The challenge: keeping security in step with company growth
Pomelo is a fintech organization offering card and digital account solutions for crypto, instant funding, and collateralized credit card options for their customers. Because they deal with so much sensitive data, the Pomelo team knew they needed to prioritize cybersecurity from day one.
Pomelo’s platform solutions team chose to lean on native tools that already existed within their software development lifecycle (SDLC) on AWS. They relied on Github, their code hosting platform, and CircleCI, their continuous integration tool, to facilitate security controls such as secrets detection, SAST and SCA analysis, IaC Scans, and Base Image Scans. The Pomelo team relied on a custom-built CircleCI orb, a type of YAML package that condenses repeated configurations into a single line of code. They used several open source tools in different languages to create this security orb. But as Pomelo grew, this custom-built security orb couldn’t keep up.
“Multiple tools, created in multiple languages, gave outputs like JSON, SARIF, and YAML, among others. Each extension had its own format with nested labels, etc. Moreover, when the number of repositories grew, the false positives detected also increased. So the data became increasingly unmanageable.” - Leandro Sanginetto Technical Expert Engineer, Pomelo
This variety of languages also made it challenging to gain a big-picture view of the entire security program, as they required the team to switch contexts between different languages. Without the right level of visibility, it was difficult to generate audit reports—a massive issue in a heavily regulated industry.
The solution: Snyk’s application security platform
The Pomelo team sought a solution that would solve all of these issues. They wanted to increase visibility and scalability while also decreasing false positives. In addition, the team wanted to find a security solution that the developers could use easily in building and running their applications in their AWS environment.
“We understood that even if we acquired the best security tool in the world, if we could not give visibility and involve the engineering teams directly, the implementation would fail. We wanted a platform that, in addition to covering all our security standards, could be easily used by our developers. The tool we selected needed to be part of the SDLC in a developer-led way.” - Nicolas Gomez Senior Application Security Engineer, Pomelo
They turned to Snyk’s application security solution because of its usability, low number of false positives, and built-in support. The Pomelo team particularly liked the auto-fix pull request feature and the integrations for their existing tools (Jira, Slack, Github, CircleCI, etc.).
Pomelo & Snyk’s partnership
When they started with Snyk, the Pomelo team set two goals:
Covering all ~900 repositories with Snyk
Granting Snyk platform access to all development teams (~200 developers)
In less than a month, Pomelo and Snyk met both of these goals and rolled out security training for managers and engineers.
“The integrations and the API this solution provides help us to make all these [security issues] more visible for everyone, from the developers to the managers to the C-level. Also, it gives the development teams more independence to go into Snyk and see what they have to work with. With Snyk, they can do more by themselves.” - Leandro Sanginetto Technical Expert Engineer, Pomelo
Simplifying procurement on AWS Marketplace
In order to streamline procurement processes, the team at Pomelo leveraged their existing billing mechanisms with AWS to purchase Snyk software, allowing them to consolidate invoicing and accelerate time-to-value in purchasing and implementing the Snyk solution.
If you’d like to try Snyk’s developer-first security platform, you can also sign up for a free Snyk account directly from the AWS Marketplace.
The impact: a scalable security program ready to grow with Pomelo
Now that the Pomelo team has implemented Snyk’s application security platform, they have full coverage of their applications, from code to production. The team has resolved 9,500 issues since implementing Snyk. This total breaks down to 2,150 Highs and 200 Criticals, with 100 containing mature exploits.
In addition, the team has implemented several integrations to build an end-to-end security program that works for them. For instance, they set up a Snyk-Slack integration, which alerts their teams whenever they need to fix an issue.
“The most important thing for us is that you can manage the security test findings data from one place. If you want to scan something in GoSec, you can do it…if you need to scan something in Python, you can also do it. You can retrieve all that information in one place with one call. That was the painful thing that we were fighting with before Snyk.” - Leandro Sanginetto Technical Expert Engineer, Pomelo
To learn more about Snyk and Pomelo’s partnership, tune into a conversation with Leandro and Nicolas on DevOps TV.
