DigitalOcean, a cloud platform provider for developers, selected Snyk’s “developer-first” security solution to address vulnerabilities in open source libraries. Once integrated with DigitalOcean’s cloud platform, Snyk notified the company of two significant vulnerabilities in Nokogiri, which DigitalOcean was then able to fix in under 24 hours.
Prior to engaging with Snyk, keeping up to date with the latest dependencies and vulnerabilities was carried out by DigitalOcean’s individual technical leads on each of their projects. DigitalOcean needed a timely and pragmatic response to vulnerabilities in their third-party dependencies.
“Supply-chain vulnerabilities constitute some of the most preventable vulnerabilities, and are also the most costly in terms of company reputation and blast radius of affected systems,” said Tom Czarniecki, Tech Lead and Architect of Application Security of DigitalOcean. “You need to continuously scan for vulnerabilities, and mitigate found vulnerabilities, in your operating systems, applications and libraries.”
Newer Nokogiri Version
Following Snyk’s notification and DigitalOcean’s internal impact analysis, DigitalOcean found that the vulnerable code paths were inline in most of its request processing, so upgrading the version of Nokogiri used in its front-door applications became critical. “Such a quick turnaround could not have happened when monitoring for vulnerable dependencies without Snyk,” added Mr. Czarniecki.
Over the course of a single workday, DigitalOcean was able to upgrade multiple services and internal libraries to a newer and “safer” Nokogiri version, rolling them out to its pre-production and, following verification, production environments. Prior to using Snyk, the process of finding and fixing vulnerabilities would have taken much longer, which meant DigitalOcean was previously susceptible to being exploited for greater lengths of time.
“Snyk simplified the non-trivial task of scanning for vulnerabilities in DigitalOcean’s third-party libraries allowing the DigitalOcean application security team to focus their efforts on scanning for vulnerabilities in the code and applications that are continuously produced by their development teams,” said Guy Podjarny, CEO of Snyk.