Spotify recently introduced its security vulnerability management platform, Kitsune. Right from vulnerability detection to providing insights based on metrics, Kitsune manages the overall security vulnerability lifecycle.
Elaborating on the journey, Spotify's engineering blog mentioned that Kitsune started as a backend API service. At Spotify, assessing the vulnerability and reporting it on a vulnerability detection service is called a reactive control (RC). Kitsune started with vulnerabilities reported by two reactive controls. The aim was to cater to other RCs as well, so the team came up with a "mediator" to manage RC-specific business logic and create corresponding data compatible with Kitsune. Furthermore, Kitsune also supports uploading CSV files for reporting vulnerabilities.
Source: Spotify’s Vulnerability Management Platform
Backstage, Spotify’s open-source platform for building developer portals, keeps track of the vulnerabilities assigned to each team. Kitsune has a Backstage UI plugin for user interactions. As a process, before sprint planning, teams can go to Backstage and review the vulnerabilities assigned to them so that the fixes can be included in their day-to-day work.
Leveraging the relational data, Kitsune generates metrics that help Spotify teams understand the current risk of each unit within the org and how vulnerabilities were dealt with in the past. The data collection not only enables security teams to plan strategies but also facilitates the creation of quarterly reports that are sent to upper management.
As a side note, Backstage was in the news due to a critical security flaw. By exploiting the vulnerability (CVSS score: 9.8), an unauthenticated threat actor could remotely execute code in the project. Spotify was quick to remediate the vulnerability, urging users to update Backstage to version 1.5.1.
Market trends such as remote workforces and digital transformation necessitate a vulnerability management system. It is projected that the global Security and Vulnerability Management Market size will grow from USD 13.8 billion in 2021 to USD 18.7 billion by 2026.
Initially, to handle notifications, the engineering team at Spotify used Comet. It helped cover the basic automation part of notifying the teams of vulnerabilities. Once the team had remediated the vulnerability, there was a resolve button to communicate the fix. However, looking at the scope of the vulnerability lifecycle, the engineering team realized that they needed more states than those supported by Comet.
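The mediator idea from the earlier paragraph (one adapter per reactive control normalising findings into a common record, plus a CSV upload path) and the richer lifecycle states mentioned here, sketched as an added example; this is not Kitsune's code, and the RC payload shapes, state names and sample findings are all constructed assumptions.

```python
import csv
import io
from dataclasses import dataclass

# Hypothetical lifecycle, richer than a single "resolve" step; a resolved finding reopens if the fix does not verify.
TRANSITIONS = {
    "open": {"triaged", "risk_accepted"},
    "triaged": {"in_progress", "risk_accepted"},
    "in_progress": {"resolved"},
    "resolved": {"verified", "open"},
    "risk_accepted": {"open"},
    "verified": set(),
}

@dataclass
class Finding:  # common record every reactive control (RC) is normalised into
    source: str
    finding_id: str
    team: str
    severity: str
    state: str = "open"
    def transition(self, new_state: str) -> "Finding":
        if new_state not in TRANSITIONS[self.state]:
            raise ValueError(f"{self.state} -> {new_state} not allowed")
        self.state = new_state
        return self

def severity_from_cvss(score: float) -> str:
    return "critical" if score >= 9.0 else "high" if score >= 7.0 else "medium"

# Mediator: one adapter per RC keeps RC-specific field mapping out of the core service.
ADAPTERS = {
    "rc-a": lambda p: Finding("rc-a", p["id"], p["owner"], severity_from_cvss(p["cvss"])),
    "rc-b": lambda p: Finding("rc-b", str(p["key"]), p["team"], p["severity"].lower()),
}
def mediate(source: str, payload: dict) -> Finding:
    return ADAPTERS[source](payload)
def from_csv(text: str) -> list:  # manual CSV upload path
    return [Finding("csv", r["id"], r["team"], r["severity"]) for r in csv.DictReader(io.StringIO(text))]
def open_by_team(findings) -> dict:  # metric: unresolved findings per team
    counts = {}
    for f in findings:
        if f.state not in ("resolved", "verified"):
            counts[f.team] = counts.get(f.team, 0) + 1
    return counts

# Constructed sample inputs, not real scanner output
SAMPLE = [mediate("rc-a", {"id": "A-1", "owner": "payments", "cvss": 9.8}),
          mediate("rc-b", {"key": 42, "team": "search", "severity": "High"})]
SAMPLE += from_csv("id,team,severity\nC-7,payments,medium\n")
SAMPLE[1].transition("triaged").transition("in_progress").transition("resolved")
```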
Kitsune’s development started one and a half years ago and it continues to evolve, with many improvements in sight. The Spotify engineering team understands that reducing security risks in an efficient and scalable manner is a continuous process, and one that needs engagement from the teams.