Skip to main content
Customers

Helvetia

Helvetia’s move to cloud leads them to Snyk

Setor: Finserv
Location: Switzerland

Products Featured

Snyk Container

Destaques:

Automatically detect lifecycle issues on their own written software

Transparency into the health of their applications

Enable development teams to evaluate the security of third party components they’re using in their application

The Challenge

As the Helvetia team started moving away from an in-house development stack on their journey to the cloud, this required renewed focus on security requirements and as such, an overview of the risks they were facing by running their own written software on cloud infrastructure.  They were managing their application security manually and included OWASP dependency checks and external security reviews.  However, since there were a lot of new applications in their environment, the process was too slow.  As they were developing software, they set up middleware and needed a tool to cover all the dependencies.  They wanted to move from a mode of “protection” with late-state security testing to “detection” earlier in the SDLC, effectively shifting left.  This required a tool to provide reporting in an automated manner.  Additionally, their legal team wanted a solution that would provide visibility into license use on their software.  The requirements for a detection software platform included:

  • Automated reporting on: 

    • Vulnerabilities in used dependencies

    • Lifecycle management

    • License use

  • An integration into the development cycle

  • Native support for:

    • Scanning container images

    • Code dependency scanning

  • Remediation information

  • Integration with Kubernetes / Openshift

  • Dependency scanning of their main programming languages

  • Compliance with ISMS and ISO 27001

The Solution

In order to migrate Helvetia’s runtime and development environments onto cloud infrastructure, the team knew its goal was to have an overview and health check of all the applications running on their platform. After evaluating over 20 vendors against their criteria, they realized they’d require mature platforms like AWS, Openshift and Snyk to build and develop the Helvetia Container platform.

Snyk was the solution that best fit their addressed needs, particularly with regards to lifecycle management and license management.  Additionally, the Helvetia team found Snyk would be able to meet their key dependencies like support for Java/Maven, Typescript/NPM, Python and .NET.  For developers they wanted a tool which they simply could use via a CLI and an integration in their IDE tool IntelliJ.  Also important was the Bitbucket Server integration to scan repositories directly from Bitbucket.  Ultimately the whole CI/CD integration was key to test each build and inform them when any of their internal requirements were being violated.

Moreover, Snyk’s pricing model allowed Helvetia to start small based on their number of users and scale over time.  This was important since it accommodated their incremental shift to cloud so that as Helvetia grew, Snyk could grow with them.

The Impact

Since implementing Snyk, the team can automatically detect lifecycle issues on their own written software and use Snyk reporting to check for certain dependencies.  They’re also able to put used dependencies on a higher level of abstraction into their lifecycle management tool, LeanIX. This enables them to track usage of dependencies and identify end-of-life issues.

Their CTO requires that they complete a security test before an audit and while this can uncover a lot of findings, it also takes time to manage.  But the low hanging fruit is now taken care of with Snyk and they can prioritize pen tests and audits for critical applications.

The Helvetia team now has transparency into the health of their applications and their development teams have the tools to better evaluate which third party components they’re using in their applications.  This has enabled a continuous security approach.  In Björn’s words,

“We need to have quality assurance during development which Snyk helped us achieve.  We couldn’t have made it this far without a tool like Snyk.”

Red Hat OpenShift Integration with Snyk

Currently the team uses the Snyk Container / OpenShift integration to scan running container workloads and is working on defining architecture of applications running on OpenShift.

Since the team at Helvetia doesn’t have any cloud experience in AWS or Azure, they sought out a platform to inform them what their cloud provider is doing and how they are performing. They didn’t want vendor lock with their cloud provider and as Björn has said “Openshift provides this for us.  We don’t have a lot of experience with containers and Openshift allows us to manage containers and security build-in which is really important for us as an enterprise.” 

Openshift is one of the container runtimes that allows the team not to have to build themselves.  In addition, Openshift provides a lot of benefits to optimize the developer experience. They can hide or extract some underlying cloud details from the cloudshift interface and not have to worry about what’s under the hood.  This has alleviated any worry about libraries and databases and provided developers more transparency.

/about/ Helvetia

Background:

Helvetia Insurance is a top three, all lines insurance company based in St. Gallen, Switzerland, offering a wide variety of products across multiple brands.  Over the last several years, they have seen a number of mergers and acquisitions which have added to the complexity of their IT environment and resulted in the adoption of and requirement for new applications to support the business.  Part of this activity prompted a move to cloud and with it, a new way of managing security.

The Team

Björn Fisher, Software Engineer is part of the Frontend Solutions Technology team tasked with looking for new ways to develop, run and provide software solutions for customers of Helvetia, ensuring a great user experience.  Their stakeholders include: 

  • Information Security whose priority is to "detect before protect."

  • Developers from different business units who need to create software and who look for new services they can use within their software to bring a better user experience to their customers

  • Lifecycle management, now focusing on their new platform

  • Their CTO whose requirements for the platform include cost savings, audit needs, vulnerability scans, and licensing

  • Their Cyber Defense Center who is a consumer of their data