Snyk Security Addendum
Audits and Certifications
Snyk operates a formal Information Security Management System (ISMS) which is independently certified annually against ISO/IEC 27001:2013, with the additional objective controls of ISO/IEC 27017:2015. In addition, Snyk undergoes an annual ISAE 3402 SOC 2 Type II audit to independently verify the effectiveness of its information security practices.
Snyk uses Google Cloud Platform (GCP) and Amazon Web Services (AWS) for its computing and storage needs, both of which maintain appropriate information security certifications.
Information Security Resourcing
Snyk maintains a dedicated Information Security and Risk team responsible for security risk throughout Snyk. It is split into three teams:
- Security Engineering - development and maintenance of 24x7 enterprise security capabilities
- Product Security - delivery and operation of secure internal and external products
- Audit & Assurance - measurement and articulation of risk, opportunity and compliance
- Snyk is audited annually against the ISAE 3402 SOC 2 Type II standard.
- Snyk undergoes penetration tests at least annually.
- Snyk is audited annually against ISO/IEC 27001:2013 and the additional objective controls of ISO/IEC 27017:2015.
- The CEO is the executive sponsor of the ISMS and receives monthly updates from the Information Security & Risk team.
Snyk will provide copies of its ISO certificates, Statement of Applicability, SOC 2 report and external penetration test report on request.
Personnel Security
- All employees are subject to background checks, including right to work, employment history and criminal records checks, as permitted by applicable law.
- All employees are required to sign confidentiality clauses as part of their acceptance of employment and must read and indicate acceptance of our security policies as part of onboarding.
- Security awareness training is provided at hire and throughout the year as part of a structured program, with regular refresher training.
Access Control
- We use Okta as our central directory, which also enforces multi-factor authentication for logins.
- Administrative activity within the application, by both customers and Snyk staff, is logged and retained for at least 90 days.
- Starter-mover-leaver processes are managed according to a formal, ticket-based process. Access is provisioned on a role basis according to the principle of least privilege, and six-monthly access reviews are conducted. Access to core tools is removed within 24 hours of termination.
Logging and Monitoring
- Snyk’s systems and network are monitored for security incidents, health abnormalities and availability.
- Snyk’s production cluster is monitored by Wazuh, Akamai WAF and custom GCP alerting rules.
- Snyk user laptops run a centrally managed Jamf EDR client.
- Snyk’s Information Security and Risk team is alerted to any suspected or actual incidents or abnormalities.
Encryption
- Sensitive customer data is encrypted at rest with AES-256.
- Data is encrypted in transit with TLS 1.2 or higher.
Vulnerability Management
- Snyk maintains a formal vulnerability management program.
- Snyk aims to patch all critical vulnerabilities within 24 hours of identification.
- Internal scanning is carried out against our infrastructure on a regular scheduled basis.
- External penetration testing is carried out by an independent third party at least annually.
Secure Development Lifecycle
We operate a formal SDLC that includes:
- Container image management
- Independent validation of code changes
- Pair programming
Supply chain risk management
- All security-impacting suppliers must undergo a security audit and sign standardised contractual security terms.
- Suppliers undergo re-review at least annually, or sooner if a significant change occurs to the service offering or access requirements.
Incident Management
- We operate a formal incident management framework supported by senior engineering leadership and the Information Security & Risk team.
- The incident management plan is reviewed at least annually, with regular training, exercises and drills.
- We will inform customers of any security incident that impacts their data within 72 hours of discovery.
Disaster Recovery / Business Continuity
- Snyk maintains a formal business continuity and disaster recovery program.
- Disaster recovery exercises are performed annually. The scope of the simulated disaster and the infrastructure treated as impacted are chosen based on a combination of the likelihood of an incident and the readiness of the team to react.
- Redundancy & hot standby. Each Google Cloud SQL deployment includes a mirror replica set up as a hot standby, with data synchronized as fast as data increments can be shipped between GCP datacenters. The Google Cloud SQL service is configured for automatic failover, allowing a seamless takeover by the hot standby if the primary instance fails. The mirrored replica resides in a separate GCP availability zone; availability zones are physically separate within GCP’s infrastructure, enabling the continuity of Snyk services even in the unlikely event that one GCP datacenter becomes unavailable.
- Snapshots & point-in-time backups. Full database snapshots are taken daily and stored with a minimum retention of 90 days. Each snapshot is replicated to multiple GCP Cloud Storage locations across multiple availability zones and multiple regions. Daily backups provide a last-resort recovery in case of massive data corruption or loss.
Privacy
- The Snyk Legal & Compliance team is responsible for managing privacy compliance and processes, with support from the Information Security & Risk team.
- We perform annual privacy training for all employees and operate a Privacy Champions program to build engagement and knowledge of privacy issues and requirements at the team level.
Cyber Liability Insurance
- Snyk maintains cyber liability insurance with a limit of $20,000,000 per event and $20,000,000 aggregate including primary and excess layers.