Announcing developer-first SAST with Snyk Code

Ravi MairaOctober 21, 2020

Earlier today, Snyk announced our forthcoming product, Snyk Code, our new developer-first Static Application Security Testing (SAST) offering, which expands our cloud native application security platform.

Snyk Code is powered by machine learning and other technologies from our recent acquisition of DeepCode. With this latest addition, Snyk’s platform provides security for all the components of the modern cloud native application—the application’s code, the open source libraries it leverages, the container it runs in, and the infrastructure as code that provisions it.

What is SAST?

Many developers may not be familiar with SAST. SAST, which stands for Static Application Security Testing, is used to test an application’s code and identify vulnerabilities that it may contain, and that could be exploited to attack the software. It tests the application by scanning the code, typically the source code, without executing it, and reports back any vulnerabilities it finds.

SAST re-imagined for the modern development team

Snyk has always been dedicated to the premise that security needs to be implemented developer-first in order to meet the speed and scale needs of software-driven businesses. For a while now, our customers have been asking us to provide a SAST solution that incorporates the developer-friendly experience we provide in our Open Source, Container and Infrastructure as Code products.

Unlike traditional SAST products in the market, which were primarily designed for security teams to test applications post-development, Snyk Code uses a revolutionary approach designed to be developer-first. The problem with traditional SAST products is that they do not work for developers: they are too slow, with scans that can take several hours, and they have poor accuracy, returning too many false positives and creating hours of wasted time as false alarms are chased down. This erodes developer trust in the tool. Traditional SAST products also require security expertise to make their output actionable so that the issues they find can actually be remediated.

As with the other products in Snyk’s cloud native application security platform, Snyk Code re-imagines SAST as a solution developers would want to use to build secure applications.

  • Dev-friendly – It’s in our DNA to provide a dev-friendly experience, enabling developers to build software securely rather than go back and fix problems long after the code has been compiled. Snyk Code is truly developer-centric, working in the IDEs and SCMs developers use to build and review software, and providing results that are meaningful and actionable so developers can fix issues.
  • Real-time – Speed is a critical differentiator in supporting rapid, agile development. Real-time speed allows the SAST solution to be used while developers are working in the IDE, as well as during code review in the SCM, rather than as a slow and unnecessary extra step. Thanks to the technology incorporated from DeepCode, Snyk Code scans 10-50x faster than other SAST products, enabling developers to use it while they develop rather than afterwards as a slow and disruptive step in their process.
  • Unparalleled accuracy – One of the most common things we hear from customers using other tools is the huge number of false positives. Given our focus on developers, we want to provide actionable findings that matter. The semantic analysis engine added via DeepCode, trained on Snyk’s Vulnerability Database, reduces false positives to near-zero.
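To make concrete what "scanning the code without executing it" means, and why a semantic engine reports far fewer false positives than pattern matching, here is a toy static analyser written for this article (added example code, not Snyk Code or DeepCode). It runs two scans over a constructed sample module: a naive substring match, which reports a constant command, a comment and a string literal alongside the real issue, and an AST-based check that flags only the os.system() call whose argument can carry caller-supplied data. Its taint rules (function parameters are the only sources; taint propagates through straight-line assignments inside one function) are simplifying assumptions of this example, not a description of any product's engine.

```python
import ast

# Constructed sample module to analyse (written for this example, not real project code).
SAMPLE = '''
import os

def list_dir(path):            # `path` is caller-supplied: treated as untrusted
    cmd = "ls " + path
    os.system(cmd)             # true positive: untrusted data reaches a shell

def housekeeping():
    os.system("ls -la /tmp")   # constant command string: no injection possible
    # os.system(legacy)        # a comment, never executed
    print("use os.system(cmd) with care")  # a string literal, not a call
'''

def textual_scan(source):
    """Naive pattern match: every line mentioning the sink, comments and strings included."""
    return [n for n, line in enumerate(source.splitlines(), 1) if "os.system(" in line]

def _reads_tainted(expr, tainted):
    """True if the expression references any name currently marked as tainted."""
    return any(isinstance(n, ast.Name) and n.id in tainted for n in ast.walk(expr))

def _is_os_system(call):
    """Match a call node of the form os.system(...)."""
    f = call.func
    return (isinstance(f, ast.Attribute) and f.attr == "system"
            and isinstance(f.value, ast.Name) and f.value.id == "os")

def semantic_scan(source):
    """AST-based check: report os.system() calls whose argument may carry untrusted data.
    Toy assumptions (not any product's engine): function parameters are the only taint
    sources, and taint propagates through straight-line assignments in the same function."""
    findings = []
    for func in ast.walk(ast.parse(source)):
        if not isinstance(func, ast.FunctionDef):
            continue
        tainted = {a.arg for a in func.args.args}
        for stmt in func.body:                      # statements in program order
            for node in ast.walk(stmt):
                if isinstance(node, ast.Assign) and _reads_tainted(node.value, tainted):
                    tainted.update(t.id for t in node.targets if isinstance(t, ast.Name))
                elif (isinstance(node, ast.Call) and _is_os_system(node)
                      and node.args and _reads_tainted(node.args[0], tainted)):
                    findings.append((func.name, node.lineno))
    return findings
```

Running textual_scan(SAMPLE) returns [6, 9, 10, 11] (three of the four hits are false positives), while semantic_scan(SAMPLE) returns [('list_dir', 6)], the one call a developer actually needs to fix.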

Why developer-first SAST matters

Bringing a frictionless dev-first approach to SAST, and providing this as a part of Snyk’s overall cloud native application security platform, provides several benefits for fast-paced development and security teams.

  • Improved developer productivity – Real-time testing integrated into developer workflows enables issues to be resolved quickly during the normal development workflow. This is when it is easiest and least disruptive to solve problems.
  • Reduced risk/improved security posture – Implementing SAST developer-first, and with unparalleled accuracy, results in more secure code being released on time, as fewer issues reach later stages of development. When security tests are run later in the process it can lead to ‘risk-vs-reward’ decisions, as the benefits of releasing innovations are weighed against the increased risk of deploying vulnerable applications.
  • DevSecOps – Modern development teams utilize DevOps to increase the overall speed and quality of software, but if security is left behind—in what looks more like an audit/gate step in the process—these benefits cannot be fully realized. Embedding security into the process helps realize the innovation promise of DevOps.
  • Efficiency from a single platform – Using different tools for different components of the cloud native application—one for code, another for open source, yet another for containers, Kubernetes and Terraform security, and so on—adds time and complexity, especially for developers who are typically not security experts to begin with. Using one tool to build all these elements of the modern application securely enables developers to develop fast and stay secure!

Widespread developer adoption has long been elusive for traditional SAST tools. Snyk Code finally gives developers a way to address code security issues easily, quickly and accurately, and to support the combined development and security mandate to rapidly deploy secure applications.

Read more about SAST vs SCA and how to leverage them to release secure software.