May 2, 2019

Information Security Policy

Table of Contents

  • Background

  • Commitment to Security

  • Corporate Security Management

    • Security Responsibilities

  • End User Privacy

  • Information Access Control Management

    • Customer Environment Access

    • Access to Production Servers

    • Data Segmentation between Organizations

    • Network Access

    • Billing

  • Human Resources Security Management

    • Background Checks

    • Security Training

    • Off-boarding

    • Social Engineering

  • Physical Security Management

    • Snyk Offices

    • Data removal

    • Guests

  • Operations Management

    • Development and Testing

    • Malware Mitigation

    • Community Notifications

    • High Availability, Disaster Recovery and Database Backups

    • Data Retention and Destruction

    • Data Archive

    • Network Security

    • Monitoring

  • Information Systems Security Management

    • Laptop Security Controls

    • Vulnerability Management

    • Source Code Controls

    • Disciplinary Action

    • Policy Review

  • History and Versioning


Background

Snyk (the "company") is a software development company, that builds automated software to analyze 3rd party libraries and help companies understand and secure their software dependencies, starting with tools that find, fix and monitor for known vulnerabilities in Node.js npm and Ruby packages.
The company is headquartered in London, United Kingdom, with an R&D office in Tel Aviv, Israel.

Information stored and processed in Snyk’s IT systems, is an integral part of doing business. Protecting the confidentiality, integrity and availability of this data is a key principle in the management conduct.

The information security policy presents the management commitment to information security, and the key elements that allow the company to maintain the required information security level.

Commitment to Security

Snyk is committed to maintaining a safe and secure environment for our customers and partners. As a leader in security developer’s tools, Snyk holds great value in maintaining the highest standards of data security. This includes providing clarity about the measures taken to ensure those standards.

The Snyk Information Security Policy establishes the rules, guidelines and practices for protecting data assets on Snyk's information systems and associated infrastructure, hardware and networks, through an intelligent architecture of security controls and monitoring.

All Snyk employees and authorized contractors, regardless of their titles, positions and geographical locations must adhere to this Information Security Policy.

Corporate Security Management

Security Responsibilities

Snyk has assigned Danny Grander (danny@snyk.io), Snyk’s co-founder as its Information Security Officer. The security officer’s main responsibility is protecting the confidentiality, integrity, and availability of Snyk’s data and computing assets. Other key responsibilities include:

  • Product security architecture and strategy

  • Vulnerability management

  • Security incident response

  • Risk assessment and audit

  • Security awareness

Snyk performs regular risk assessments. The scope of these assessments varies, and, depending on the need, they are performed either in-house or by a trusted third-party provider. Snyk keeps up-to-date with the latest security vulnerabilities, ensuring its servers are continuously upgraded to maintain the highest level of security, and immediately updated with security patches when critical security vulnerabilities are reported.

End User Privacy

Snyk is committed to protecting end-user privacy, across all Snyk tools, CLI and web portals.
Snyk's privacy practices are described in further detail online at:

https://dev.snyk.io/policies/privacy

Information Access Control Management

Customer Environment Access

Snyk is committed to keeping our customer’s confidential data protected at all times. Access privileges to customer information are granted on a “need to know” basis, and need to be approved by a member of Snyk’s management team and then pass final access review by Snyk’s security officer. Access to production environments is restricted to Snyk support/operations personnel and a limited number of Snyk’s development team.

Customer information is never stored on physical servers located in the Snyk offices or as printed material. When there is a need to copy production information to an employee’s local computer, this information will be anonymized to prevent any potential privacy violation and deleted once it is no longer required.

Any access to a customer environment, either by a customer or Snyk personnel, is logged in Snyk’s production environment and kept available for future analysis. Logs are stored for a minimum period of 30 days .

Access by Snyk personnel to customer environments requires using a password that complies with Snyk’s password strength policy, which enforces a minimum of eight characters in length and three complexity levels. All administrator passwords stored in the Snyk database are hashed with one-way HMAC. Hashing salts are safely secured on separate media with limited access rights.

For more details on log and data retention policies: https://cloud.google.com/logging/quota-policy

Access to Production Servers

Access to Snyk’s production servers or their managing interfaces (e.g. Snyk’s management console) is restricted to Snyk operations and support personnel and a small number of Snyk R&D team members, who require this access to perform their duties.

Access controls to production servers are reviewed every six months at a minimum.
Access reviews are documented in a designated log file.

Data Segmentation between Organizations

Snyk’s production environment serves thousands of users while partitioning data such that each user can only view data related to his communication with Snyk’s application. Software-based infrastructure prevents the possibility of data leakage between different user’s views due to human error.

Network Access

Snyk maintains wireless networks in its offices. In order to segment sensitive corporate traffic, from public traffic, Snyk has established “Guest” and “Corporate” networks, both secured using WPA2 encryption.

Mail, Analytics, Support and other 3rd party Tool Access

Snyk maintains a list of 3rd party tools each employee has access to, including the level of access (basic, administrator), and whether the access is required on a temporary basis or not. The list is reviewed quarterly (or in an event of employee termination) by the CISO to verify accuracy and detect areas where access can be restricted. Administrator access to various tools is kept to a minimum.

Billing

Snyk uses a PCI-compliant 3rd-party services (Stripe) to manage credit card transactions, and does not store or see any credit card information. For more info about Stripe’s security, go to:

https://stripe.com/help/security

Data Classification

  • Snyk has two classes of data: sensitive data, non-sensitive data.

  • Sensitive data is described as:

    • Personal HR information (personal, financial and health information of employees).

    • Intellectual Proprietary (source code, R&D plans).

    • Business information - clients (client base, client statistics, etc')

  • All policies and procedures shall take data classification into effect.

  • Personally Identifiable Information (PII) shall be registered as required by ICO (Information Commissioner Office)

Human Resources Security Management

Background Checks

Snyk performs a background check on any new company personnel (including full-time employees, part-time employees and contractors), subject to limitations prescribed under the applicable law. Background checks include interviews, social media research, legal publication databases, reference calls and hiring services of independent 3rd party background-check companies.

Security Training

During new hire employee onboarding, employees undergo a security awareness training session that addresses each employee’s security responsibilities. Sessions cover the following topics:

  • Ensuring customer data protection

  • Corporate security considerations including confidentiality of information and intellectual property protection

  • Understanding security threats like malware and phishing

  • Understanding physical threats

  • Laptop security

  • Reporting security incidents

Security guidelines are refreshed annually via mandatory training for all Snyk employees.

Off-boarding

Snyk maintains a documented procedure describing the steps that need to be performed upon termination of an employee, and has designated personnel to enforce the procedure. The procedure includes revocation of physical and virtual access to various systems, including production environments. In addition, the procedure describes the process to retrieve laptops and other hardware and how data and configuration is securely wiped off the devices.

Pursuant to Snyk’s Confidentiality Agreement, employees are required to surrender any confidential material (stored physically or digitally, printed or written) as it relates to processes, infrastructure, software, finances, or customer data.

Role and Duty Changes

As roles and duties evolve at Snyk, employee's scope of work will change and with that the permissions and access that are required to perform their duties. Upon such a change, the employee’s direct manager is responsible to notify the CISO of such change, after which permissions will be deprovisioned and newly provisioned based on the new scope of work.

Social Engineering

Snyk regularly educates its employees regarding social engineering threats, including email phishing, email spoofing, threats, coercion, intimidation, gifting, befriending and similar. Snyk employs SPF and DKIM signatures and validation on all email and uses DMARC and other advanced anti-phishing technology to prevent spoofed and phishing emails to reach its employees. Employees are instructed never to inject an unknown USB, CD or other media into their laptops and desktops.

Support staff undergo additional training regarding what type of information they may disclose in support inquiries from customers. Namely, company personnel, Snyk’s internal organization information, and information about other customers is never shared on support inquiries. Historical data from the complainant’s account, may be released under certain circumstances, and if so only after complainant is authenticated. Such data is only delivered back via the customer’s portal within the Snyk app and never via email or the support ticketing system.

Physical Security Management

Snyk does not store customer information on physical servers located in the Snyk offices or as printed materials. Snyk utilizes ISO 27001 and FISMA certified data centers managed by Google. Google has many years of experience in designing, constructing, and operating large scale data centers. This experience has been applied to the Google platform and infrastructure. Google data centers are housed in nondescript facilities, and critical facilities have extensive setback and military-grade perimeter control berms as well as other natural boundary protection. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, state of the art intrusion detection systems, and other electronic means.

Authorized staff must pass two-factor authentication no fewer than three times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.

Google only provides data center access and information to employees with legitimate business needs. When an employee no longer has a business need for access privileges, his or her access is immediately revoked, even if they continue to be an employee of Google.

All physical and electronic access to data centers by Google employees is logged and audited routinely.

For additional information see:

Google:
https://cloud.google.com/security/compliance
https://cloud.google.com/security/whitepaper

Snyk Offices

Access to the Snyk offices is restricted using:, a digital FOB to access the building and a key to the office (London branch); office key for on-hours (Tel Aviv branch); gate key, elevator key and office key for off-hours (Tel Aviv branch). In addition, during all office hours visitors to the Snyk offices are required to be accompanied by Snyk employees at all times. During off-hours, the office space is wired with a digital alarm which prompts a 24/7 security company. Shredders are available to employees to securely dispose of sensitive information.

Lost or stolen keys or FOBs are to be reported immediately to the office administrator. Stolen or lost keys trigger a replacement of all impacted office locks. Lost or stolen FOBs are remotely disabled.

Data removal

Media and devices that leave Snyk's facilities and controls – either temporarily or permanently, require the security officer's review and confirmation, and are subject to data deletion processes, using data scrubbing software, media destruction, or any other means at the security officer's discretion.

Decommissioning of physical hardware used as part of Snyk’s production environment is performed by Google and includes the destruction of the data stored on the hardware, as detailed the “Hardware tracking and disposal” section of the Google security whitepaper (see https://cloud.google.com/security/whitepaper)

Guests

A guest is any person, who is not a Snyk employee or authorized contractor ("Employee"), including family members, friends, etc. Snyk's desktops, laptops and other devices are to be used only by Snyk's employees.

Unknown guests are identified with a government issued ID, and must be escorted at all times by a Snyk employee.

Guests are not allowed any access whatsoever to Snyk's devices. Guests are welcome to connect their laptops, tablets and smartphones to Snyk's guest wireless network for internet access. Snyk’s IT department will not provide support for guest computers. If a guest wishes to print a document, the guest should forward the document by email to an employee, who will print the document (after additional virus and malware scans).

Operations Management

Development and Testing

Snyk employs multiple methods for ensuring high coding standards and to minimize the number of bugs. These methods include a mandatory review process for each piece of code added into the product, automated code review tools and a continuous integration framework that runs unit-level as well as system-level automatic tests. Snyk also utilizes a staging environment on which changes can undergo full manual testing before being rolled out into production.

Snyk’s R&D department includes a Quality Assurance (QA) team, which has the sole responsibility of ensuring that Snyk products maintain a high level of quality.

Snyk’s R&D uses an agile development process that enables frequent rollouts into production, but also maintains the capability to rollback changes in case problems arise following a deployment to production. Snyk performs periodic security assessments on its production environment, utilizing both inherent internal expertise as well as 3rd-party tools in order to ensure that products meet the highest security standards. As issues are discovered, tickets are filed and remediation is initiated. Following the implementation of the relevant fixes, retesting is performed to ensure the vulnerabilities are resolved.

Snyk employs the power of the community to further enhance its internal security, and from time to time maintains a security bug bounty program (https://dev.snyk.io/docs/security), in which members of the general community are rewarded for identifying and responsibly disclosing discovered vulnerabilities to Snyk.

These steps, as well as additional guidelines aimed at ensuring all security requirements are met, are defined as part of Snyk’s System Development Lifecycle (SDLC).

Penetration Testing

Snyk enlists the services of external pentesting firms to perform application and infrastructure level penetration tests. External pentesting is performed at least once annually. In addition, internal pentesting is performed by our seasoned security team at least twice annually.

Malware Mitigation

Snyk’s R&D, Operations and Support departments use exclusively Apple OSX operating systems. While malware has not traditionally been a significant threat to the security of these systems, Snyk does take active steps to ensure its employees’ computers are not compromised. All employee laptops and desktops are setup with SentinelOne end-point protection system, which monitors for malware and exploitation threats real-time.

Community Notifications

The Snyk security officer receives periodic security notifications from a variety of information security resources. When a threat is discovered, an assessment of its impact is performed and mitigation steps are planned. High-risk vulnerabilities are immediately communicated to all Snyk employees along with instructions on how to remediate the vulnerabilities. Additionally, Snyk employees are encouraged to install only reputable software, to regularly patch their preferred browser, to use internal security mechanisms (FileVault, Firewall) and to regularly run Mac OS’s Software Update.

3rd party Vendor and Subcontractor Management

All subcontractors and 3rd party vendors must be approved by the CISO before engagement. The CISO will assess and approve the 3rd party vendor’s security stature, including reviewing the vendor’s policies and procedures relating to security, data, privacy and so on. Such assessments will be done yearly or any time there is a major change in the engagement or services consumed. Such reviews are logged and maintained in a separate vendor assessment log.

High Availability, Disaster Recovery and Database Backups

Each critical server in Snyk’s cloud environment is backed by either duplicate multiple instances (multiple availability zones) or a slave node (for databases) to which failover can be performed, ensuring mini mal system downtime in case of a critical failure. The automatic failover process is triggered by the underlying cloud infrastructure after it has been determined that a component is unable to reliably respond to requests.

The impact on end user experience in cases of downtime is also minimal. There will not be any visible impact on the functionality of the Snyk website and APIs, rather, only a delay in serving some of the request.

Database backups of Snyk’s production system are taken daily and prior to any major upgrade or configuration change to Snyk’s production environment. These backups allow, in the event of a disaster, the creation of a replica environment within a minimal period of time.

Data restores are exercised quarterly to ensure the data and processes are intact.

Data Retention and Destruction

Snyk retains database backups for a minimum period of 90 days, where daily backups are stored for last 7 days, weekly backups stored for last 4 weeks, and monthly backups stored for last 3 months. Detailed production logs, including logs of access to the management server are retained for 30 days.

Logging of end user activities is maintained for a period of at least six months, enabling analysis of past threats.

Decommissioning hardware is managed by Google using a process designed to prevent customer data exposure, including techniques outlined in DoD 5220.22-M (“National Industrial Security Program Operating Manual“) and NIST 800-88 (“Guidelines for Media Sanitization”) to destroy data.

Data Archive

The following rules will apply to data that is no longer used, but needs to be maintained for auditing, bookkeeping, regulatory requirements (e.g., Tax Authority requirements), defending potential claims and for other legitimate and lawful purposes:

  1. The data will be marked as archival data;

  2. Access to archived data will be limited to relevant personnel only (e.g., CEO, CFO, VP products, IT manager, R&D manager, and legal advisor);

  3. When the purpose for maintaining the data is ended, or seven years have lapsed since the data was archived, whichever comes first, the data will be removed from Snyk's system.

Network Security

Snyk’s application cluster is hosted on Google’s Cloud Environment. In this model, the underlying cloud platform provides network security controls, while Snyk’s network and system architects configure the various routing and security groups in collaboration with Snyk’s operations personnel.

Snyk’s application cluster is protected by a security group, which provides network access filtering from the broader Internet. Filtering is maintained to allow incoming connections only on specific ports and protocols required for the cluster’s standard operation.

Database ports are not exposed to the Internet. Additionally, Snyk uses a configured host-based firewall to further isolate traffic on individual instances.

Changes to the security groups, network layout, ports, firewalls, routers or other network infrastructure need to be approved by the head of IT, and executed by at least two technicians, followed by a manual check for consistency.

For Distributed Denial of Service (DDoS) mitigation, Snyk relies on Google’s proprietary DDoS mitigation techniques that reduces exposure to successful DDoS attacks, and also provides further Internet access diversity by using a large number of ISPs.

Google also maintains the capability and responsibility for detecting illicit port scans on Snyk’s cloud environment. While port scans are generally ineffective against Snyk’s cloud environment due to the minimal number of inbound open ports, when unauthorized port scanning is detected, scans get blocked and notifies Snyk personnel are notified.

System Hardening

Snyk employs best practices around hardening production servers to minimize risk surfaces and keep up to date with latest security standards.

All of Snyk’s hardware servers are virtual and provisioned from certified and reliable images. The CISO and head of IT are subscribed to the security update feeds of the relevant operating systems and security patches are regularly applied, with the critical updates being applied within 24 hours of release.

Filesystem permissions follow a least-privilege approach, where folders and files are carefully assigned to groups and users who need the relevant read or write access.

Legacy services such as telnet-server; rsh, rlogin, rcp; ypserv, ypbind; tftp, tftp-server; talk, talk-server are removed. Other services/daemons are only executed as needed, on non-standard ports.

All servers are installed with OSSec for server level monitoring.

Root user is set to ‘nologin’, and any access to the machine needs to be made with personal accounts to allow auditability. SSH access requires key and password.

All virtual hardware is routinely respun from the certified image to prevent long standing breaches or data leaks.

Network, routing and other infrastructure are all virtual and managed by our cloud platform (Google Cloud Platform), who are responsible for keeping those property patched and up to date.

Monitoring

Snyk uses multiple internal and 3rd-party tools for monitoring its production environment and protecting it against potential threats or errors:

  • An internal notification mechanism is in place to alert Snyk operations and support teams on different anomalies detected in production.

  • Google Cloud Monitoring analytics tool is configured to continuously monitor Snyk’s production environment status, including server availability, CPU, memory, disk space and other key metrics; the Cloud Monitoring tool also sends alerts to Snyk’s operations team based on preconfigured policies.

  • Pingdom website monitoring tool is used to further track uptime and performance of the website

  • Logz.io is used for continuous log monitoring and archiving

  • Sentry is used for live production bug and regression tracking

An internal production monitoring dashboard aggregates information from Snyk’s multiple systems and provides Snyk operations personnel with a clear view of Snyk’s production environment status.

Snyk also operates a support ticketing system allowing administrators and end users to report any issues or errors they encounter while using Snyk’s web based solution.

Information Systems Security Management

Laptop Security Controls

Snyk’s R&D, Operations and Support departments use exclusively Apple OSX operating systems. To maintain the security of Snyk data on laptop and desktop computers, Snyk has implemented the following controls:

  • Standardized password authentication requirements, enforcing password strength of at least 8 characters.

  • Enforcing screen lock after 10 minutes of inactivity

  • Enforcing hard drive encryption (FDE) using FileVault

  • Usage of OSX built-in firewall

Additionally, Snyk employees are encouraged to install only reputable software, to regularly patch their preferred browser and regularly run Mac OS’s Software Update.

Vulnerability Management

Snyk cloud servers use the Ubuntu Linux distribution. The Ubuntu Foundation demonstrates their security commitment by frequently updating their host operating system to address security issues.

In addition, Snyk’s security officer receives periodic notifications from various information security resources. When a threat is discovered, an assessment of its impact is performed and mitigation steps are planned and implemented by the Snyk R&D team. Critical vulnerabilities are mitigated within a period of 30 days.

Source Code Controls

Snyk maintains its source code in private repositories on GitHub. Access to the relevant repositories is restricted to Snyk personnel required to have access to source code as part of their duty. GitHub access requires MFA (Multi Factor Authentication) for all employees and contributors.

Incident Reporting and Management

Snyk is committed to reporting any incident that may impact its customers as soon as possible, especially when customer data may be involved. Customers will be notified by Snyk once an incident that potentially impacts them has been confirmed. As the incident investigation proceeds, customers will receive proactive updates on the nature of the incidents and its impact on them.

Customers can also use Snyk’s support ticketing system for reporting any suspected security incidents.

If an actual security breach occurs, the following actions will be taken:

  1. Public access to the breached system will be disconnected.

  2. All access and audit logs during the previous 30 days will be copied to a side location.

  3. The CEO, security officer and legal counsel will be immediately notified.

  4. Details of the breach will be investigated, and all necessary measures will be taken to secure the cause of the breach and prevent similar breaches in the future.

  5. Affected parties, including customers, if affected, will be notified, subject to the provisions of the applicable law and pursuant to Snyk's contractual obligations.

  6. The breached system will go through a full security scan.

  7. The security officer will issue a report of the incident and the measures taken to resolve it

At the conclusion of an incident, a post mortem session is conducted with the relevant Snyk personnel to assess underlying causes, determine longer term needs and improve Snyk’s risk and incident management processes.

External notifications for incident reports:

Who

Emaill

Google/Apigee

external-incidents@google.com

The Guardian

infosec@theguardian.com

Disciplinary Action

 Disciplinary action may be taken against personnel who violate or disregard the rules and guidelines contained in this Information Security Policy.

Policy Review

Snyk's security officer will review this policy at least every 6 months and following every major security incident, will make amendments as necessary, submit new versions of the policy to
Snyk's CEO's approval, and distribute them to all Snyk personnel.

Patch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo Segment

Snyk is a developer security platform. Integrating directly into development tools, workflows, and automation pipelines, Snyk makes it easy for teams to find, prioritize, and fix security vulnerabilities in code, dependencies, containers, and infrastructure as code. Supported by industry-leading application and security intelligence, Snyk puts security expertise in any developer’s toolkit.

Start freeBook a live demo