How Comic Relief’s developers used Snyk to automate security and boost productivity as part of their Digital Transformation.
Ellen Van Keulen
22 March 2018
Snyk helped Comic Relief to capitalize on the agility of using open source while staying secure. Dev team resources were freed up — no longer needing to “focus on the mundane things, like the security of third party systems” — because Snyk integrated easily into Comic Relief’s Concourse CI serverless deployment pipeline, allowing junior developers to use Snyk to proactively remediate vulnerable libraries.
“It’s incredibly hard to do due diligence on the vast amounts of 3rd party libraries we use: Which have been well maintained? Which have proven security posture? When we heard about Snyk we thought it’s a ‘no brainer’ and we have to start using Snyk!”
Peter Vanhee, Engineering Practice Lead at Comic Relief
Challenges
For companies going through a digital transformation, Comic Relief’s story will resonate. Digital transformation replaces a “waterfall” approach, where tools, code and builds are vetted centrally, with dev teams that choose their own tools, use open source libraries and deploy continuously. Using third party libraries increases agility and productivity, but it also introduces security risk. As Girish Nair, Head of Engineering for Comic Relief, explains, “Prior to having Snyk, outdated dependencies were definitely a major concern. We didn’t have time to research each package for security posture or for security vulnerabilities or put a system in place to apply manual patches.” Comic Relief has to be risk averse and takes security incredibly seriously: “We want to do justice to our donors. We don’t want their data to be lost, we don’t want their transaction to be declined, we want to be worthy of their trust.” Balancing staying secure with being agile and using open source libraries was a significant challenge: “there was no safe method of choosing the right set without investing significant resources, which we could better invest elsewhere”.
How Snyk Helped
While Comic Relief’s use of serverless is still evolving, the company very easily integrated Snyk into their Concourse Continuous Integration deployment pipeline.
As part of the deployment pipeline, Snyk checks the dependencies in use for known vulnerabilities. If a vulnerability is found, the deployment is stopped. Separately, if new vulnerabilities are discovered by the Snyk Security team (or others), or a new fix becomes available, either as an upgrade or a patch, Snyk sends a notification by email and to the Comic Relief dev team’s Slack channel. The Snyk alerts are triaged during the daily scrum, and the Comic Relief team decide who owns the remediation of each vulnerability.
Comic Relief puts a lot of emphasis on growing junior developers. One key advantage of Snyk is how easy it makes fixing vulnerabilities. Using the Snyk CLI’s snyk wizard command, developers of all levels can secure the third party code they use.
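As an added illustration of the gating described above (this is not Comic Relief’s or Snyk’s own pipeline), a Concourse job can run snyk test before the deploy task so that a non-zero exit halts the pipeline, then run snyk monitor so that Snyk can alert on vulnerabilities disclosed later. The repository URI, job and task names, and the ((snyk-token)) credential name are placeholders.

```yaml
# Added example (not from the original page). Placeholders: repository
# URI, job/task names, and the ((snyk-token)) credential-store entry.
resources:
  - name: app-source
    type: git
    source:
      uri: https://github.com/example-org/example-app.git   # placeholder
      branch: master

jobs:
  - name: test-and-deploy
    plan:
      - get: app-source
        trigger: true                  # run on every push to the branch
      - task: snyk-test
        config:
          platform: linux
          image_resource:
            type: docker-image
            source: { repository: node, tag: "8" }
          inputs:
            - name: app-source
          params:
            SNYK_TOKEN: ((snyk-token)) # API token injected from the credential store
          run:
            path: sh
            args:
              - -ec                    # -e: any failing command fails the task
              - |
                cd app-source
                npm install
                npm install -g snyk
                # Fails (non-zero exit) on high severity issues, which stops
                # the pipeline before the deploy task can run.
                snyk test --severity-threshold=high
                # Records a dependency snapshot so Snyk can notify the team
                # (email / Slack) when a new vulnerability or fix appears.
                snyk monitor
      - task: deploy
        # Only reached when snyk-test succeeded.
        config:
          platform: linux
          image_resource:
            type: docker-image
            source: { repository: node, tag: "8" }
          inputs:
            - name: app-source
          run:
            path: sh
            args: ["-c", "echo 'placeholder deploy step for app-source'"]
```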
“You can tell Snyk was built by developers for developers”
Peter Vanhee, Engineering Practice Lead at Comic Relief
The Results
Since integrating Snyk, the Comic Relief dev team can focus on developing their code and rely on Snyk to secure their open source libraries. “With the automation that Snyk provides we have been able to divert head count from mundane manual security work to highly productive feature development. Due to Snyk alerting us on new vulnerabilities in the form of a Pull Request (that already includes the “fix”), we have shrunk what would otherwise be a lengthy triage->remediate manual flow to a simple “merge” we can do in minutes.”
“We would recommend Snyk especially to agile teams doing big things fast, and those who also have an eye on security and are big on all aspects of quality.”
Peter Vanhee, Engineering Practice Lead at Comic Relief
About Comic Relief
Comic Relief is a major UK charity, with a vision of a just world, free from poverty. Well over 1 billion pounds has been raised in the UK since its launch in 1985 by running Red Nose Day, a biennial telethon held in March, alternating with sister project Sport Relief. In May 2015 NBC aired the first ‘Red Nose Day’ in the US, and it has continued annually since.
For more information about how you can leverage Snyk for your protection, drop us a line: contact@snyk.io