating privacy laws was a driving factor in seeking a security solution, the team “didn’t put in place these solutions with the goal of only ‘checking the box’ of those compliance requirements. We understand the value that these solutions are providing us and would have [gone] forward with these even without the compliance need” (Allard).

Demands of modern development

Like many web teams, Breathe Life uses open source components to form the framework of their applications running on Google Kubernetes Engine (GKE). Monitoring those countless dependencies by hand is an impossible task. So, the team needed a platform that increased visibility within the software and scanned open source dependencies and containers in depth.

The Solution: Developer-centric tooling

Since Allard runs a developer-centric team, choosing a solution designed by and for developers was the logical next step. Many security tools are built to target large organizations’ centralized security teams, which runs counter to Breathe Life’s mission of having all engineering teams involved in the security of their software.

Breathe Life was already using the freemium version of Snyk Open Source, so evaluating the paid plan was a natural progression. The combination of Snyk Open Source and Snyk Code allowed them to easily identify the minimum version they needed to upgrade vulnerable packages to. Additionally, the team could see which specific transitive dependency is introducing the vulnerability, and whether they can update it by removing the version pinning on that transitive dependency, so they get the most recent version while still respecting the SemVer ranges declared by the parent packages.
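The transitive-dependency triage described above, as an added illustration that is not Breathe Life's, Snyk's or StackHawk's code: a constructed npm-style dependency tree, every path from the application to the vulnerable package, and for each parent whether a lockfile refresh, removing a pin, or upgrading the parent itself is what reaches the fixed version. The package names, versions and the caret-range model are assumptions made for the example.

```python
"""Find which parent pulls in a vulnerable transitive package and decide
whether un-pinning is enough to reach the fixed version within SemVer."""

# Constructed tree: name -> (resolved version, {dependency: declared range}).
# Only npm caret ranges ("^x.y.z") and exact pins ("x.y.z") are modelled.
TREE = {
    "app":        ("1.0.0", {"web-kit": "^2.3.0", "log-lib": "^1.4.2"}),
    "web-kit":    ("2.3.1", {"parse-util": "^4.1.0"}),
    "log-lib":    ("1.4.2", {"parse-util": "4.1.0"}),   # exact pin
    "parse-util": ("4.1.0", {}),                        # the vulnerable package
}

def parse(v: str) -> tuple:
    return tuple(int(x) for x in v.split("."))

def caret_allows(spec: str, version: str) -> bool:
    """True if `version` satisfies an npm caret range or an exact pin."""
    if not spec.startswith("^"):
        return parse(spec) == parse(version)
    lo, cand = parse(spec[1:]), parse(version)
    if cand < lo:
        return False
    # ^x.y.z keeps the leftmost non-zero component fixed (npm semantics).
    if lo[0] != 0:
        return cand[0] == lo[0]
    if lo[1] != 0:
        return cand[:2] == lo[:2]
    return cand == lo

def paths_to(target: str, root: str = "app", path=None):
    """Yield every dependency path from root down to target."""
    path = (path or []) + [root]
    if root == target:
        yield path
        return
    for dep in TREE[root][1]:
        yield from paths_to(target, dep, path)

def triage(vuln_pkg: str, fixed_in: str) -> dict:
    """Map each parent of vuln_pkg to (path, declared range, remediation)."""
    report = {}
    for path in paths_to(vuln_pkg):
        parent = path[-2]
        spec = TREE[parent][1][vuln_pkg]
        if caret_allows(spec, fixed_in):
            verdict = "refresh-lockfile"   # range already admits the fix
        elif not spec.startswith("^") and caret_allows("^" + spec, fixed_in):
            verdict = "remove-pin"         # pin blocks it; a caret range would not
        else:
            verdict = "upgrade-parent"     # fix lies outside the parent's SemVer range
        report[parent] = (" > ".join(path), spec, verdict)
    return report
```

Running `triage("parse-util", "4.1.3")` shows that web-kit only needs a lockfile refresh while log-lib's exact pin must be removed; with a fix only in `5.0.0`, both parents themselves need upgrading.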

After seeing StackHawk in action at a DevOps conference, Allard and his team were interested in seeing if it would be a fit. The fact that StackHawk and Snyk were already partners sweetened the deal by demonstrating how well the two tools complement each other. StackHawk’s ability to identify all the relevant APIs to scan using the OpenAPI spec within an application made it easy to incorporate into Breathe Life’s CI/CD stack and to manage findings in the platform.

The Impact: Growing with confidence and peace of mind

The increased visibility provided by Snyk and StackHawk has been impactful for the Breathe Life team. Snyk Open Source’s scanning gave developers additional details that made fixes more efficient and ensured all transitive dependencies were secure. In fact, the team has increased visibility into their security posture by 41% in the past 3 months. StackHawk’s ability to use the OpenAPI spec let them scan the real application and test the parts that mattered most, without the limitations of other products.

Though Allard and his team are still working out some automation kinks, they were able to address a big portion of the vulnerable transitive packages.

“Snyk Code and StackHawk have shown us that, from an automated scan perspective, our platform is solid and does not contain obvious important vulnerabilities,” stated Allard. “As we grow, those tools will give us some confidence that it remains this way.”

Whether you’re a young company just starting to incorporate security or an established organization navigating the shift toward decentralization, Snyk and StackHawk can help. Experience modern dynamic application security testing with a free StackHawk account, and let Snyk help you find and fix vulnerabilities across your entire development life cycle with a free trial.

About Breathe Life

As a young insurtech company aiming to revolutionize the life insurance industry, Breathe Life has begun to rewrite industry traditions. Their modern life insurance distribution platform breaks the legacy software mold that prevents insurers from reaching the masses in order to make financial security accessible to everyone.

Snyk is a developer security platform. Snyk not only finds vulnerabilities in code, open source packages and their dependencies, containers and infrastructure as code (IaC), but also helps teams prioritize and fix them. Built on a leading vulnerability database, Snyk delivers its security expertise directly to developers.


© 2024 Snyk Limited
Registered in England and Wales