
CovertSwarm and Fintech: Snoop Case Study

"The CovertSwarm team is how we stay ahead in the increasingly aggressive world of cyber security." – Jamie West

Ethical hacking for Snoop

UK | Fintech | B2C

  • Company size: 50-100
  • Customers globally: 300,000
  • Client since: August 2022
  • Tier: 25% monthly subscription
  • Service: Red Team Services


By Jamie West – Head of DevSecOps at Snoop

Overview

Snoop is a fast-growing fintech app with over 300,000 users – a free money management app, helping you track your spending, set budgets, cut your bills and control your finances. Previously we followed a traditional point-in-time security testing approach to help assure the security of our systems, relying on annual or more frequent penetration tests. However, as a small team, we recognized the need for a more efficient and effective approach. Transitioning to a modern continuous testing framework, supported by a red/purple team, allowed us to optimize our resources and enhance our security posture. This shift made better use of our time and improved our ability to address vulnerabilities proactively.

At Snoop, we’ve always believed we do an exceptional job of securing our systems and, most importantly, our consumer data. However, despite regular penetration tests, we still lacked true peace of mind. Engaging CovertSwarm has really helped to fill that gap. In a world where it is increasingly and painfully evident that everybody is secure until they are not, having a long-term, established relationship with exceptional talent is essential to providing us the assurance we need in the controls and processes we have built here at Snoop.

Challenge

Our initial cybersecurity posture as a startup was focused on establishing a solid foundation while maintaining agility. We relied on traditional penetration testing at key release stages to provide technical assurances and engaged with external partners to establish and provide annual assessments of our governance/risk framework.

The main point of concern for Snoop was that traditional point-in-time penetration testing only provided a snapshot of our security posture, and even then, often only of limited scope. We were building on top of a very reactive, limited, and resource-intensive approach to cyber security – an approach disconnected from our rapid development and agile approach to business and software development.

Objectives

We needed to evolve our cybersecurity posture into a more proactive, continuous, mature approach. In doing so, we also wanted to be able to best utilize resources within a small team by building a strong relationship over time with a partner of experts rather than constantly hitting pause on other work to onboard point-in-time pen testers.

The Approach

We work closely with the CovertSwarm team via Slack and, more formally, via regular cadence calls. Not only do we liaise with the team to get eyes on pieces of functionality or areas in our tech estate, but we also often lean on them for additional opinions on day-to-day activities (emerging threats we see and weird behavior). When working on new higher-risk functionality, we work with the team on early requirements and design to gain insight as early in the SDLC (Software Development Life Cycle) as possible.

The CovertSwarm Portal gives us regular new intel, relying on push notifications into Slack between these checkpoints for up-to-date events. When vulnerabilities are identified, the team is prompt in reassessing to confirm the desired outcome of any potential remediations.

The CovertSwarm Portal is fantastic and really highlights the friction of relying on colossal PDF reports. Do not get me wrong – PDF reports still have their place; we can and do get more formal reports from CovertSwarm to satisfy external requests. However, interacting with the portal to assess new vulnerabilities and to understand attack maps is significantly more intuitive for day-to-day operations.

Review

We have an amazing relationship with the whole CovertSwarm team, which is full of incredible people with incredible expertise. Our ability to chat daily via Slack works perfectly with our existing day-to-day operations, and at times, it can be easy to forget we are working with an external partner.

The team at Snoop is fully stocked with cybersecurity experts, but we are only so many people, and we can only do so much. Our solid foundation is amplified by the ability to lean on CovertSwarm’s more granular expertise and subject matter experts to provide insight and assurance we cannot otherwise access anywhere near as easily.

The CovertSwarm team is how we stay ahead in the increasingly aggressive world of cyber security; by collaborating with them fluidly we’ve learned so much. We all need to be well-equipped to protect our systems and consumers, and part of that means leaning on other experts when needed.

The people and their agility make this partnership strong. We are a small, multi-disciplined team at Snoop. We do not have an internal offensive security team to provide assurance, and our resources and tooling can only take it so far. CovertSwarm, however, provides assurance to our controls and strategy by throwing real people at our perimeter and internal systems, both anywhere and nowhere we want them – and they tell us where we are falling short whether we like it or not, which is exactly what we want.