Applying risk management to DevOps practices with Snyk & Datadog

At SnykCon 2020, Datadog gave an informative talk about applying dynamic risk assessment to software development. More specifically, the company discussed how to use Snyk to measure and mitigate cybersecurity risks.

In this post, we’ll look at some common software risks, how to measure security risks, and how organizations can use Datadog and Snyk to automate risk management.

The types of software risks

There are numerous software risks in the domains of IT operations, development, and cybersecurity. These software-related risks, especially for customer-facing applications, can lead to a loss of revenue or consequences for the brand’s reputation.

In IT operations, the main risk is software downtime. Operations teams use things like disaster recovery strategies and strong service level agreements (SLAs) to ensure availability. For software development, there are several risks, such as failed feature releases, dropped sessions, and user interface (UI) bugs. Development teams often prioritize high test coverage and reducing technical debt to mitigate these risks.

Cybersecurity risks can be introduced by either operational or development teams (or both). The challenge is mitigating these security risks when they’re not as frequent or measurable compared to downtime, bugs, and other software-related risks.

“When it comes to cybersecurity, the impact to the business is more severe,” Andrew Krug, Technical Evangelist Security at Datadog, pointed out. “Since we’re not having security incidents every day, it becomes very hard to calculate the probability, so this is a great place to apply quantitative analysis.”

Measuring software security risks

Even though they may be less common, security risks can introduce serious consequences for the business. Identifying and measuring security risks is critical for mitigating negative outcomes. Achieving this requires creating a common language and framework for the entire business to use for scoring the impact of software security risks.

In classical risk management, there are two ways to measure risk: qualitative and quantitative. Quantitative risk assessment uses as much data as possible to reason about probability and consequences, while qualitative assessment relies on reasoning to rank the likelihood of an outcome. A combination of both approaches, however, can often lead to the most accurate risk assessment.

“Qualitative analysis becomes more and more powerful the more knowledge we apply to something,” Krug said, “and that can include quantitative and qualitative data.”

While many security incidents are caused by hacking or other malicious behavior, errors are actually the primary source of software risks. Errors continue to increase as software becomes more complex. Using quantitative data from code scanning tools is a powerful way to detect and remediate software errors or vulnerabilities to mitigate cybersecurity risk.

Using Datadog’s Snyk integration for risk management

DevSecOps can be thought of as a strategy for eliminating security vulnerabilities early in the development process. The security tools (like Snyk) used within DevSecOps processes can also collect an enormous amount of data that can be used for dynamic risk analysis.

“Your environment is already giving you risk signals. They’re already there, and you’re already clicking them, you just aren’t using them right yet,” said Daniel Maher, Developer Advocate at Datadog. “Our dynamic risk assessment approach is a way to leverage these existing risk metrics.”

Setting a risk budget—or an acceptable level of risk—is a data-based approach for quantifying the tradeoff between software quality and time-to-market. Business leaders can compare dynamic risk assessments against these risk budgets for each application to drive decision-making and produce better software products without introducing unnecessary risk. This can be done by taking the output from Snyk and other security tools, aggregating this data, and delivering this data to developers, DevOps teams, and other stakeholders.

Using Snyk, security teams can scan the software code itself and use the results to create a heatmap of dynamic risk. Security teams can also use qualitative information to further refine their dynamic risk assessments. For example, vulnerabilities within customer-facing software with sensitive data may have a higher risk score than an internal application with fewer users.

“We’re using these shift-left tools to add to our knowledge about the application itself,” explained Krug. “We can surface that data in dashboards and other tooling to get more eyes on where the relative risk of an application goes over time. That’s really powerful, because visibility is a driver for any security program or DevOps effort.”

With the Snyk integration, security teams can ingest security scanning data in Datadog to get real-time insights into production code. Datadog users can identify and remediate security vulnerabilities using the Continuous Profiler and view key insights related to security risks discovered in their applications. This gives organizations visibility into the dynamic risk of their applications within the same platform as their other monitoring and telemetry.

Want to learn more about reducing software risks with security scanning? Watch the full Datadog talk:Do you accept the risk? Dynamic risk metrics in your environment.