2020 Q3 in review—Snyk & DeepCode, Angular security best practices, and more

We’re up to July, August, and September now in our blog series that looks back at our year of posts and picks out some of the highlights from each quarter. Previously we wrote about the first and second quarters that looked back at a round of funding for Snyk, as well as the JVM ecosystem and the State of Open Source Security reports. In the third quarter, we look at some of the key pieces of news that really shaped our quarter, including another round of funding, a significant malicious library announcement, and an acquisition. Wow, what a quarter!

SEE ALSO: 2020 Q1 in review — JVM ecosystem report, DevSecOps insights, and more

August 2020: SourMint: malicious code, ad fraud, and data leak in iOS

In August, Alyssa Miller wrote a blog post that announced the research which the Snyk security research had worked on tirelessly to uncover malicious behavior from the mobile advertising platform company Mintegral, based in China. This research was led by Danny Grander and Kirill Efimov, and showed that the malicious code can spy on user activity by logging URL-based requests made through the app. In addition to this SDK fraudulently reports user clicks on ads, stealing potential revenue from competing ad networks and, in some cases, the developer/publisher of the application. Below is a demonstration of this malicious code in action:

At the time of writing this post, the team only found malicious code in the iOS version of the Mintegral SDK, however, later it was discovered that there was also malicious code in the Android distribution as well which led to further data leaks. It was also discovered that the iOS distribution also included a remote code execution which was detailed in a blog post written by Danny and Alyssa. This remote code execution was again demonstrated by the team in a video you can see below:

SEE ALSO: 2020 Q2 in review—State of Open Source Security report, DevSecOps Hub, and more

September 2020: Snyk Closes $200M to Modernize Security Industry

In September, Snyk CEO Peter McKay announced the closing of our latest funding round, an investment of $200 million. There were a couple of important things to note from this recent round. Firstly, wow, that’s a lot of money and it really gives us the flexibility and opportunity to accelerate our developer first and cloud native application security visions. Secondly, it’s a testament to all the hard work of everyone at Snyk that during the most challenging and unexpected years in all of our lifetimes, we were able to grow revenue by 275%, increased our headcount by 100%, and achieved a valuation of more than $2.6 billion. I find these numbers simply breathtaking. Almost three years ago when I joined Snyk I remember thinking that the company had a very strong potential, but I didn’t think it would grow so fast, mature so quickly and turn into the market leader we see today. I now look at Snyk and the potential it has today, and it’s hard to put into words the drive, mindset, and vision the team has. By the way, we’re hiring and you should definitely consider joining the Snyk family to be a part of our journey!

September 2020: Accelerating our developer-first vision with DeepCode

Also in September, Peter McKay announced an agreement to acquire DeepCode—an ETH Zurich spin-off founded by leading researchers in machine learning and programming languages. At the time of the announcement, we explained how DeepCode’s AI engine will help Snyk both increase speed and ensure a new level of accuracy in finding and fixing vulnerabilities, while constantly learning from the Snyk vulnerability database to become smarter. There was another gem to this story, which wasn’t announced till our inaugural SnykCon conference in October, which was a new SAST product announcement, but hey, you need to wait until the next post where we cover our October, November, and December blog posts to hear about that—NO SPOILERS!

Before the acquisition, DeepCode focused more heavily on code quality scanning, which ultimately uses a code scanning engine with QA rules. Importantly, the technology scans code 10-50x faster than alternatives, which enables real-time workflows within the development process. This is a huge improvement and a step forward, as in our first post of this series, we saw that one in two developers (48%) see security as a major constraint on the ability to deliver software quickly. Anything that speeds this up and integrates security seamlessly into the development workflow and pipeline is a big step forward.

Again there were many posts we could have picked from and we wanted to include more; however, we didn’t want this blog post to turn into a report, so here are some honorable mentions that we didn’t want to leave out! Brian Vermeer did a great job creating Snyk security badges for maintainers to proudly add to their repositories or websites to show their community they care about security and are working hard to minimize security risk. There was also a new ESG report that was released that did a great job in highlighting many of the security issues that Snyk is determined to address, including developer adoption and issue mitigation. A key issue among larger organizations that have very large lists of vulnerabilities is how they prioritize them to make sure they’re working on the most important threats first to mitigate their risk as best as they can. Daniel Berman wrote a cracking cheat sheet on how you can prioritize your vulnerability list, which takes many factors into account, including severities, exploitability as well as the reachability of the vulnerable code. Finally, but by no means least, one of our most popular cheat sheets around Angular security best practices was released by Liran Tal, covering six security best practices for when creating angular applications.

Thanks for reading! Next time we’ll take a look at the posts we released in the fourth and final quarter of 2020!