
How Axel Springer National Media and Tech achieved continuous security with Snyk


September 3, 2024


At this year’s AWS Summit in Berlin, the Snyk team had the opportunity to speak with Snyk customer Michael Steiner, CISO for Axel Springer National Media and Tech. Their conversation touched on our partnership with Steiner’s team, including their decision to use Snyk following Log4Shell, the implementation of Snyk Code and Snyk Open Source into existing development processes, and the specific outcomes that the team measures today. Read on to learn more about Axel Springer’s shift-left security journey. 

Overview of Axel Springer National Media and Tech

Axel Springer is a leading digital publisher in Europe. Its National Media and Tech business unit offers tech services and digital products for newspapers and other media brands. Over 600 brands use Axel Springer’s digital journalism solutions, with over 3 million unique users leveraging its digital products and applications. 

The Axel Springer team has implemented a flat team organizational structure, assigning the development teams shared responsibility for quality assurance, IT, and security. They believe that because the developers are closest to their own products, they will know the best ways to integrate these steps seamlessly. As part of this flat model, Axel Springer’s developers primarily run their own infrastructure as code (IaC) on AWS.

“We don’t have a big security team or SOC,” Steiner explained. “We believe that developers can do this job. The idea is to have tools in place that help the developers fix vulnerabilities as early and as efficiently as possible and also support automated processes.”

The challenge of inconsistent security processes and tooling

Prior to implementing Snyk, Axel Springer did not have a consistent, company-wide process for finding and fixing vulnerabilities in code. The team used some open source AppSec tools, such as SonarCloud, but did not roll out this tooling to the entire company. Plus, this approach only brought static code analysis to some teams, missing other important aspects of the organization’s app development structure, such as IaC, open source, and containers.

In addition, Axel Springer’s team had no end-to-end visibility of their applications, making it challenging for teams to understand which vulnerabilities their repositories contained. The development teams also drove all security processes manually, which took lots of time and effort. For example, they responded to Log4Shell by manually compiling data usage across the organization into a spreadsheet and then taking remediation actions based on their findings.

“We had no real process, at least not over the whole company… We also had no visibility into the vulnerabilities. Even the teams themselves did not know how many vulnerabilities they had across their repositories.”

- Michael Steiner, CISO, Head of Competence Center Quality and IT Security, Axel Springer

Shifting left with Snyk Code and Snyk Open Source

While most of the teams across Axel Springer National Media and Tech used manual processes to find instances of the Log4Shell vulnerability, one team was running a proof of concept (POC) with Snyk. This specific team saw Snyk in action, as they quickly identified Log4Shell usage across their repositories and took action in a fraction of the time. 

According to Steiner, “With the Snyk [POC], it was quite easy to find out where this team was impacted by the vulnerability. That was our use case to show to management and say, ‘We need to have these kinds of tools to have this transparency — especially when a vulnerability comes up.’”

After this incident, the Axel Springer team implemented Snyk Code and Snyk Open Source, equipping its developers to find and fix vulnerabilities as early in the pipeline as possible.

“We’re using Snyk Code and Snyk Open Source currently, over 700 repos actually… and 300 developers using these tools. So we have the implementation in the IDEs, we have the implementation in the pipelines, the integrations with Jira, and a lot of automation done, all thanks to Snyk.”

- Michael Steiner, CISO, Head of Competence Center Quality and IT Security, Axel Springer

The Snyk team integrated with Axel Springer’s entire software development lifecycle through the following steps:

  • Scanning from within the integrated development environment (IDE) and offering fixes at pull request

  • Scanning within the CI/CD pipeline with a command line interface (CLI) scanner

  • Synchronizing all existing repositories with Snyk to identify vulnerabilities later in the pipeline and alert the responsible teams

  • Identifying vulnerabilities in production (e.g., zero-day vulns, novel threats)

Axel Springer’s full security transparency

Today, the Axel Springer National Media and Tech team has over 90% security scan coverage of its relevant repositories. Thanks to this high level of security coverage, the team now has complete transparency into its existing code and open source vulnerabilities and can continuously fix new vulnerabilities throughout the SDLC. 

Steiner said, “Now, we have this transparency and can motivate teams to implement processes that fix vulnerabilities continuously. That’s important because if you look at vulnerabilities once in a while, that's not enough. This transparency also helps us bring these topics up to management. Having this transparency, I think, is the most important value we see, and Snyk provides that.”

Moving forward, the team hopes to use Snyk Open Source’s licensing compliance features more frequently, which will help them decide which products or repositories to sell to other companies based on these prospective customers’ licensing requirements.

In addition, the team will move towards a more risk-based approach in the future. They aim to start labeling projects by business criticality and prioritizing vulnerabilities based on a risk score that accurately ranks potential impact on the organization. This will allow them to prioritize the fixes that matter most, depending on the exact location of each vulnerability. They plan to adopt Snyk AppRisk to support these initiatives.