UPDATED 20:00 EDT / MAY 28 2021


Docker’s partnership with Snyk focuses on developer-first security

Developing secure code is crucial, yet it’s surprising how often that basic need is overlooked.

According to research by Enterprise Strategy Group, 48% of organizations surveyed admit to knowingly pushing out vulnerable code regularly, with only 14% claiming to have never released vulnerable code in their company’s history. Docker Inc. announced last October a new partnership with Snyk Ltd., a developer-focused security solution, with the goal of alleviating developer insecurity and reducing the overhead of managing containers.

Snyk is a developer-first company, providing tools to aid developers.

“It’s important you go to where the developers are, and developers on Docker are in places like the Docker Hub or the Docker [command line],” said Simon Maple (pictured), field chief technology officer at Snyk. “But the core is to get that insight, that visibility and that remediation directly in the Docker environment. That’s what makes the relationships powerful: the fact that you combine everything together and you do it at source.”

Maple spoke with John Furrier, host of theCUBE, SiliconANGLE Media’s livestreaming studio, during DockerCon. They discussed Docker’s new partnership with Snyk, container security, malware, automation and more. (* Disclosure below.)

Containers containing malware

Although containers reduce overhead and increase efficiency, they introduce a host of new security issues. Portability is one of containers’ biggest strengths, but malware can also travel with containers, as happened with the infamous Doki malware that hit in 2020.

“When we think about malware that’s running, there are certain things that we need to consider,” Maple said. “What do we have in place in the runtime that can detect that these issues are happening? How do we block that, and how do we provide that information back to the developer? This area is important to being able to identify or monitor those environments and then feed that back.”

Static issues are another aspect to consider when identifying potential malware threats, such as problems with key binaries in Docker containers.

Results in automation

Automation is a hot topic in DevSecOps as well, and the evidence shows why. Snyk recently released its “State of Cloud Native Application Security” report, which revealed that automation empowers shift left security.

“The most automated teams were twice as likely to test in IDEs and testing your CLIs in local development. Now, those are areas that are really hard to automate,” Maple said. “Having a full automation and full proper testing throughout the [system development lifecycle] actually encourages and makes developers test more in their development environment. Crucially, 73% of our respondents were able to fix a critical issue in less than a week, as opposed to just over 30% of people that were not automated.”

Docker’s partnership with Snyk seeks to make it easier for developers to regularly test and keep their data up to date.

“We start as far left as we can in integrating CLIs into a Docker Hub and Docker scan,” Maple explained.

With this, developers are able to use Docker Desktop with Snyk already embedded. Snyk will monitor tests and automatically send pull requests when new fixes are needed, as well as run container tests from the CLI.

“In our [user interface], we provide the ability to say, ‘This is the base level you should or could be at; it will reduce your number of vulnerabilities by X, and as a result, you’re going to be that much more secure across the pipeline,’” Maple said, outlining how Snyk’s integration will provide potential plans of action to developers to eliminate risk.

Watch the complete video interview below, and be sure to check out more of SiliconANGLE’s and theCUBE’s coverage of DockerCon. (* Disclosure: Snyk Ltd. sponsored this segment of theCUBE. Neither Snyk nor other sponsors have editorial control over content on theCUBE or SiliconANGLE.)

Photo: SiliconANGLE
