Our Experience Building the Synk Integration

Blog
'Inside Security'
Leen Security
July 8, 2024

Leen is building a unified data API for cybersecurity. A unified API platform allows you to manage integrations at scale, save developers time, delight end users, expand into new markets, empower your go-to-market teams, and build customer loyalty.

Snyk is a developer security platform. Integrating directly into development tools, workflows, and automation pipelines, Snyk makes it easy for teams to find, prioritize, and fix security vulnerabilities in code, dependencies, containers, and infrastructure as code.

AppSec is a dynamic and evolving field that requires continuous adaptation to stay ahead of emerging threats. The AppSec category addresses vulnerabilities and security issues at the application level, an area of increasing concern as organizations rely heavily on software applications to drive their business operations.

The Synk integration marks a significant milestone for Leen, being the first integration for the AppSec category and introduces OAuth2 authentication instead of using traditional secret keys.

Snyk's OAuth2 framework is a secure way for users to access its services and resources. It's a widely used standard for authorization, ensuring safe access to protected resources by applications on behalf of users.

This integration enables Leen to retrieve issues from code repositories, covering both Software Composition Analysis (SCA) and Static Application Security Testing (SAST). SCA identifies risks in open-source software dependencies, while SAST examines application code logic to find potential vulnerabilities.

Planning and Designing the Integration

The journey began with planning and designing with Synk’s partnerships team.

The early conversations between the two teams were focused on leveraging Snyk's OAuth2 framework. Our team also spent a considerable amount of time analyzing documentation and API references. Here's why this was essential:

  1. Understanding Authentication Mechanism: OAuth2 is a complex framework with various grant types, authentication flows, and security considerations. By studying Snyk's OAuth2 documentation, our team learned how authentication and authorization work within the Snyk ecosystem, which is crucial for a secure and effective integration.
  2. Identifying Available Endpoints: API documentation typically outlines the endpoints available for interacting with a service or platform. By studying Snyk's API references, we were able to identify the relevant endpoints for initiating the OAuth2 flow, exchanging authorization codes for access tokens, and accessing protected resources. This was important for designing and implementing the integration workflow.
  3. Handling Error Responses: API documentation often provides detailed information about error responses and error codes that may be returned by the service. Snyk's API documentation helped us understand potential error responses and codes, enabling us to anticipate and manage errors for a smooth integration.
  4. Compliance and Best Practices: Documentation often includes information about compliance with industry standards and best practices for using the API securely. By following Snyk's API guidelines and best practices, our team ensured that the integration adhered to security standards and recommended practices.
  5. Optimizing Performance: API documentation provides insights into performance considerations, rate limits, and optimization techniques. Insights from Snyk's API documentation allowed us to enhance the integration’s performance by minimizing latency, reducing API calls, and improving efficiency.
  6. Integration Testing: Comprehensive documentation also facilitates integration testing by providing clear instructions, sample requests, and expected responses. With Snyk's API references, we could create and run test cases to verify the integration's functionality, reliability, and performance

Overcoming Technical Challenges & Ensuring Reliability

On our end, the integration was led by Harsh Patel, our Founding Engineer.

Our primary challenge revolved around OAuth2 authentication, especially in managing secure access tokens and handling callbacks for Snyk's APIs. Access tokens, essential for API access, have a limited lifespan, while callbacks needed precise management to ensure smooth authorization flows.

The team also faced issues with inconsistencies between Snyk's legacy and updated APIs, with differences in data formats and authentication methods. To address this, our engineers adopted a hybrid approach, integrating both API versions to leverage new features while maintaining compatibility with existing systems. This strategy ensured seamless and secure API integration.

As a security company, it was essential to keep everything secure and reliable. We used AWS Secrets Manager to safely store credentials like API keys, ensuring they were encrypted and protected. We set up strict access controls and used isolated environments to further protect against unauthorized access. Additionally, we automated the process of retrieving these secure details to minimize human-error and maintain high security while keeping our operations efficient.

This comprehensive approach helped us ensure that customer data was safe throughout the integration process.

Insights Building the Synk Integration

Data integrations are complex endeavors that require attention to detail and careful planning to ensure successful implementation. Several factors contribute to the inherent difficulty of data integrations:

  1. Data Complexity: Managing various data sources requires understanding their formats, structures, and how they interact to ensure smooth integration.
  2. Data Quality: Common issues like inconsistencies, inaccuracies and duplicates need thorough cleansing and transformation to integrate only reliable data.
  3. Data Volume: Handling large data volumes demands efficient processing techniques to avoid performance issues and scalability concerns.
  4. Data Security and Compliance: Integrating multiple data sources necessitates strict security measures and compliance with regulations like GDPR or HIPAA to protect privacy and avoid legal issues.
  5. Integration Complexity: Differences in APIs and protocols across systems add complexity to data integration, requiring robust workflows to ensure seamless data exchange.

To reliably execute data integrations, we recommend considering these key principles:

  1. Thorough Planning: Success hinges on a well-crafted integration strategy and roadmap. This involves defining requirements, identifying data sources and targets, setting up data mappings and transformations, and planning testing and validation.
  2. Attention to Detail: Maintaining data integrity and accuracy requires careful attention to data structures, formats, and semantics. Comprehensive data profiling, validation, and reconciliation are necessary to spot and correct discrepancies.
  3. Robust Testing: Comprehensive testing is crucial to ensure the functionality, performance, and reliability of the integrated system. This covers unit, integration, and end-to-end tests to check data consistency and compliance with business needs.
  4. Monitoring and Maintenance: Ongoing monitoring and maintenance are essential to keep the integrated systems reliable and high-performing. This includes checking data quality, tracking system performance, monitoring error logs, and taking proactive steps to address issues and enhance performance.

For engineers embarking on similar integration projects, the advice is clear:

  • Prioritize proactive communication
  • Adhere to best practices, and
  • Embrace iterative development

Writing comprehensive tests, focusing on clean data modeling, and leveraging established patterns are essential for navigating the complexities of integration projects effectively.