Spotify Taps Snyk for Security Testing Automation
Due to an increasing number of cyberattacks, music streaming service Spotify has incorporated Snyk security software into its software development lifecycle to automate security testing. The increased security measures help prevent vulnerabilities and flows in applications and software assets.
With the prevalence of these attacks taking place throughout all phases of the software development lifecycle, from design through delivery, security measures must also exist in those stages as well. Edina Muminovic, Spotify engineering manager, wrote a recent blog post that explains some of Spotify’s new cybersecurity measures.
Forbes published an article in June of this year that went into great detail on recent cyberattack stats:
- The average number of cyberattacks and data breaches increased by 15.1% in 2021 from the previous year.
- Anchore recently published a survey showing three in five companies were targeted by software supply chain attacks in 2021.
- 82% of CIOs believe their software supply chains are vulnerable.
Spotify is a massive application. It consumes huge quantities of libraries, service applications, and infrastructure — all of which are vulnerable to supply chain attacks. Muminovic wrote that Spotify, “wants to be sure that we can trust the software source and, in turn, remain a software supplier that won’t deliver malicious software to our customers.”
It’s no surprise that the Spotify security team’s main goal is, “to prevent attacks that can target any phase of the software development life cycle,” when designing their cybersecurity program. They focused on two key areas when categorizing security testing in the software development life cycle.
- Cover Spotify’s wide variety of languages and package managers.
- Have a solution flexible enough to integrate into the existing CI/CD.
Spotify Security Automation and Snyk
Spotify uses reactive controls. These are a collection of tools that scan their applications and report any vulnerabilities. The Snyk platform is part of that collection. Snyk is integrated into Spotify’s build pipeline and scans for vulnerabilities in new builds. The new integration was rolled out in phases with the first two phases being perimeter services and services with access to sensitive data.
Snyk’s developer security platform was designed for securing code, dependencies, containers, and infrastructure. The software tests for vulnerabilities and offers content, prioritization, and remediation. Snyk uses a research team as well as machine learning to help safeguard against cyberattacks.
Security testing automation was important for two reasons. Automatic testing provides an additional layer of security strength in the program and keeps assets and components healthy and up to date. This helped Spotify scale up quickly and safely. The second reason took the thousand of Spotify developers into consideration. Muminovic explained that automatic testing allowed Spotify to, “keep developer needs top of mind and freeing up the developers to focus on their own priorities,” when implementing the security tests.
Snyk has built-in support for the majority of languages and frameworks Spotify required meaning vulnerability scanning is automatically embedded into the CI/CD pipeline. Spotify says, “the adoption has been seamless and hasn’t required any action from developers.”
Spotify confirmed that Snyk, “plans to extend support into other areas that were of interest to us.” For languages and frameworks outside of the automatic process with Snyk, Spotify provided a simple guide for developers to enable Snyk scans as a build step for their application. The number of scanned projects continues to increase.
Spotify takes two approaches to resolve threats once they are identified. The first approach is to automatically generate fixes and merge them without any intervention from the engineering or security teams. Snyk is a leader in this area as Spotify is able to track the life cycle vulnerabilities by using various APIs provided by Snyk and integrating that data into their internal vulnerability management platform.
The second approach is more labor intensive and includes source code analysis, fleet-wide upgrades through automation, and supply chain management to prevent vulnerabilities by focusing on security at every place of development.
The mantra within the security team is “to keep risking responsibly [as] attack vectors are evolving as quickly as the software industry. It’s important to provide a holistic approach to secure software development.” The automation and tools teams made “strong and valuable” contributions to secure software development at Spotify.
