CUSTOMER SUCCESS | CASE STUDY
Snap Finance
About the Company
Headquartered in Salt Lake City, Snap Finance harnesses the power of data to empower consumers of all credit types to get what they need. Snap’s technology combines more than a decade of data, machine learning and nontraditional risk variables to create a proprietary platform offering flexible consumer retail financing solutions.
Industry
Financial Services
Employees
1000+
Founded
2012
“With Contrast, we’re able to identify and consolidate vulnerabilities into a single platform and prioritize our efforts with rich context and remediation guidance.”
Kiran Sharma, Senior Privacy Program Manager at Snap Finance
Navigating an increasingly complex set of AppSec tools
Snap Finance serves more than 3 million merchant and consumer customers, including more than half a million mobile users. For Kiran Sharma, Snap’s Senior Privacy Program Manager, Application Security (AppSec) has a direct impact on the bottom line. A fragmented tool set meant:
- Teams lacked a holistic view of vulnerabilities across applications.
- Triage and remediation efforts were stymied by a lack of context into vulnerabilities.
- Teams couldn’t accurately prioritize security issues, instead spending their time aggregating data from multiple sources.
- Developers lacked practical guidance, slowing down remediation and leaving potential security gaps.
- Overlapping functionalities led to duplicate vulnerability reports and an increasingly “noisy” environment.
Aware of the impact tool sprawl had on security, productivity and developer experience, Snap settled on two key priorities to unify its AppSec program:
- Consolidate solutions into a single platform to streamline processes and enhance coverage. This included:
  - Static Application Security Testing (SAST) to analyze source code for vulnerabilities without execution.
  - Dynamic Application Security Testing (DAST) to monitor application behavior in real time, detecting vulnerabilities during runtime and feeding the results into a centralized system.
  - Software Composition Analysis (SCA) to continuously scan third-party and open-source components for known vulnerabilities, ensuring efficient management of dependencies.
- Improve data integration to eliminate manual workflows, minimize errors and provide real-time, comprehensive visibility into the security posture of applications.
“When it came to our Application Security program, there were multiple tools that brought us vulnerabilities from different sources, different tools,” said Sharma.
Replacing tools with solutions
Sharma and the Snap team set out with a dual purpose: combine leading AppSec solutions and meet developer expectations. Ultimately, they chose Contrast Security for its comprehensive real-time security, integrated workflows and advanced collaboration features.
Cloud-native support provides full coverage for cloud-based and microservices applications without adding unnecessary complexity. Support for Java and Node.js applications gives the team extensive vulnerability detection and comprehensive route coverage, ensuring that all execution paths in instrumented applications are monitored and protected. With Contrast’s GitHub integration, developers directly get vulnerability details in their repositories, allowing them to address issues during the development cycle, speed up remediation and stick to sprint deadlines.
Interactive Application Security Testing (IAST) was a critical factor. By embedding agents into the application runtime, IAST enables continuous, real-time vulnerability detection in testing and production environments. This eliminates the need for separate scans, reduces false positives and ensures that only exploitable vulnerabilities are flagged. Contrast’s integrated SCA capabilities scan third-party and open-source libraries without the need for additional tools. With dependency mapping and version-specific remediation advice, Sharma’s team can quickly identify and address security risks in external dependencies. Runtime analysis detects vulnerabilities in real-world usage without requiring a separate DAST tool. Full route coverage ensures that all potential paths within instrumented applications, including deprecated or “dead” routes, are analyzed.
0-100 in less than two months
In less than two months, Sharma’s team was able to deploy Contrast agents across development, testing, staging and production environments. Contrast Security’s lightweight agents are engineered for minimal overhead, maintaining optimal application performance even in high-demand environments.
By integrating the Contrast Runtime Security Platform into its continuous integration/continuous deployment (CI/CD) pipeline through application programming interfaces (APIs) and native integrations, Snap Finance automated security checks at every build and deployment stage. This continuous, automated approach functions like an embedded pentesting solution, seamlessly preventing builds with critical vulnerabilities from advancing to production through custom policies.
Contrast has become a cornerstone of Snap Finance’s DevSecOps practice, offering real-time security feedback loops to developers and security teams alike. Developers benefit from vulnerability alerts as they code, along with precise remediation guidance that includes stack traces, code snippets and step-by-step resolutions. The integration with leading integrated development environments (IDEs) like IntelliJ IDEA and VS Code meets developers where they are, embedding security into their natural workflows.
One of the most impactful features for Snap Finance has been the centralized reporting and analytics capabilities Contrast provides. The unified dashboard offers a comprehensive view of all security metrics, delivering a single pane of glass for real-time insights and historical vulnerability trends. This visibility extends across the organization, with customizable reporting tailored to the needs of compliance, executive teams and other key stakeholders.
“With Contrast, we were able to combine multiple areas of our Application Security into a single platform,” Sharma said.
Turning expectations into outcomes
Snap Finance streamlined its AppSec by replacing multiple disparate tools for SAST, DAST and SCA with Contrast Security's unified platform. This consolidation eliminated overlaps and gaps caused by fragmented systems, providing a centralized view of all vulnerabilities. By having all security data in one place, the team improved visibility and efficiency, allowing team members to focus on high-priority issues and better defend against threats like injection attacks, cross-site scripting (XSS) and authentication flaws.
IAST enabled Snap Finance to embed agents directly into application runtime environments. This allowed for continuous, real-time detection of vulnerabilities during development, testing and production without the need for separate scans. By flagging only exploitable vulnerabilities and reducing false positives, the team could immediately identify and address security issues as code executes, mitigating risks associated with zero-day exploits and runtime attacks.
Integrated SCA continuously scans all third-party and open-source components for known vulnerabilities without additional tools. Dependency mapping and version-specific remediation guidance helped the team efficiently manage external libraries and quickly address security risks. This proactive approach safeguarded them against supply-chain attacks, dependency confusion and exploitation of known vulnerabilities in third-party code.
Integrating Contrast into the company’s CI/CD pipeline has automated security checks at every build and deployment stage. The integration allows for continuous, automated security processes that act like an embedded penetration-testing solution. Custom policies prevented builds with critical vulnerabilities from advancing to production, ensuring that only secure code was deployed and reducing risks from configuration flaws and insecure defaults.
Contrast Security's platform provided developers at Snap Finance with in-context vulnerability alerts and detailed remediation guidance in their preferred IDEs, including IntelliJ IDEA and VS Code. This means developers can identify and fix security issues as they code, complete with stack traces and code snippets. By embedding security into natural workflows, the development process became more efficient, reducing potential code injection flaws, logic errors and authentication issues.
One of the reasons Sharma and the Snap team initially set out to replace their AppSec tools was a lack of context. Teams knew they had open vulnerabilities, but they lacked contextual analysis to identify vulnerabilities that were actually exploitable. By prioritizing vulnerabilities based on severity and exploitability, the security and development teams spent less time investigating non-issues and more time addressing critical threats. This efficiency minimizes resource drain and ensures that critical vulnerabilities are promptly remediated.
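The two ideas in the preceding sections, a CI/CD gate driven by custom policy and prioritization by severity and exploitability, can be shown in a small script. The following is an added example, not Contrast Security's code or API: the finding format, the tool names and the sample findings are constructed for illustration. It merges duplicate reports of the same issue from different sources (the "noisy" overlap described earlier), ranks what remains by exploitability and severity, and returns a build decision under a configurable policy.

```python
"""Added example: consolidate AppSec findings from several tools, rank them by
exploitability and severity, and block a build by policy.
Illustrative only; the Finding format and SAMPLE data are constructed."""
import sys
from dataclasses import dataclass

# Ordinal ranking used for comparisons and for the policy threshold.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "note": 0}


@dataclass(frozen=True)
class Finding:
    source: str        # reporting tool (hypothetical labels: "sast", "iast", "sca")
    rule: str          # vulnerability class, e.g. "sql-injection"
    location: str      # file:line, route or dependency
    severity: str      # one of the SEVERITY_RANK keys
    exploitable: bool  # True when a runtime source confirmed the issue is reachable

    def key(self):
        # Two tools reporting the same rule at the same location are one issue.
        return (self.rule, self.location)


def consolidate(findings):
    """Merge duplicate reports of one issue: keep the highest severity seen and
    mark it exploitable if any source confirmed it; record all sources."""
    merged = {}
    for f in findings:
        cur = merged.get(f.key())
        if cur is None:
            merged[f.key()] = f
            continue
        merged[f.key()] = Finding(
            source=",".join(sorted(set(cur.source.split(",")) | {f.source})),
            rule=f.rule,
            location=f.location,
            severity=max(cur.severity, f.severity, key=SEVERITY_RANK.__getitem__),
            exploitable=cur.exploitable or f.exploitable,
        )
    return list(merged.values())


def prioritize(findings):
    """Confirmed-exploitable issues first, then by severity, so triage time
    goes to what is actually reachable rather than to every static hit."""
    return sorted(
        findings,
        key=lambda f: (f.exploitable, SEVERITY_RANK[f.severity]),
        reverse=True,
    )


def gate(findings, block_at="critical", require_exploitable=True):
    """Policy check for a pipeline stage. Returns (allowed, blockers): the build
    is blocked when any consolidated finding is at or above block_at and, if
    require_exploitable is set, has been confirmed exploitable."""
    threshold = SEVERITY_RANK[block_at]
    blockers = [
        f for f in prioritize(consolidate(findings))
        if SEVERITY_RANK[f.severity] >= threshold
        and (f.exploitable or not require_exploitable)
    ]
    return (len(blockers) == 0, blockers)


# Constructed sample: one SQL injection reported by both a static tool
# (unconfirmed, "high") and a runtime tool (confirmed, "critical"), plus an
# SCA finding and a medium static finding.
SAMPLE = [
    Finding("sast", "sql-injection", "OrderService.java:88", "high", False),
    Finding("iast", "sql-injection", "OrderService.java:88", "critical", True),
    Finding("sca", "known-vulnerable-dependency", "package.json:lodash", "high", False),
    Finding("sast", "hardcoded-credential", "config.js:12", "medium", False),
]

if __name__ == "__main__":
    allowed, blockers = gate(SAMPLE)
    for b in blockers:
        print(f"BLOCK {b.severity:8} {b.rule} at {b.location} (sources: {b.source})")
    # Non-zero exit makes the CI stage fail, which is what stops promotion.
    sys.exit(0 if allowed else 1)
```

Run as a pipeline step, the non-zero exit status is what stops a build from advancing; loosening the policy (for example `gate(findings, block_at="high", require_exploitable=False)`) would also block on the unconfirmed SCA finding, which is the trade-off between strictness and noise that the consolidation step is meant to manage.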
Another non-negotiable requirement was cloud-native support, needed to cover cloud-based and microservices applications, including those built with Java and Node.js. Application flow mapping provided enhanced visibility into how Snap Finance’s applications interacted with cloud services and external APIs. This allowed the team to more effectively identify and address potential vulnerabilities arising from cloud dependencies and configurations, thereby defending against API exploits and cloud configuration vulnerabilities.
Contrast’s GitHub and Slack integrations improved collaboration between security and development teams. Developers could view vulnerability details directly in their code repositories, allowing them to address issues during the development cycle. Customizable alerts in Slack reduced noise by focusing on critical issues relevant to specific products or projects, enabling real-time collaboration and swift action to prevent unpatched vulnerabilities and reduce risks from insider threats.
Finally, a centralized dashboard for comprehensive reporting and analytics gives Sharma’s team real-time insights and historical trends on vulnerabilities, tailored to the needs of compliance teams, executives and other stakeholders. This enterprise-wide visibility aids in regulatory compliance, early detection of potential breaches and identification of long-term attack patterns, strengthening overall security posture.
Key benefits:
- Streamlined workflows: Reduced tool complexity and improved efficiency.
- Enhanced security posture: Real-time, accurate detection of vulnerabilities.
- Faster development cycles: Immediate feedback without compromising security.
- Effective risk management: Prioritized remediation based on severity and exploitability.
By consolidating multiple security tools, Snap Finance significantly enhanced its AppSec posture. This holistic approach streamlined workflows, improved collaboration between development and security teams, and embedded security into every stage of the development life cycle. As a result, the company now benefits from improved risk management; efficient vulnerability prioritization; and a robust, cloud-native security solution that supports its modern application architectures.
“Now, we have a unified platform that presents all vulnerabilities in one single pane of glass, allowing us to focus on the highest priority and critical issues,” Sharma said.