Breathe Life is a life insurance technology company based out of Montreal that has built a platform making it easier for life insurance carriers to distribute products. They provide life insurers with best-of-breed tools to increase the speed of policy delivery while reducing operational costs.
Because of the sensitive data that gets processed through the platform, it is essential for Breathe Life to keep their application secure.
“In the insurance industry, we're dealing with very sensitive data,” said François Allard, Breathe Life’s Director of Engineering for Platform Teams, “We're subject to very strict regulations and laws because we handle PII and PHI like Quebec's Bill 64, the Health Insurance Portability and Accountability Act (HIPAA) and the California Consumer Privacy Act (CCPA), for example... We know that in order to scale, we need to put security up front in our process.”
Recently, Allard went searching for developer-centric security tooling that would make it simple to scale application security across the entire engineering organization at Breathe Life. He ultimately made the decision to deploy Snyk and StackHawk together so engineers could find and fix security vulnerabilities earlier in the development lifecycle.
Breathe Life’s Drive to Prioritize Developer First Security
Allard set out with the very conscious decision to create a security program that works for developers.
“We’re not trying to come up with a new way of working, we're pulling on industry best practices. We can see the value it provides by knowing upfront that our product is secure. Waiting until production becomes a lot more costly and also introduces the potential for a breach."
To execute upon this vision, Allard began searching for developer-centric security tools that could be integrated into the development process. Of equal importance was a model of security that allowed for individual developers to take ownership of the code they were creating.
“We used to be kind of a typical DevSecOps team in our organization. But, we did not want to have this centralized team that deals with all things security, and DevOps, and pipeline,” Allard recalls. “We wanted security to be a shared responsibility across the organization. So we needed to provide our team with the tooling and best practices so all teams could do that.”
Finding the Right Tools
Allard knew there was no silver bullet to solve all of the needs he had for application security. Instead, he sought to find best-in-class tools that would make his vision for a scaled application security program possible.
He first discovered Snyk, and later StackHawk, and recognized that the two had a “similar dev-centric approach.” As a result, he chose to build a program with these two partners.
Protection from Transitive Dependencies
Allard began his search for application security tooling by trying to find a Software Composition Analysis (SCA) tool that could notify developers about dependencies in open source libraries that his team was using.
“Something that we liked about Snyk was helping with transitive dependencies. It sounds minor, but for us it was something major because of the stack that we use,” said Allard, “We use Javascript and the amount of transitive dependencies is so huge that if you only cover the surface for your first dependencies that you depend on, you’re at risk. Snyk provided that extra detail that made the fix a lot more efficient.”
Dynamic Security Testing for Single Page Apps and Backing APIs
While Snyk’s SCA tool helped Breathe Life secure the open source libraries they used, Allard was also looking for a Dynamic Application Security Testing (DAST) tool, to ensure that Breathe Life’s proprietary code was also protected.
His team was building a Single Page App (SPA) that relied on Javascript and backing APIs. Existing tools in the market were falling short of what Allard knew he needed.
“One of StackHawk’s key differentiators was the ability to leverage the Open API spec in order to better scan the application. The typical Ajax spider from other products are pretty limited in what they could find… there was no real part of our application that was tested,” said Allard,
“The StackHawk scan with the Open API showed us that the real application was being tested and it's not just checking the box to meet some compliance requirement that we have.”
But it wasn’t just the findings that impressed Allard. It was also what his team could do with them.
“Managing findings is another thing we like with StackHawk. Being able to easily manage those, and not adding noise to scans when you have the same thing over and over is super helpful,” said Allard.
Measuring the Impact of Developer-First Security
Allard is early in the journey of deploying Snyk and StackHawk, but is already reaping the benefits of having greater confidence in the code that is shipped.
“We’re not a massive organization so it’s not like we had a cumbersome security process. We are putting those new things in place to help harden our platform security and shift left,” said Allard, “With these tools, I can breathe more and people on my team can breathe more. It allows us to have more confidence in what we're building and that we don’t have those obvious vulnerabilities.”
The more exciting part for Allard is the future. “As we grow, we'll have more and more ways to automate….We are putting the building blocks in place so developers can take on these types of responsibilities.”
