How Snyk’s Approach to Application Security Addresses Left Shift’s Shortcomings
Software developers rarely have it easy. From writing, editing, and releasing code to resolving bugs and security issues that surface throughout production, most organizations’ expectations of their developers are immense.
The “shift-left” approach was designed to eradicate security issues at the earliest stage of development, but in some ways it adds to the degree of complexity faced by developers.
“The landscape is changing, both for developers and for security; it’s just not what it used to be,” said Liran Tal (pictured), Director of Developer Advocacy at Snyk Ltd., an all-in-one developer-focused platform for securing code, dependencies, containers, and infrastructure-as-code. “And what we’re seeing is that developers need to be empowered. They need help to just work on all these security issues, as security incidents occur, using open-source and cloud-native applications.”
The arena of modern development is changing, and some basic practices no longer apply as well as they once did. Proactivity is the element that is missing from the traditional shift-left process and is desperately needed in the current landscape, according to Tal.
Tal spoke with Lisa Martin, host of theCUBE, SiliconANGLE Media’s live streaming studio, ahead of the upcoming Introducing AWS Startups: Open Cloud Innovations event. They discussed the modern application security threat landscape and how developers can stay ahead of threats. (*Disclosure below.)
Alleviate developer frustration
Snyk’s Developer Security Platform integrates directly into developer tools, workflows and automation pipelines, making it easy to detect vulnerabilities and security threats in advance, according to Tal, whose job it is to help developers take full advantage of the platform’s security and DevOps features.
“What we had to do was basically put these security tools for developers, that’s what Snyk is building, this whole security platform” in the hands of developers at the scale and speed required, Tal added. “So, for example, in place to just find security issues in open-source dependencies… you can actually open a pull request to the version of your source code and your management systems,” explained Tal.
Another part of Snyk’s rapid-response approach to finding code vulnerabilities is integrating extensions into integrated development environments. By doing so, security issues and likely points of failure are flagged as the code is written. This is in stark contrast to application security testing tools that run in the background and deliver summary reports after a set amount of time. Snyk’s approach is especially valuable considering that developers today are working with tighter deadlines than ever before and need to deploy quickly and constantly.
Ultimately, the platform makes sure developers don’t have to be security experts. By showing them detected vulnerabilities and providing the tools and knowledge to fix those issues, Snyk is actively making developers more efficient, Tal pointed out.
To further narrow the security knowledge gap for developers, Snyk also makes knowledge resources available, for example on hardening configurations such as complex databases against known vulnerabilities.
“As a highlight, there are a myriad of references that provide users with things like pull requests, fix dates, or the issue in which the vulnerability was discussed. Having all of this information at your fingertips provides better context for what created the vulnerability,” Tal said.
Bring developers and security experts together in one team
An organization’s software development and security functions are no longer completely separate from each other. Therefore, organizations should strive to “create a more cohesive environment for these two types of expertise to create synergy to mitigate security issues,” according to Tal.
Snyk has been a partner of Amazon Web Services Inc. for years. Thus, there is a wide range of integrations within the platform, from source-code editors to code commits and container registries.
“So at the end of the day, Snyk is here to help users and make sure that if we find any potential problems, whether it’s licenses, container vulnerabilities or simply open-source code, it is mitigated at source,” Tal explained.
The recent Log4Shell vulnerability was found in the Java logging library Log4j. Snyk learns of vulnerabilities like this through a combination of research teams manually tracking reported issues and an automated intelligence platform, with notifications delivered through the Chatter API.
“And at this point, before moving on to the CVE requirement and things like that… we find vulnerabilities very quickly and can add them to the database. In short, this is what we did with Log4Shell,” Tal said.
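As an added example of the workflow the article describes, both the fix pull request for a vulnerable open-source dependency mentioned earlier and the Log4Shell case above, here is a small dependency scanner in Python. This is illustrative code written for this page, not Snyk’s code and not from the interview. The pom.xml, the second advisory, and all function and class names are constructed for the example; the log4j-core version ranges are modeled on the public advisory for CVE-2021-44228 (Log4Shell), and a real tool would pull them from a vulnerability database rather than hard-code them. The fixer assumes a dependency element lists groupId, artifactId and version in that order.

```python
"""Match declared dependencies against advisories and propose the fix bump.

Added example, not Snyk's code. The advisory list and the pom.xml below are
constructed sample data; the log4j-core ranges follow the public CVE-2021-44228
advisory (fixed versions are exclusive upper bounds).
"""
import difflib
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass


def parse_version(v: str) -> tuple:
    """Turn '2.14.1' or '2.0-beta9' into a sortable key.

    Dotted numeric parts compare numerically (padded so 2.0 == 2.0.0); a
    pre-release suffix after '-' sorts before the plain release of the same
    number, so 2.0-beta9 < 2.0 < 2.0.1.
    """
    base, _, pre = v.partition("-")
    nums = tuple(int(x) for x in base.split("."))
    nums += (0,) * (3 - len(nums))
    return (nums, 0 if pre else 1, pre)


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    package: str          # Maven coordinate "groupId:artifactId"
    ranges: tuple         # ((introduced, fixed), ...), fixed is exclusive


@dataclass(frozen=True)
class Finding:
    advisory_id: str
    package: str
    current: str
    fixed: str            # smallest version that closes the matched range


# Constructed advisory database for the example.
ADVISORIES = (
    Advisory("CVE-2021-44228", "org.apache.logging.log4j:log4j-core",
             (("2.0-beta9", "2.3.1"), ("2.4", "2.12.2"), ("2.13.0", "2.15.0"))),
    Advisory("EXAMPLE-0001", "com.example:widget", (("1.0.0", "1.4.2"),)),
)


def parse_pom_dependencies(pom_xml: str) -> dict:
    """Return {"group:artifact": version} for every <dependency> in a pom."""
    root = ET.fromstring(pom_xml)
    deps = {}
    for el in root.iter():
        if el.tag.split("}")[-1] != "dependency":   # strip the POM namespace
            continue
        f = {c.tag.split("}")[-1]: (c.text or "").strip() for c in el}
        deps[f"{f['groupId']}:{f['artifactId']}"] = f["version"]
    return deps


def find_vulnerable(deps: dict, advisories=ADVISORIES) -> list:
    """Report each dependency whose version falls in an advisory range."""
    findings = []
    for adv in advisories:
        current = deps.get(adv.package)
        if current is None:
            continue
        key = parse_version(current)
        for introduced, fixed in adv.ranges:
            if parse_version(introduced) <= key < parse_version(fixed):
                findings.append(Finding(adv.advisory_id, adv.package, current, fixed))
                break  # the fix for the matched range is the minimal bump
    return findings


def apply_fix(pom_xml: str, finding: Finding) -> str:
    """Rewrite only the matched dependency's <version>, preserving formatting."""
    group, artifact = finding.package.split(":")
    pattern = re.compile(
        r"(<dependency>\s*<groupId>%s</groupId>\s*<artifactId>%s</artifactId>"
        r"\s*<version>)%s(</version>)"
        % (re.escape(group), re.escape(artifact), re.escape(finding.current)))
    patched, n = pattern.subn(r"\g<1>" + finding.fixed + r"\g<2>", pom_xml)
    if n != 1:
        raise ValueError(f"expected one match for {finding.package}, got {n}")
    return patched


def scan(pom_xml: str):
    """Scan a pom and return (findings, pom with every fix applied)."""
    findings = find_vulnerable(parse_pom_dependencies(pom_xml))
    patched = pom_xml
    for f in findings:
        patched = apply_fix(patched, f)
    return findings, patched


# Constructed sample manifest: log4j-core 2.14.1 is in the vulnerable range,
# widget 1.4.2 is exactly the fixed version and must not be flagged.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <version>2.14.1</version>
    </dependency>
    <dependency>
      <groupId>com.example</groupId>
      <artifactId>widget</artifactId>
      <version>1.4.2</version>
    </dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    found, fixed_pom = scan(SAMPLE_POM)
    for f in found:
        print(f"{f.advisory_id}: {f.package} {f.current} -> {f.fixed}")
    # The diff is what an automated fix pull request would carry.
    print("".join(difflib.unified_diff(
        SAMPLE_POM.splitlines(True), fixed_pom.splitlines(True),
        "a/pom.xml", "b/pom.xml")))
```

The range-aware lookup matters in practice: a project on log4j-core 2.12.1 gets 2.12.2 proposed rather than a jump to 2.15.0, which is the smallest change a maintainer is likely to merge. Note also that 2.15.0 was itself followed by further Log4j advisories (CVE-2021-45046 and later), so a live advisory feed would flag the bumped version again; a scanner only stays honest if its database keeps pace with the notifications the article describes.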
As part of Snyk’s recent commitment to reach and improve the experiences of 28 million developers worldwide, the company has relied heavily on the power of community and shared experiences. One example is its developer website, which is a community of security and coding professionals trying to learn from each other. Another is the company’s new series of developer events, one of which is titled “The Big Fix” and is set to launch on February 25.
Watch the full video interview below and be sure to check out more of SiliconANGLE and theCUBE’s coverage of the Introducing AWS Startups: Open Cloud Innovations event. (*Disclosure: Snyk Ltd. sponsored this segment of theCUBE. Neither Snyk nor other sponsors have editorial control over the content of theCUBE or SiliconANGLE.)