UPDATED 17:54 EDT / JANUARY 17 2022

CLOUD

How Snyk’s approach to application security remedies shift-left shortcomings

Software developers rarely have it easy. From writing, editing and pushing code to fixing the bugs and security issues that show up through production, the expectations most organizations have of their development teams are immense.

The “shift-left” approach was conceived to root out security problems at the earliest stage of development, but in some ways it has added to the complexity facing developers.

“The landscape is changing, both developer and security; it’s just not what it was before,” said Liran Tal (pictured), director of developer advocacy at Snyk Ltd., a developer-focused all-in-one platform for securing code, dependencies, containers and infrastructure as code. “And what we’re seeing is developers need to be empowered. They need some help, just working through all of those security issues, security incidents happening, using open source, building cloud-native applications.”

The modern development arena is changing, and so a few mainstay practices don’t quite apply as seamlessly as they used to. Proactivity is an element that’s missing in the traditional shift-left process and is desperately needed in today’s landscape, according to Tal.

Tal spoke with Lisa Martin, host of theCUBE, SiliconANGLE Media’s livestreaming studio, in advance of the upcoming AWS Startup Showcase: Open Cloud Innovations event. They discussed the modern app security threat landscape and how developers can conveniently stay in front of any threats. (* Disclosure below.)

Easing developer frustration

Snyk’s developer security platform funnels directly into development tools, workflows and automation pipelines, making it easy to spot vulnerabilities and security threats ahead of time, according to Tal, whose job is squarely focused on helping developers take full advantage of the platform’s wealth of security and DevOps features.

“What we needed to do is basically put those developer security tools, which is what Snyk is building, this whole security platform” into the developers’ hands at the scale and speed required, Tal added. “So, for example, instead of just finding security issues in open-source dependencies … you can actually open a pull request to your source code’s version and management systems.”

Another part of Snyk’s rapid-response approach to detecting code vulnerabilities is embedding extensions within integrated development environments. In doing so, security issues and probable points of failure are detected the moment work is saved. This is a sharp contrast to other application security testing tools that run in the background and deliver summarized reports after a set period. Snyk’s approach is especially valuable given that developers today work on faster timelines than ever before and need to deploy quickly and constantly.

In the end, the platform makes it such that developers don’t have to be security experts. By showing them the detected vulnerabilities and providing the tools and knowledge to fix those issues, Snyk is actively making developers more efficient, Tal pointed out.

In other aspects of bridging the security knowledge gap for developers, there are also knowledge resources made available to safeguard setups like complex databases from known vulnerabilities.

“As a highlight, there’s a myriad of references that provide users with things like the pull requests, fix dates, or the issue with where the vulnerability was discussed,” Tal said. “Having all this information at hand allows for better context as to what made the vulnerability happen.”

Bringing developers and security experts into a team

The software development and security functions of an organization aren’t rendered completely separate from each other anymore. Consequently, organizations must work toward “creating a more cohesive environment for both these kinds of expertise to synergize toward mitigating security issues,” according to Tal.

Snyk has partnered with Amazon Web Services Inc. for years now. Thus, there is a wide range of integrations within the platform, from the source code editor to code commits and container registries.

“So at the end of the day, Snyk is there to help users out and make sure that if we find any potential issues, anything from licenses to container vulnerabilities or just open-source code, it’s mitigated at the source,” Tal said.

The recent Log4Shell vulnerability was found in the Java library Log4J. Through its ecosystem of teams that manually track such reported events, combined with an autonomous intelligence platform, Snyk is made aware of vulnerabilities like this through notifications on the Chatter API.

“And at that point, before it goes to CVE requirement and things like that … we find vulnerabilities really fast and can add them to the database,” Tal said.

As part of Snyk’s recent commitment to improve the experiences of 28 million developers worldwide, the company has leaned heavily into the power of community and shared experiences. One example is its developer website, which is a community of security and coding professionals trying to learn from each other. Another is the company’s new slew of developer events, one of which is titled “The Big Fix” and slated to launch Feb. 25.

Here’s the complete video interview, part of SiliconANGLE’s and theCUBE’s pre-event coverage of the AWS Startup Showcase: Open Cloud Innovations event. (* Disclosure: Snyk sponsored this segment of theCUBE. Neither Snyk nor other sponsors have editorial control over content on theCUBE or SiliconANGLE.)

Photo: SiliconANGLE
