Case study: Skyscanner
State of Open: The UK in 2022
Phase One “The Open Source Journey”
Christian Martorella,
Chief Information Security Officer
Synopsis
Skyscanner, a travel search engine, champions an “Open Source first” approach to building its infrastructure and online services on Open Source Software (OSS). Using Kubernetes and security tools such as Sysdig Falco, Skyscanner ensures container security and intrusion detection. Actively contributing back to the OSS community, the company shares in-house projects and tools. “Backpack”, a vital part of its infrastructure, streamlines product development with design resources and reusable components. GitHub showcases its contributions, including Turbolift and CFripper. Skyscanner prioritises security, implementing policies to manage supply chain vulnerabilities. Challenges include maintaining libraries, evaluating dependencies, and a global skills gap in OSS, particularly in security. Despite these challenges, the company views OSS as a key enabler, facilitating faster and better services.
4.2 Case Study – Skyscanner
Christian Martorella, Chief Information Security Officer
Skyscanner is a travel search engine based in Edinburgh, Scotland, founded in 2001 and supporting customers researching travel options. It is available in 30 languages and used by 100 million people per month. The entire business infrastructure and its online services are built, managed and maintained on Open Source Software, so the services themselves are delivered using Open Source Software. It is at the heart of Skyscanner’s success.
The Origin: an Open Source first approach
Open Source Software is in Skyscanner’s DNA, from libraries to frameworks to tooling. Kubernetes, security and developer tools, and libraries permeate its infrastructure. Christian explains that “We have an Open Source Software first approach. If there is something that is already built and fits the bill, we explore that option. Our business is to build value for travellers, that’s why we want our engineers thinking and working on the innovative features that will bring value and are built on existing Open Source Software.” This is how they deliver their core value proposition with optimised efficiency.
Backpack, the codification of design for Skyscanner’s systems, forms a critical part of Skyscanner’s infrastructure. It works on all platforms, including mobile. It is built on a collection of design resources, reusable components, and guidelines for creating products with ease and consistency. It empowers the workforce to deliver high quality solutions at speed, and includes theming, RTL and dark mode support.
Skyscanner uses security tools such as Sysdig Falco, and its security team has developed four projects built on it and made them publicly available as Open Source Software. Falco is a container native runtime security solution focused on intrusion and anomaly detection. It uses the Open Source Linux kernel tooling built by Sysdig to generate alerts based on a custom rules and macros engine.
As Skyscanner was moving to Kubernetes, Falco fitted its security tool roster perfectly. The key features seen as beneficial, which supported the decision to use Sysdig Falco, were:
- Complete container visibility through a single sensor that allows them to gain insight into application and container behaviour
- Easy installation as a DaemonSet, ready for Kubernetes
- Adoption by the Cloud Native Computing Foundation (incubating project)
- Active open-source community
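To make the “custom rules and macros engine” concrete, here is a small Falco rules file added as an illustration; it is not Skyscanner’s own ruleset or one of its released projects. The field names (evt.type, evt.dir, proc.name, container.id, container.image.repository) are standard Falco event fields; the list, macro and rule names are constructed for this example.

```yaml
# Added example, not Skyscanner's rules: one Falco rules file showing how
# lists, macros and a rule compose into an alert.

# A list is a reusable set of values referenced with "in (...)".
- list: shell_binaries
  items: [bash, sh, dash, zsh, ash]

# A macro is a named, reusable condition fragment.
# Inside a container, container.id is the container id; on the host it is
# the literal string "host".
- macro: in_container
  condition: container.id != host

# Fires once per successful process start: execve, exit direction "<".
- macro: spawned_process
  condition: evt.type = execve and evt.dir = <

# The rule combines the macros and the list into a single condition.
# When it matches, Falco emits the "output" line at the given priority;
# %field placeholders are filled from the triggering event.
- rule: Shell spawned in container
  desc: >
    A shell binary was started inside a container. Most production images
    never launch a shell, so this is an anomaly worth investigating.
  condition: >
    spawned_process and in_container and proc.name in (shell_binaries)
  output: >
    Shell started in container (user=%user.name shell=%proc.name
    parent=%proc.pname cmdline=%proc.cmdline container_id=%container.id
    image=%container.image.repository)
  priority: WARNING
  tags: [container, shell]
```

When Falco runs as a DaemonSet, every node loads the same rules file, so a rule like this covers all containers across the cluster. A file such as this can be passed to Falco with `-r rules.yaml`. In practice, the first step after deploying a new rule is tuning: images that legitimately run shells (build or debug containers, for instance) should be excluded with an extra macro rather than by lowering the priority, so the alert stays meaningful for everything else.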
The Ethos: from consumption to contribution
Skyscanner actively contributes back, sharing elements of Open Source Software that it has built in-house for others to use. Christian strongly emphasised that, as an organisation, they value and understand the importance of giving back to the community and actively try to be ‘a good global software citizen’ by making their code Open Source Software and sharing it.
Skyscanner has its own GitHub.io page to showcase the main projects it has released. Some of the latest projects there include Turbolift, CFripper and Whispers, all of which have been covered in multiple industry articles and are available at https://github.com/Skyscanner?language=python.
He goes on to say, “The concept of contributing to Open Source Software is strong in the company,” as the culture encourages conversation around open source projects and supports interested developers on their journey by providing them with the necessary tools to progress their personal contribution and skills development. Skyscanner gives back to the community with intention, allowing other companies and coders to benefit from their work.
This contribution is not entirely altruistic, and Christian recognises the benefits: “Using Open Source Software can also get people to contribute to our code, and gives us an opportunity to showcase what we do within Skyscanner to our peers.”
Open Source Software is considered by them to have many pros, such as the ability to access and make use of good quality code at no cost, but one of the main benefits Skyscanner leverages is agility and speed.
Noting, “You can build your services/features much faster with Open Source Software, as you can get many of the things that you need ready-made. It’s about integrating them and making them part of your service. And that’s the thing you gain… you gain a lot of time, so you can go faster to the market on features.” This in turn supports Skyscanner’s core business needs, allowing them to spend time focusing on their core value proposition by removing the need to reinvent the wheel.
An open ecosystem: policies and guidelines
Skyscanner recognised that increased digitalisation brings increased complexity, especially in relation to cybersecurity threats, saying “there is more risk in the cyber world.” This has pushed Skyscanner to actively implement policies and standards to manage the security of supply chain vulnerabilities and to manage and monitor attacks. As he says of this supply chain focus, “our pipeline is designed and implemented in order to prevent any issues with Open Source Software. It’s a big part of the security team’s focus.”
To improve its processes around Open Source Software, Skyscanner has refreshed and reviewed its internal organisational Open Source Software policy and guidelines and simplified the guidance to ensure it is clear and easy for engineers to follow. The Legal and Security teams have collaborated to create a new policy, centralising all of the processes for Open Source Software. They have also produced separate open source policy and procedure documents, organised depending on whether you are consuming/adopting, contributing to, or releasing/distributing Open Source Software. These are mainly intended to give engineers a uniform and responsible way of adopting and using Open Source Software and projects.
Christian strongly believes that the way forward in managing software risk and open source practices is reliant on creating secure systems and guidelines, although he acknowledges that it is complex to implement security at every level and invest in resources and tooling. He feels that Skyscanner is quite mature in its security journey and has successfully embedded it as ‘part of their processes.’
Combating the challenges of Open Source Software
Despite all of its benefits, Open Source Software, like anything, comes with some challenges. Maintaining libraries and keeping them up to date can become taxing for the teams, security threats in the supply chain are on the rise, and abandoned projects are a common occurrence, to name a few.
Supply chain security is a key challenge identified by Christian. He elaborates that “When you import an open source project, it tends to have a number of dependencies – understanding the security of all that software in terms of who is maintaining it, how many people have left the project, if they have adequate security controls, is it being updated frequently or not and whenever there is a vulnerability in any of those libraries. All of this is critical.” Finding the answers to these questions can be tricky without automated solutions.
When adopting a new open source dependency in the organisation, staff are encouraged to review Skyscanner’s Open Source Software due diligence guidelines for a checklist and reminder of things to consider. Christian believes it is important to mindfully evaluate a new library, as it might become a burden if the wrong one is chosen.
Caution should be exercised, because whilst it can be simple and frictionless to include a new library in your project, the consequences of not being diligent with the choice can be disproportionately significant. An important aspect of choosing the right project is which open source licence is used for the software. Skyscanner has a commercial solution that scans all the open source libraries it consumes and highlights vulnerabilities, informing it of the overall health of each project. It allows developers to choose between two open source projects that do the same or similar things and better understand the elements of licensing, governance and hygiene, “behind the scenes”, that determine a project’s longevity and health.
Accessing skilled resources is another challenge. Christian notes a skills gap in Open Source Software, specifically in security. “Finding professionals with experience, for example a security engineer, is not easy. It’s no longer a UK problem – it’s a global problem, talent is global now. And as you’re competing with all European companies, talent has more options, and the company has less autonomy. It’s difficult to hire talent and you have to be open to hiring remote and to relocate and to find people in other pools, because it’s very competitive.”
Skyscanner’s position on Open Source Software
Skyscanner champions Open Source Software both internally and externally, with a strong vision for its use in future endeavours. They see it as an enabler for improving their products and services, as Christian sums up: “Open Source Software is a great concept that has enabled us to build our services faster and better.”