What is our primary use case?
How has it helped my organization?
It gives us a uniform way to access the vulnerability information across a wide range of projects, teams, and structures. Once there were teams in Snyk, I was able to move people around if they wanted to see other projects or had questions about how other teams were doing things. Instead of having to tell a team, "Oh, you're using this language so you have to use this tool," or, "You're using this language so you have to do it this way or that way," all the reports are uniform, which makes viewing everything a lot easier than piecing things together.
Snyk reduces the amount of time it takes our guys to find problems. It's tough to estimate how much it has reduced the time because we didn't really have a process before to aggregate as much information on as wide a range of projects as we do now. We don't really have a great basis for comparison. But judging from the fact that we didn't do any of this before and teams were pretty blind about the health of their dependencies and versions, this has not only been a time saver, but the biggest win is enlightenment and ease of use to actually be able to get this information in the first place.
As far as the amount of time it takes to triage vulnerabilities and go through the upgrade process, it's definitely more streamlined, overall.
An example of the way it has affected the overall security of our applications is from during one of the first weeks that we rolled it out with one of our projects. We went from 15 vulnerabilities in it to four or five, and those four or five were un-upgradable and we were not affected by them. That means we were able to knock out any vulnerabilities in that project right away, which was a few quick wins for us, compared to who knows how long all of those had been in the project. We hadn't really known that until we turned Snyk onto the project and then we solved those within a week.
What is most valuable?
The most valuable features are their GitLab and JIRA integrations.
The GitLab integration lets us pull projects in pretty easily, so that it's pretty minimal for developers to get it set up.
Using the JIRA integration, it's also pretty easy to get the information that is generated, as a result of that GitLab integration, back to our teams in a non-intrusive way and in a workflow that we are already using. Snyk is something of a bridge that we use; we get our projects into it and then get the information out of it. Those two integrations are crucial for us to be able to do that pretty simply.
The ease of use for developers, on a scale of one to 10, is about an eight. The main feature of the reporting on the vulnerabilities and the information that you get from that are really easy to go through and use and interact with, whether it's pushing it to JIRA or ignoring certain vulnerabilities if you're not at risk. There are a couple of parts that, once you get into the settings a little bit more, are a little confusing and tricky. That's why it's not a nine or a 10, but the main features are pretty well done and easy to use.
The solution's ability to help developers find and fix vulnerabilities is pretty fast. The scanning for all of our various code bases could probably be done in under five minutes. It gives pretty clear information to developers, right away, about what we are vulnerable to and what we will be vulnerable to. Even if a fix or a patch is not out yet for a certain vulnerability, it will still give us that information. It also tells us what versioning, specifically, we need to upgrade to, which helps us determine the best upgrade path for ourselves, because sometimes our projects that are a little bit restricted as far as versioning goes.
What needs improvement?
Because Snyk has so many integrations and so many things it can do, it's hard to really understand all of them and to get that information to each team that needs it. Since I was the one who originally set up Snyk, I have been in charge of evangelizing all the features of it, but that's almost a full-time job, and that's not my entire job. I haven't been able to get all of that information out quite as well as it could be. If there were more self-service, perhaps tutorials or overviews for new teams or developers, so that they could click through and see things themselves, that would help.
There is so much in there already that it's easy to get a little bit lost, but thankfully they also have great documentation on pretty much all of the features and plugins, to understand them. So it can be up to the person, depending on how much of a self-starter they are, to see an integration and then go poke around and figure out how to get things working.
For how long have I used the solution?
I have been using Snyk for about a year.
What do I think about the stability of the solution?
In terms of downtime there have been some road bumps with version upgrades and things, but otherwise it's pretty much a self-running service, and the day-to-day maintenance is pretty low.
The solution itself is really well done. We know that being on-prem is a little bit tougher because the roll-out cycle is a little slower. They're actively investigating ways around that, including having us beta their AWS Snyk on our AWS account. That would remedy our upgrade issues, where the upgrades are only happening about once a month, versus their SaaS offering, which has continuous updates.
Once we've upgraded, we've been fine, but the upgrade path itself has been a little bumpy. But they've got solutions that they're working on to meet customers halfway between that on-prem solution and the SaaS offering, which is definitely something that is nice to see. It's also good to see that they're working on what they know are some of the pain points in their product.
What do I think about the scalability of the solution?
We haven't had any issues as far as scalability goes. That hasn't even actually crossed my mind, as far as worrying about any sort of limits that we might have. Maybe we'll get there one day, but at the moment that's something that seems somewhat far off. Understanding the way they built the product too, especially the on-prem, we would probably be able to scale things if we really needed to.
At the moment we have about 50 users in the tool itself, users who go in and look at results. But we have about another 100 or 150 who have their code actually scanned by Snyk, whether they know it or not, through our main application. Some of the GitLab applications have developers on the projects, but it could be that only their leads are in the Snyk tool at the moment.
Out of our total number of teams, about 60 to 70 percent are in Snyk at the moment. As time allows, and as the projects come up and the need arises, we plan to roll it out. There are some teams that don't have projects that would fall under Snyk's abilities at the moment, but there are still a couple of other teams that could definitely be added.
How are customer service and technical support?
They've been willing to help at every step of the way. I've been able to work directly with the engineers who actually built the tool. It's not like I'm going through some customer support team first and then having to open a case and raise it up through levels of support. I have a clear channel to the developers who built these plugins and integrations and who know how they work. They also have other tools that they've created on the side, tools that they see a lot of customers creating themselves. It's been helpful to get that extra help across the board, for whatever needs we have.
Which solution did I use previously and why did I switch?
We didn't have a direct previous solution. We did have a SAST tool that we had been using a lot across our main repositories. But we didn't have anything that would cover a lot of the other teams' languages and dependencies. This is the first big tool that we've introduced for scanning.
We went with Snyk because of the wide range of integrations and ease of use. Those were a couple of the big points, and the fact that they offered an on-prem solution.
How was the initial setup?
Because we were doing the on-prem version, it was a little bit more complex than it could have been. I was also a little bit new to some of the technologies that were used to set it up, so I was learning as I went.
When we initially got it up and running, it took another developer about a week to do that, maybe less. Once he trialed things and we signed our contract, he turned it over to me and that took a day and a half.
Our initial goal, once we got Snyk up and running, was to get it scanning our main repository, but not to block developers on vulnerabilities that were found. We came up with a solution that only dependencies that the developer had changed or touched in their commit would be scanned. That allowed us to focus in on having each developer own their changes, instead of blocking everyone due to any sort of vulnerability that came up in the project. Those were our immediate goals, and since then we've been expanding on things.
As for developer adoption, we've been spreading it out to more and more teams. As each team has gotten familiar with it, they've gotten around to other teams by word of mouth, using certain features. Right now, we have six different teams, and each team has anywhere from one to four projects in Snyk. We've been seeing pretty steady growth too. As new projects come up they're put in there right away so that developers know, right off the bat, if they have any issues or vulnerabilities in those projects.
The biggest point of friction was when we initially announced that we were going to block developers on vulnerable dependencies. The understanding was that we were going to block everyone on any sort of dependency change that had a vulnerability. But our very narrow focus on each developer's changes, specifically, allowed us to scope that down to the single developer that would be responsible for those upgrades, so that we wouldn't introduce new vulnerabilities in the first place. That was the biggest point of concern but we were able to remedy it and had a good story for it right away.
Since then, people have come to me and said, "How can I get this into Snyk?" and we've been able to work with the various teams. People have gone from fearing a tool of this nature to being able to use it to strengthen the security posture of their projects.
What about the implementation team?
Snyk helped us set it up, especially initially, and along the way too, as we've had questions.
What was our ROI?
Regarding time to value of the solution in our company, in our case we had to set up a couple of IP table rules that would allow Snyk to talk to the other infrastructure that we needed it to talk to. Once we had those things cleared up, getting the full use out of Snyk was super-quick, when it came to getting a project in there, scanning it, and getting the results back into something like JIRA for developers to more easily use going forward, and for monitoring their projects.
Which other solutions did I evaluate?
We used a couple of other tools, especially initially, to assess what we were going to go with. It seems that Snyk has not been deficient in any way in terms of the comprehensiveness and accuracy of the vulnerability database. It supports a wide range of languages as well. There's always information, it seems, on whatever language you would like, and our main ones are well supported. I don't feel that we're missing any vulnerability information there. I've never once thought, "Oh, I should go double-check this because Snyk might not have it." I haven't come across that situation.
What other advice do I have?
Focus initially on setting up a clear path for developers to integrate with the tool. Initially, most developers are not super excited about security tools and scanning in the first place; very few people are. So working on the developer adoption, and showing them what features are available and how that can directly benefit their projects, without their feeling like they have a lot of work to do, would be something that I would suggest for new teams.
The biggest lesson I have learned from using Snyk is that just when you think there are all the integrations offered in the world, there's another one. There was someone on our team that asked about an integration that they saw Snyk was offering, but it was only in their SaaS product at that time. The following month we got it in our product. They're coming out with new integrations all the time and improving the existing ones. Those are super helpful for meeting the wide range of needs across our many different teams here.
We have it running in our main repositories. We have Snyk continuously running there and scanning every commit that developers issue. We also allow developers to run the tool whenever they would like as well, on their other projects, or just to mess around with it, to get a better feel for it. We use things like TeamCity for our pipeline so we use a lot of Snyk's CLI scanning features to integrate with our tools, because some of our code bases have a little bit of a custom dependency setup. That means we have to do a couple of extra steps to get those to integrate smoothly.
Because of our custom workflows, there has been a little bit more manual work. Snyk has a lot of plugins, including a TeamCity plugin, that would be really nice to use out-of-the-box, but because of our more custom setup, we have had to do a little bit more manual work. The nice thing is that Snyk does allow us to still do that. It's not like we can only use exactly what they offer and that's it. Between their plugins and using the CLI, we're able to integrate in pretty much any environment we need.
I haven't gone through it to specifically look for false positives. Sometimes it will say there's a vulnerability and we turn out not to use that function or not to use that particular piece of that dependency.
Unfortunately, most of the containers we have scanned it against, and the ones that we use, are running an older operating system. Because the operating system is no longer actively supported, there are a lot of packages that need upgrades that we can't upgrade because we're blocked on the operating system upgrade itself. In that regard, we don't have too many actionable items from those scans. It does give us the information we need to understand how to prioritize the upgrade itself, versus upgrading the various vulnerabilities that came out of that scan.
When we have used it against some other containers, just to check as more of a one-off, it has come back with useful results. Recently there was one that had four results, and the team I was working with scanned it against multiple other tools as well, tools that they were looking at, and they all reported pretty similar things. That was good news to hear for Snyk, that we were right there and detecting everything correctly and had the same useful output.
Snyk's container security feature allows developers to own security for the applications and the containers they run in the cloud. We've been a little slow to get that fully integrated with all of our teams. We've mostly focused on our main application at the moment and I've had limited bandwidth to expand past that. But in general, both the container scanning as well as the other features of Snyk allow our teams to own their own security a little bit more, by the nature of the use of the tool and how easy it is to scan new projects or new container images. There's really nothing blocking our teams from discovering that on their own. I just haven't been able to get around to evangelizing all of the features of Snyk.
As for Snyk's lack of SAST and DAST versus the solution’s ease of use for developers, fortunately for us, we have other tools that cover those aspects and we've had those running for a while already, so we haven't really thought of those areas as lacking in Snyk. For us, it's really just been a tool that has been easy to use the whole time. If we were able to integrate more of the SAST portion especially, that would make the whole process a little bit more streamlined and potentially easier to work with. But at the moment, thankfully, we have a couple of workflows already set up for those various needs, things that really compliment each other well.
Which deployment model are you using for this solution?