
Security success in the Bay Area with Slack


May 17, 2023


Application security is constantly evolving — and there’s no better place to observe these changes than in the Bay Area. Silicon Valley is home to thousands of companies attempting to solve a multitude of problems, but one thing they all have in common is the often daunting task of risk mitigation.

In a panel hosted by Snyk, we discussed the ins and outs of building an application security program, and how Snyk has helped simplify the process, with David Aghassi and Atul Gaikwad. As Staff Software Engineer of Security at Slack, Atul led the rollout of Snyk for Slack’s development and security teams, and shared his first-hand experience with attendees. The contrast of David’s extensive development experience and Atul’s security knowledge made for an enlightening panel on what success in application security truly means.

First steps

For both David and Atul, integrating application security begins with acknowledging your current problems and establishing communication between development and security teams. Developers can’t solve a problem unless they know about it and have access to the proper tools and training. So, the first step is getting a tool into developers’ hands that helps them understand why some coding practices negatively affect an application’s security posture. David added:

“The story changed from hunting people down to drawing a line in the sand and accepting that we have these problems while preventing new problems from appearing.”

Once you have the lay of the land, security teams should take stock of how the current tool is working and identify opportunities for improvement. Atul and the Slack team began with a homegrown security tool before adopting another commercial tool that handled licensing in addition to AppSec. However, that tool’s limited reach, and its lack of integrations and plugins to help developers find and prioritize vulnerabilities, meant that an upgrade was quickly necessary. That’s when they chose to use Snyk.

Success with Snyk

Of the many benefits of Snyk, our focus on prioritization, automation, and customization made the biggest difference for our speakers. Snyk’s Priority Scoring, which scales the severity of an issue from 0 to 1000 and provides helpful metadata, allowed the team at Slack to focus on the most important issues first, while the Snyk CLI empowered developers to scan their code as often as they needed without help from the security team. According to Atul:

“Snyk CLI options allow developers to run scans at their pace and time, reducing the overload for us (the security team).”

Giving developers the right tools is critical, but given how much is on their plates, automation is often the key to sustainable security practices. Atul led his team in creating a system that pulls vulnerability information from Snyk and creates Jira tickets that give developers context on the issue and how to fix it. Additionally, the Snyk API allows their security team to pull down the most secure version of each package and provide it as a TL;DR section in the ticket. This drastically improved efficiency by reducing issue volume and the number of messages in the Slack support channel from developers asking how to fix an issue. Atul elaborated:

“We run Snyk in two ways, one is the daily scan against critical repositories and the other is our pipeline, which allows us to identify critical issues before they reach production.”
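The ticket-generation idea described above, as an added illustration rather than Slack’s or Snyk’s own code: it groups findings per package, keeps only those at or above a Priority Score threshold on the 0 to 1000 scale, and writes a TL;DR naming the single version that fixes every remaining issue. The input is a constructed sample in the shape of `snyk test --json` output, and the field names (`vulnerabilities`, `packageName`, `version`, `fixedIn`, `priorityScore`) are assumptions, not verified against the current API.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of `snyk test --json` output. The field names
# used below are assumptions; check them against the real output before reuse.
SNYK_OUTPUT = json.dumps({
    "vulnerabilities": [
        {"id": "SNYK-EXAMPLE-1", "title": "Prototype Pollution", "packageName": "lodash",
         "version": "4.17.15", "fixedIn": ["4.17.19"], "priorityScore": 710},
        {"id": "SNYK-EXAMPLE-2", "title": "Command Injection", "packageName": "lodash",
         "version": "4.17.15", "fixedIn": ["4.17.21"], "priorityScore": 640},
        {"id": "SNYK-EXAMPLE-3", "title": "ReDoS", "packageName": "minimist",
         "version": "1.2.0", "fixedIn": ["0.2.1", "1.2.3"], "priorityScore": 380},
        {"id": "SNYK-EXAMPLE-4", "title": "Information leak", "packageName": "debug",
         "version": "2.6.8", "fixedIn": [], "priorityScore": 120},
    ]
})

def parse_version(v):
    """Turn '4.17.19' (or '4.17.19-beta') into (4, 17, 19) so versions compare numerically."""
    return tuple(int(p) for p in v.split("-")[0].split("."))

def lowest_fix_above(current, fixed_in):
    """Smallest fixed version that is an actual upgrade from the installed one; None if no fix."""
    candidates = [f for f in fixed_in if parse_version(f) > parse_version(current)]
    return min(candidates, key=parse_version) if candidates else None

def build_tickets(report_json, min_score=300):
    """One ticket per (package, installed version). The TL;DR names the single target
    version that closes every issue above the threshold: the largest of the per-issue
    minimal fixes, since any lower version would leave at least one issue open."""
    by_pkg = defaultdict(list)
    for vuln in json.loads(report_json)["vulnerabilities"]:
        if vuln["priorityScore"] >= min_score:
            by_pkg[(vuln["packageName"], vuln["version"])].append(vuln)
    tickets = []
    for (pkg, current), vulns in by_pkg.items():
        fixes = [lowest_fix_above(current, v["fixedIn"]) for v in vulns]
        target = max((f for f in fixes if f), key=parse_version, default=None)
        vulns.sort(key=lambda v: v["priorityScore"], reverse=True)
        tldr = (f"Upgrade {pkg} {current} -> {target}" if target
                else f"No fixed version for {pkg} {current}; track upstream")
        tickets.append({
            "summary": f"[Snyk] {len(vulns)} issue(s) in {pkg}@{current}",
            "priority_score": vulns[0]["priorityScore"],  # highest score drives ticket priority
            "tldr": tldr,
            "issues": [f'{v["id"]}: {v["title"]} (score {v["priorityScore"]})' for v in vulns],
        })
    tickets.sort(key=lambda t: t["priority_score"], reverse=True)  # most urgent ticket first
    return tickets

if __name__ == "__main__":
    for t in build_tickets(SNYK_OUTPUT):
        print(t["summary"], "|", t["tldr"])
```

Posting the resulting dictionaries to Jira is left to whatever client the team already uses; the point is that the fix version is computed once, centrally, instead of each developer working it out.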

From the development side of the house, Snyk empowers developers to prioritize vulnerabilities internally and upgrade without fear of breaking something vital. As David said, “The easier it is for your developers to revert a change and not have that change go to production, the more comfortable they can feel trying things during development.”

AppSec trends

The final topic of our panel discussion was where David and Atul see application security going and what trends are likely to drive the field. One major point was that the cycle of separate, siloed development and security teams is broken. As having a full understanding of your application stack grows in importance, knowing how security fits into each stage as well as the stack overall is vital. In practice, this means that developers must feel comfortable and assured that a single part of their application is secure — and also not interfering with anything else. For developers like David, “having Snyk in that developer lifecycle removes one more thing for us to have to worry about.” Atul added:

“Improving security throughout the development lifecycle has become more important than ever before.”

Production security is critical when developers are using and changing code every day, but security teams can’t scale like development teams. To ensure that every part of the SDLC is covered, security teams must trust their engineers and empower them with processes and tooling that fit into their work style. Atul concluded:

“Who knows the code better than the developers that write it? They know their attack surface better than security.”

Succeeding in AppSec

An approach centered around communication, empathy, and trust is the best path forward for security and development teams. Change can be difficult, but embracing new tools and techniques is an integral part of staying on the cutting edge — and developer-centric platforms like Snyk are there to support you every step of the way.