Fixing Vulnerabilities Early in Development with Highly Accurate Scanning

Highlights

  • Software development lifecycle with security integrated into the developer workflow to accelerate time to remediation.
  • Highly accurate scanning with Snyk, which replaced an existing solution that produced many false positives.
  • Guaranteed SLA compliance to meet customer service level agreements for time to remediation for bug fixes.
  • Peace of mind with routine scans for deployed container images.

The Challenge: accelerate and scale an arduous security process

FormHero’s customers operate in regulated industries that have high security compliance requirements and require proper security accreditation, including SOC 2 for customer data stored in the cloud.

FormHero has a team that is building software for customers and needs to do so in a secure manner with software libraries and dependencies free from as many vulnerabilities as possible.

The company uses JavaScript and the Angular framework on the front-end with Node.js backend services. FormHero’s platform has a microservices architecture deployed through Docker containers and runs on the AWS Elastic Container Service (ECS). FormHero doesn’t persist any customer data, so data lives on customers’ premises and not in the FormHero SaaS platform.

With one full-time security person paired with a 10-person development team, FormHero is eager to address application and container security as early as possible.

“In a lot of cases we’re replacing an existing paper solution that is really error prone with a digital experience that’s a lot easier to use for an employee or for a customer.”

The Solution: security adopted early for faster time to remediation

While security issues can be fixed after developers have written code, resolving vulnerabilities earlier, as part of the DevSecOps pipeline and integrated into the developer workflow, is easier, faster and more economical. Kimber observed that if a developer has to fix an issue weeks after writing the code, it also takes more time to get back into the right headspace to fix it.

“A big part of our focus during the software development lifecycle is managing dependencies and making sure there aren’t any vulnerabilities in our Docker containers.”

FormHero looked at a number of alternative solutions, but overall Kimber noted that their support for JavaScript, and particularly for Node.js, was weak. According to Kimber, Snyk Open Source is light years ahead of the others for Node.js and JavaScript libraries.

By using Snyk Open Source, FormHero is able to prove to its customers that it is using a best-of-breed software composition analysis solution to help secure application development.

“If you aren’t addressing problems during the developer workflow and you’re finding them and dealing with them in QA, it will take you 10 times longer to fix. That’s where Snyk comes in.”

The company also uses Alert Logic to secure its AWS environment and tools like AWS GuardDuty to identify threats by continuously monitoring the network activity and account behavior within the AWS environment.

“With something labeled a critical bug, our customers must be notified within 24 hours with a fix delivered within 48 hours.”

The Impact: accuracy and fewer false positives

Kimber noted that one of his clients initially made FormHero run its code through a different solution, which he referred to as “particularly painful” as there were so many false positives.

With Snyk, the incidence of false positives was dramatically reduced, giving security operations higher accuracy and efficacy.

Meeting Service Level Agreements (SLAs)

FormHero’s contracts all have SLAs for how quickly bugs must be fixed, and Snyk lets the company stay on top of them.

“Snyk’s license management is really, really great and it wasn’t something really even on my radar when we were first looking at SCA solutions, but it certainly makes it a lot easier.”

Compliance for container scanning

FormHero also uses Snyk Container to routinely scan deployed images to help identify any issues and ensure compliance.

FormHero routinely scans the deployed images in its AWS ECS repository to check for vulnerable dependencies in those images. They tend not to have a lot of issues, but Kimber said it’s good having Snyk scan the images so his team knows when there are vulnerabilities.

Powerful license management

Beyond the security benefits, Snyk also has license management capabilities that FormHero uses to help make sure that software licenses are being honored.

“Our developers will grumble when they can’t commit something because the Snyk scan failed, but the effort is so much less than if they were trying to fix all of the libraries during the QA process,” he said. “It’s also so much faster and it forces us to be up to date all the time, which is wonderful.”

Maximum security with minimal interruptions

FormHero has been able to improve developer workflow and overall security with Snyk. In Kimber’s view, Snyk is a great solution that doesn’t interrupt developers.