2020 Q1 in review—JVM ecosystem report, DevSecOps insights, and more

Welcome to the first of four posts in which we take a look back at all the highlights we have shared across the Snyk blog across 2020. Each of the four blog posts will pick three top highlights for each quarter of 2020, as well any honorable mentions we add along the way. Picking just three is hard, right? 2020 has been tough enough for us all, without adding unnecessary rules! So, sit back, grab a cold/hot brew, and let’s reminisce over the good times.

January 2020: Snyk closes $150M to accelerate developer-first security

In January, shortly after our company all-hands in Tel Aviv (pictured below), Peter McKay, Snyk CEO announced we had closed $150 million in funding to accelerate our vision to bring a new approach to application security.

This new approach adopts a wider view of what a modern cloud native application consists of. While this used to just be custom application code and third-party libraries that are then deployed onto a platform, today’s modern approach sees developers maintaining their application code, and container images, and infrastructure as code configurations. This broader view of what an application looks like, requires a complete platform of tooling that developers can use to support their security needs. I remember being so excited to hear how we will be accelerating this vision, and today, I’m proud to be part of the reality!

January 2020: DevSecOps Insights 2020

In the same month, Liran Tal, Director of Developer Advocacy at Snyk, released a study of the state of DevSecOps. In this study, Liran shares a number of insights from the Puppet 2019 State of DevOps report. There were two takeaways in particular that I found interesting from the report that I’d like to call out. The first statistic that I was kind of expecting was that one in three developers (31%) did not track their direct dependencies. We’ll never get, as an industry, to the stage where everyone does this, so it’s not too shocking. However, when we add this to the 38% of developers that only track direct dependencies, the vast majority of developers are not testing most of their dependency graphs. This is pretty scary. Ok, it’s 2020, so not that scary, but it’s not ideal.

The second statistic that I want to highlight is as sad as it is frustrating. One in two developers (48%) see security as a major constraint on the ability to deliver software quickly. What does this mean? How can security still be such a blocker? Well, the traditional form of security testing, such as audits or periodic long-running tests that are followed with lengthy reports are typical of the unnecessary hold-ups we used to experience. In today’s brave new world, with tooling that integrates into existing developer tools and DevOps pipelines, security testing should be considered and dealt with as if they were functional QA issues. Testing as you code, when you submit PRs, during CI pipelines, etc is very common, and fast. If you’re one of the 48% of developers that want to develop securely without slowing down your delivery pipeline, why not try Snyk for free and join the 52% of happy developers!

February 2020: JVM Ecosystem Report 2020

In February, we released our annual JVM ecosystem report, which showed a number of insights into how the Java space has been changing recently. The report, which is based on data from over 2,000 survey respondents, showed that 36% of developers have switched from using the Oracle JDK to an alternate OpenJDK distribution, over the previous year. This is significant as it’s likely a reaction to the licensing changes which Oracle made around their Oracle JDK. With other distributions being made available by communities like Adopt OpenJDK, and companies like Amazon with their Coretto distribution.

Which Java vendor's JDK do you currently use in production for your main application?

A disappointing but sadly predictable 64% of developers reported that Java 8 remained their most often used JDK version. To be fair, it’s a great version of Java and delivered many of Java’s best recent features, including Streams and Lambdas to name two of the most popular. However, while we all love a stable release that’s heavy on useful features, it’s also important that we keep up with the latest LTS versions at least.

A pleasant surprise is to see the continued success of Kotlin. The survey results show the JetBrains developed JVM language has overtaken Scala and Clojure, to become the 2nd most popular language on the JVM.

There were a few other posts that didn’t quite make the list but deserves an honorable mention, including the Ghostcat breach which affected all Tomcat versions at the time of publication, a security breach that leaked the personal data of all 6.5 million Israeli voters, and a couple of great cheat sheets about Django and Angular.

Thanks for reading! Next time we’ll take a look at the posts we released in the second quarter of 2020.