Onna Technologies, a data centralization software company, integrates security across every facet of their development process by using Snyk and Sysdig together with Google Cloud.
We recently sat down with Onna’s Brent Neal (Director of Security), Mike Hoffman (Lead Security Engineer), and Andrew Leeb (Senior Software Engineer) to discuss data protection and compliance, cloud security priorities, and the benefits of using Snyk and Sysdig together for complete end-to-end container security.
Take a look below for some of the highlights from this fascinating conversation.
Q: Who is Onna Technologies and who are your customers?
Brent Neal: We are the security team behind Onna, a data integration platform that accelerates the discovery of knowledge, enabling businesses to gain valuable insights from their collaboration, communication, and content applications.
Onna’s Knowledge Integration Platform connects to today’s most popular cloud applications, including Slack, Microsoft 365, Google Workspace, Zoom, and others to augment activities like eDiscovery, information governance, knowledge management, and identifying private and sensitive data sharing.
We support some of the world’s leading tech companies such as Dropbox, Lyft, and Electronic Arts, helping them save time and money, reduce risk, and leverage knowledge to be more competitive.
Q: What can you tell us about your priorities when it comes to cloud application security?
Brent Neal: There are three vital areas our customers expect us to uphold and that we must excel at delivering 24/7. These include maintaining the:
- privacy of individuals and their sensitive information,
- confidentiality of client data and business activities,
- and compliance with applicable regulations.
As a Kubernetes shop, meaning everything is containerized, we use Snyk and Sysdig for complete container security. These solutions improve our vulnerability management program by giving us the ability to quickly identify vulnerabilities and prioritize remediation efforts. We also rely on Sysdig for threat detection in our production environment. The main benefits include a much stronger security position, greater ease in meeting compliance requirements, and simplified evidence collection for audits.
Snyk saves us time and money by enabling us to practice true shift left security, so we can pinpoint things like vulnerabilities and licensing issues earlier in the pipeline. Additionally, Snyk increases customer trust in Onna because they can take comfort in knowing that we leverage a state-of-the-art solution to protect their data and privacy.
Q: To what degree does Onna prioritize open source security?
Mike Hoffman: Open source security is a top priority for Onna. Of course, the many benefits of using open source software come with risks. We’re aware that problems can arise with application dependencies and libraries, bringing in their own set of complications from licensing issues to vulnerabilities.
However, Snyk’s software composition analysis (SCA) functionality gives us improved visibility into the libraries and dependencies we use, along with the crucial ability to detect and fix vulnerabilities during development. Overall, Snyk has significantly improved our software development lifecycle (SDLC) by making it much more secure.
Sysdig, of course, is built on open source tools – Falco, which they created and which is now the de facto cloud-native threat detection standard, along with Sysdig open source, OPA, and a few others. Using Sysdig, we understand what is under the hood and have a widely adopted standard with enterprise features and scale.
Q: What have been the main challenges with your adoption of developer security operations (DevSecOps)?
BN: So far, the biggest challenge with adopting DevSecOps is worry about affecting the speed of development. Our goal is to ease these fears by empowering developers with tools that integrate security seamlessly into their existing processes and workflows.
From a business perspective, we want to ensure our product development process is as agile as possible. Because Snyk allows us to shift security left, the amount of “rework” required to fix an issue is exponentially less than it would be if it were discovered later on in the process.
Currently, a handful of developers have been introduced to Snyk and we plan to roll it out across the entire team. Our goal is to integrate Snyk everywhere so that all of our developers can see the vulnerability firsthand while learning how to overcome it before it gets very far in the pipeline.
Q: What led to your decision to adopt container scanning and static application security testing (SAST)?
BN: Many of our customer security questionnaires ask, “What application do you use for SAST?” or “How are you protecting your containers?”
Snyk allows us to clearly answer those questions with an industry-leading product. Essentially, we can give our customer the assurance that we are scanning our code and taking the necessary measures to protect their data.
Q: What were the security needs that led you to Sysdig?
BN: From a technology perspective, the biggest components of our use case focused on:
- Enterprise class security to protect customer data and satisfy internal needs. That meant Kubernetes security for our Google Kubernetes Engine (GKE) environment. It is not enough for us to pass compliance; we need strong, real-time detection to protect production workloads.
- The capability to scan for vulnerabilities and misconfiguration, blocking risky builds and configurations before they reach production.
- Prioritizing vulnerability remediation so our developers could fix issues that pose a real risk.
Sysdig was able to meet these requirements and deliver features that have dramatically strengthened our security. Because Sysdig prioritizes vulnerabilities and provides accurate threat detection, we save time for developers, DevOps, and security teams.
Another tremendous benefit has been the ongoing support we receive from the Sysdig team. Since our first meeting, Sysdig has been incredibly responsive and makes problem-solving simple. That type of relationship is extremely important to us at Onna.
Q: How are you using Sysdig’s runtime security? Can you provide examples of the types of policies you’ve enabled for your environment?
MH: The biggest benefit of Sysdig is that it improves our security posture. Sysdig gives us the tools and visibility we need to ensure that we can keep both our own and our customers’ information secure, while adhering to our own internal policy, regulations, and customer obligations.
Sysdig provides a powerful host-based security solution that helps us monitor our environment effectively for a multitude of potential threats. We have policies that alert us on improper access to systems, use of network tools, changes to certain files/directories, and lateral movement throughout the environment. Not only does it provide these alerts, but it also helps give the security team an idea of how certain components function normally in our environment.
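For readers unfamiliar with what such runtime policies look like, the following is an added illustration written for this article of how two of the categories named above (use of network tools, changes to watched files/directories) are expressed as Falco rules, the rule language Sysdig runtime security is built on. It is not Onna’s or Sysdig’s actual rule set; the utility list, watched paths and rule names are assumptions chosen for the example.

```yaml
# Added example: Falco-style rules for two of the policy categories in the
# interview. Utility names, paths and rule names are assumptions, not Onna's.

- list: example_network_tools            # assumed utilities worth alerting on
  items: [nmap, nc, ncat, netcat, socat, tcpdump]

- macro: in_container
  condition: container.id != host

- macro: spawned_process
  condition: evt.type in (execve, execveat) and evt.dir = <

- macro: example_watched_dir             # assumed sensitive paths
  condition: >
    (fd.name startswith /etc/ or
     fd.name startswith /usr/local/bin/ or
     fd.name startswith /root/.ssh/)

- rule: Network Tool Launched in Container
  desc: >
    A network scanning or tunnelling utility was executed inside a
    container. Surfaces "use of network tools" so the team can confirm it
    was an expected debug session or investigate further.
  condition: >
    spawned_process and in_container and
    proc.name in (example_network_tools)
  output: >
    Network tool launched in container (user=%user.name command=%proc.cmdline
    container=%container.name image=%container.image.repository)
  priority: NOTICE
  tags: [network, container]

- rule: Write Below Watched Directory in Container
  desc: >
    A process inside a container opened a regular file for writing under one
    of the watched directories. Covers "changes to certain files/directories";
    repeated benign hits also show how a workload behaves normally.
  condition: >
    evt.type in (open, openat, openat2) and evt.dir = < and
    evt.is_open_write = true and fd.typechar = 'f' and
    in_container and example_watched_dir
  output: >
    File written below watched directory (user=%user.name file=%fd.name
    command=%proc.cmdline container=%container.name)
  priority: WARNING
  tags: [filesystem, container]
```

Loaded alongside the default rule set, each rule emits one alert per matching syscall event; tuning the lists and macros to a workload’s known-good behaviour is what keeps the alert volume meaningful.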
Q: What is the benefit or outcome you hope to achieve by using the Snyk + Sysdig integration?
BN: The Snyk + Sysdig integration will help us continue to refine our shift left approach, reduce our costs, deliver products and features faster, and improve our security posture. Once the Snyk + Sysdig integration is rolled out toward the end of this year, our primary use case will be prioritization. Ultimately, it will give us a better idea of what security issues need to be fixed and how to prioritize them.
Q: What advice do you have for organizations that are hesitant to invest in an integrated software security tool?
BN: I would suggest that organizations analyze the cost of rework and lost time that occur in the absence of shift left security. The more things are shifted left, the more you will see a significant cost reduction and efficiency increase from baking security directly into the SDLC.
See the power of Snyk + Sysdig for yourself
Looking to ship your Kubernetes apps faster while maintaining end-to-end container security? Adopting the Snyk + Sysdig integration can instantly eliminate up to 95% of the vulnerabilities that would otherwise take months to fix.