Australian home loan platform Lendi has undertaken a cybersecurity project to identify and fix dependencies.
Digital Nation Australia spoke to Cole Cornford, senior SecOps engineer at Lendi, about its dependency management solution.
Cornford describes dependencies as the code pulled in from third parties to develop software, which can sometimes contain bugs that lead to security flaws. Lendi chose the developer-first cybersecurity company Snyk to solve this problem.
According to Cornford, “A lot of the other existing products on the market were, I'd say that their focus would be for security professionals and not for developers. So Snyk have kind of flipped that around and said, ‘We're going to build a product where the developer user experience is the most important thing, rather than the security professional experience’”.
The company was looking for a solution that provided more maturity and less engineering effort than the majority of open source solutions in the market, he said.
“As a developer myself, I understand why it's better. It's just something that's easy to use. It's quick and efficient. You can run it within your IDE, which is how you write your source code in the first place. Whereas a lot of the other tools happen after the fact as part of like an audit review or a compliance review and that's too late for a lot of engineers.”
After an initial penetration test proved that Lendi’s dependencies were not being kept up to date, the company deployed the Snyk solution, which initially showed a number of issues that Cornford said were expected.
“Initially it was lit up. Lots of red lights everywhere saying, ‘Hey guys, there's a lot of things to look at,’” he said.
Lendi’s focus for the next quarter was to reduce the volume of vulnerabilities. According to Cornford, the business was able to reduce the number of critical and high vulnerabilities by 98 percent.
“Now the issue is not so much on the sheer quantity of problems, it's on reducing the remediation, the amount of time that the problem exists. And so right now, it's a little bit longer than we'd like, but it's up to us as a security team to try to evangelise and get developers to continue using the tool as much as possible.”
Case Study: Lendi invests in dependency management solution
Enhance developer and security operations



