How we secure our SDLC process with Snyk at OY! Indonesia

Gelar Adhiluhung
Published in OY! Indonesia
4 min read, Sep 4, 2023
Image source: https://vpnoverview.com/id/keamanan-internet/bisnis/apa-itu-secure-coding/

In the rapidly evolving digital landscape, security is of utmost importance, particularly for fintech companies like OY! Indonesia. The financial transactions, sensitive user data, and proprietary algorithms they handle make them prime targets for cybercriminals seeking to exploit any weaknesses in their code. Code-related security issues, if left undetected, can lead to data breaches, financial losses, reputational damage, and regulatory non-compliance. This article examines how OY! Indonesia addresses these security challenges through the adoption of Snyk to enhance its overall security posture.

Leveraging Snyk for Enhanced Security at OY! Indonesia

OY! Indonesia has embraced Snyk as one of its security strategies. Snyk offers distinct advantages over self-managed solutions such as SonarQube by streamlining security efforts at OY! Indonesia. With Snyk, the operational burden of maintaining the security stack is significantly reduced, allowing teams to offload infrastructure management and focus more on rapid vulnerability remediation.

To proactively identify and address vulnerabilities, we perform static code analysis on our code repositories using Snyk’s Static Code Analyzer. This scheduled analysis provides timely feedback to developers on potential security issues, allowing for effective prioritization of remediation efforts. To ensure that no vulnerability goes unnoticed, we implemented a reminder system, alerting engineers every time a new report is available. This approach fosters a proactive and consistent focus on code security throughout the development lifecycle.

Furthermore, given that a significant portion of OY! Indonesia’s workload operates within a containerized environment, securing Docker images becomes a top priority. To address this, we utilize Snyk’s Docker Image Scanner to assess the security posture of container images.

Run a Security Incident Response Team

OY! Indonesia has implemented a vulnerability ticketing system to streamline and prioritize the vulnerability remediation process. The vulnerability ticketing and reporting follow these key steps:

1. Initial Review of Security Findings:

The security team at OY! Indonesia initiates the vulnerability management process by reviewing the comprehensive security findings generated by Snyk. These findings encompass code-related vulnerabilities detected during static code analysis and potential risks identified in Docker images through the Docker Image Scanner.

2. Ticket Assignment:

After a thorough review, the security team assigns individual tickets to the relevant teams or code owners responsible for the affected codebase. Since the context of most findings lies within the scope of specific teams, this approach ensures accountability and targeted remediation efforts. Each ticket includes a summary of the vulnerability and its corresponding severity level, providing clarity to the assigned teams.

3. Further Review and Validity Check:

Upon receiving their respective tickets, the assigned teams or code owners conduct a deeper investigation into the identified vulnerabilities. They assess the validity of each finding, verifying whether it indeed poses a security risk or is a false positive. If a finding is deemed valid, the team acknowledges the issue and commences the remediation process. If a finding is found to be invalid, the responsible team promptly marks it as such and reports the resolution back to the security team.

OY! Indonesia Security Incident Response Process

To ensure that vulnerabilities are addressed promptly, OY! Indonesia establishes distinct Service Level Agreements (SLAs) based on the severity of each vulnerability. These SLAs guide the remediation efforts and set specific timeframes for resolution.

  1. Medium and Low Severity: For vulnerabilities categorized as medium or low severity, the assigned teams have the flexibility to include the remediation process as part of their backlog. Remediation efforts are prioritized and addressed based on resource allocation within each team.
  2. Critical and High Severity: For vulnerabilities categorized as critical and high severity, immediate action is mandatory. The assigned teams must prioritize the remediation process and ensure that the issue is resolved within the defined SLA.
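The three ticketing steps above and the severity-based SLAs can be modelled as a small triage routine. The code below is an added illustration, not OY! Indonesia's tooling or Snyk's API: the SLA durations, the repository-to-team mapping and the findings list are constructed placeholders, and the finding shape is a simplified one rather than Snyk's real output schema.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
AS_OF = datetime(2023, 9, 4)  # constructed reference time for the example
# Assumed SLA windows per severity: the article defines SLAs by severity but does
# not publish the durations, so these are placeholders, not OY! Indonesia's values.
# Medium and low findings get no deadline; they go to the owning team's backlog.
SLA_WINDOWS = {"critical": timedelta(days=1), "high": timedelta(days=7)}
# Assumed repository -> owning team mapping (constructed example data).
CODE_OWNERS = {"payments-api": "team-payments", "disbursement-worker": "team-disbursement"}
# Constructed findings in a simplified shape, not Snyk's real output schema.
SAMPLE_FINDINGS = [
    {"id": "F-1", "repo": "payments-api", "severity": "High", "title": "SQL injection in refund handler"},
    {"id": "F-2", "repo": "payments-api", "severity": "Low", "title": "Verbose error message"},
    {"id": "F-3", "repo": "disbursement-worker", "severity": "Critical", "title": "Base image ships unpatched OpenSSL"},
    {"id": "F-4", "repo": "legacy-batch", "severity": "Medium", "title": "Outdated logging library"},
]

@dataclass
class Ticket:
    finding_id: str
    repo: str
    owner: str
    severity: str
    summary: str
    deadline: Optional[datetime]  # None means backlog, no SLA clock running
    status: str = "open"

def triage(findings, now, owners=CODE_OWNERS):
    """Steps 1-2: one ticket per finding, routed to the code owner, with an SLA
    deadline derived from severity. Unrouted repos stay with the security team."""
    rank = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    tickets = []
    for f in findings:
        sev = f["severity"].lower()
        window = SLA_WINDOWS.get(sev)
        tickets.append(Ticket(f["id"], f["repo"], owners.get(f["repo"], "security-team"),
                              sev, f["title"], now + window if window else None))
    tickets.sort(key=lambda t: (rank.get(t.severity, 4), t.finding_id))  # most urgent first
    return tickets

def validate(ticket, is_valid):
    """Step 3: the owning team confirms the finding or marks it a false positive."""
    ticket.status = "acknowledged" if is_valid else "false_positive"
    return ticket

def overdue(tickets, now):
    """Unresolved tickets whose SLA deadline has passed; feeds the reminder system."""
    return [t for t in tickets if t.deadline is not None and t.deadline < now
            and t.status not in ("resolved", "false_positive")]
```

Running `overdue(triage(SAMPLE_FINDINGS, AS_OF), later)` gives the list a reminder job would nag engineers about; false positives drop out of it once the owning team marks them.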

Impact on OY! Indonesia’s Overall Security Posture

By integrating Snyk and the vulnerability ticketing system into our development workflow, we have seen several positive outcomes that enhance our overall security posture:

  1. Following Security Best Practices: Snyk’s Static Code Analyzer nudges developers towards adhering to security best practices (OWASP Top 10, SANS 25, and CWE) during the development process. As a result, the code produced is more resilient to potential attacks, reducing the overall attack surface.
  2. Spotting Insecure and Deprecated Code: The continuous monitoring of dependencies and container images by Snyk enables OY! Indonesia to identify and eliminate insecure and deprecated code. This proactive approach helps prevent potential security incidents and ensures a more secure application ecosystem.
  3. Timely Vulnerability Remediation: The vulnerability ticketing system, coupled with defined SLAs, facilitates prompt attention to critical vulnerabilities. This approach ensures that potential risks are mitigated swiftly, minimizing the window of exposure to threats.

Conclusion

OY! Indonesia’s commitment to security is evident through its adoption of Snyk and the implementation of a vulnerability ticketing system. By prioritizing code-related security and leveraging Snyk’s powerful features, OY! Indonesia has fortified its security framework and minimized the risk of potential security breaches. As the fintech landscape continues to evolve, OY! Indonesia remains dedicated to upholding the highest standards of security, safeguarding its applications and data, and maintaining the trust placed in the company by its customers and stakeholders.
