From open-source to proprietary code, Snyk helps secure development environments
When most people think of software development, they visualize an engineer or coder creating every element, functionality and behavior in the software by themselves.
Nowadays, with the advent of open-source libraries and code, this preconception couldn’t be further from the truth. An overwhelming majority of the available proprietary applications today are largely comprised of open-source packages, libraries and code — and as convenient as this fact has been for devs and designers, it has raised a whole host of security concerns.
“They are code somebody else wrote that you don’t have a direct relationship with. And yet … whatever vulnerabilities may be in their code, you own that risk,” said Ravi Maira (pictured), head of product and partner marketing at Snyk Ltd. “So what Snyk is trying to do is enable developers to leverage open source, but do that securely. And then we also help them with the 10% that they write as well, and do that all in one really easy environment for a developer that fits into their workflow and into their daily life.”
Maira spoke with Lisa Martin, host of theCUBE, SiliconANGLE Media’s livestreaming studio, during the AWS Startup Showcase: Open Cloud Innovations event. They discussed the novel ways through which Snyk helps organizations keep their fast-paced development environments tight-knit. (* Disclosure below.)
Developer security in detail
Open-source code isn’t always problematic. Snyk’s approach, however, is making sure that in the rare event that there’s a vulnerability or security issue, it can be found and resolved expediently. In addition, the company’s approach is leveraging a resource that’s in immense abundance worldwide — software developers.
“Snyk’s belief is the way you change things is by having the developers be part of your security solution, which means they need to have the ability to not only develop, but to develop securely,” Maira explained.
There are far more software development professionals than there is available cybersecurity talent, according to Maira. Therefore, finding a confluence point between coding and security could significantly improve the latter’s effectiveness.
Snyk’s ethos on developer security is building tools, ensconced within a platform, that gives devs the ability to take center stage in the security pipeline and enable the security teams to fix issues — either immediately or preemptively. When developers “own that first step of security,” it then solves the problem of scale, according to Maira.
At its very core, Snyk’s platform is a developer tool, and with devs as the platform’s primary user base, the company has been able to layer on security as an inalienable part of the package, according to Maira.
“For example, alongside the open-source code that we’re scanning for you and testing to find vulnerabilities, we’re also looking at the vulnerabilities in your code and where they may overlap or intersect,” he said. “We can adjust priorities so that you might not need to fix something.”
Thus, if an open-source package has a vulnerability, but the package itself won’t ever be accessed by the code being worked on, the platform can automatically default to leave it be.
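The prioritization described above, as an added illustration rather than Snyk’s own implementation: a constructed import graph is walked from the application’s entry point, and a vulnerability finding is flagged for immediate attention only if the running code can actually reach the affected package. Module names and advisory ids are placeholders.

```python
from collections import deque

# Constructed sample import graph (hypothetical names, not a real project):
# application modules plus the third-party packages they pull in.
IMPORT_GRAPH = {
    "app.main": ["app.auth", "http_client_lib"],
    "app.auth": ["token_lib"],
    "http_client_lib": ["url_parser_lib"],
    "token_lib": [],
    "url_parser_lib": [],
    "yaml_lib": [],                 # installed, but only dead code imports it
    "app.legacy_import": ["yaml_lib"],  # no entry point reaches this module
}

# Constructed findings: (affected package, placeholder advisory id, severity)
FINDINGS = [
    ("url_parser_lib", "ADVISORY-PLACEHOLDER-1", "high"),
    ("yaml_lib", "ADVISORY-PLACEHOLDER-2", "critical"),
    ("token_lib", "ADVISORY-PLACEHOLDER-3", "medium"),
]

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def reachable_from(graph, entry_points):
    """Return every module transitively imported from the entry points (BFS)."""
    seen, queue = set(entry_points), deque(entry_points)
    while queue:
        node = queue.popleft()
        for dep in graph.get(node, []):
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return seen


def prioritize(graph, entry_points, findings):
    """Split findings into those the shipped code can reach (fix now, most
    severe first) and those in packages no entry point ever imports."""
    reached = reachable_from(graph, entry_points)
    fix_now = sorted((f for f in findings if f[0] in reached),
                     key=lambda f: SEVERITY_ORDER[f[2]])
    unreachable = [f for f in findings if f[0] not in reached]
    return fix_now, unreachable


if __name__ == "__main__":
    now, later = prioritize(IMPORT_GRAPH, ["app.main"], FINDINGS)
    print("fix now:", [f[1] for f in now])
    print("unreachable, deprioritized:", [f[1] for f in later])
```

An import-level graph over-approximates reachability (importing a package is not the same as calling its vulnerable function), so a real tool refines this with call-graph or symbol-level analysis; the unreachable list should also be re-evaluated whenever the dependency graph changes.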
The core difference between developer security tools and “typical security tools” is that the latter typically focuses on audits (stating the problem in detail) while dev security tools focus on fixing the issues by proffering viable solutions. In that same regard, a developer security tool gives its user the power to decide and prioritize the order with which they should handle the existing security issues and vulnerabilities, Maira explained.
The supposed tension between developers and security teams is largely a misconception and, at most, exists at an organizational level, where the two groups’ aims are often thought to be diametrically opposed, according to Maira.
“Security is responsible for risk, and developers responsible for speed of innovation,” he said. “And the faster you innovate, potentially there’s more risk. There might be some organizational tension, but at the human level, people understand each other. They understand the pressures that the other one’s going through.”
How Snyk leverages AWS
Snyk, and its value-added solutions as a developer security platform, is tightly integrated into the Amazon Web Services Inc. ecosystem. First and most prominently is its native integration with AWS CodePipeline, according to Maira.
“This makes it easy for developers as they’re finishing their builds and deploying to have an automatic security check that comes in, understands if there are things that need to be fixed before this really should be released, and then they can fix it and go forward,” he said.
In addition, Snyk also covers a wider spectrum, using its application programming interface, spanning across other services like Amazon Elastic Container Service for Kubernetes, or EKS, and CodeBuild. In essence, wherever developers choose to work, there exists a viable way to key into their AWS development process.
Given its strong AWS relationship, Snyk’s enterprise customers rely on the platform because it makes their developers’ work easier by keeping them focused on solutions (rather than problems), according to Maira.
Here’s the complete video interview, part of SiliconANGLE’s and theCUBE’s coverage of the AWS Startup Showcase: Open Cloud Innovations event. (* Disclosure: Snyk sponsored this segment of theCUBE. Neither Snyk nor other sponsors have editorial control over content on theCUBE or SiliconANGLE.)
Photo: SiliconANGLE