Announcing developer-first SAST with Snyk Code

Earlier today, Snyk announced our forthcoming product, Snyk Code, our new developer-first Static Application Security Testing (SAST) offering, expanding our cloud native application security platform. 

Snyk Code is powered by machine learning and other technologies from our recent acquisition of DeepCode.  Snyk Code is the latest addition to Snyk’s cloud native application security platform.  With this offering, Snyk’s platform provides security for all the components of the modern cloud native application—the application’s code, the open source libraries it leverages, the container it runs in, and the infrastructure as code that provisions it.

What is SAST?

Many developers may not be familiar with SAST. SAST, which stands for Static Application Security Testing, is used to test an application’s code and identify vulnerabilities that it may contain, and that could be exploited to attack the software.  It tests the application by scanning the code, typically the source code, without executing it, and reports back any vulnerabilities it finds.

Snyk has always been dedicated to the premise that security needs to be implemented developer-first in order to meet the speed and scale needs of software-driven businesses.  For a while now, our customers have been asking us to provide a SAST solution that incorporates the developer-friendly experience that we provide in our Open Source, Container and Infrastructure as Code products. 

Unlike traditional SAST products in the market, which were primarily designed for security teams to test applications post-development, Snyk Code uses a revolutionary approach designed to be developer-first.  The problem with traditional SAST products is that they do not work for developers: they are too slow, with scans that can take several hours; they have poor accuracy, returning too many false positives, creating hours of wasted time as false alarms are chased down. This erodes developer trust in the tool and they require security expertise to make their output actionable in order to remediate the issues they find. 

As with the other products in Snyk’s cloud native application security platform, Snyk Code re-imagines SAST as a solution developers would want to use to build secure applications. 

• Dev-friendly - It’s in our DNA to provide a dev-friendly experience, enabling developers to build software securely rather than try to go back and fix problems long after the code has been compiled. Snyk Code is truly developer-centric, working in the IDEs and SCMs developers use to build and review software, and providing results that are meaningful and actionable for developers to enable fixing issues.

• Real-time- Speed is a critical differentiator to support rapid, agile development. Real-time speed allows the SAST solution to be leveraged while developers are working in the IDE, as well as during code review in the SCM, rather than a slow and unnecessary extra step.  Thanks to the technology incorporated from DeepCode, Snyk Code scans 10-50x faster than other SAST products, enabling developers to use it while they develop, rather than after they develop as a slow and disruptive step in their process.

• Unparalleled accuracy - One of the most common things we hear from customers using other tools is the huge amount of false positives. Given our focus on developers, we want to provide actionable findings that matter. The semantic analysis engine added via DeepCode, trained on Snyk’s Vulnerability Database, reduces false positives to near-zero.

Why developer-first SAST matters

Bringing a frictionless dev-first approach to SAST, and providing this as a part of Snyk’s overall cloud native application security platform, provides several benefits for fast-paced development and security teams.

• Improved developer productivity - Real-time testing integrated into developer workflows enables issues to be resolved quickly during normal development workflow.  This is when it is the easiest and least disruptive to solve problems. 

• Reduced risk/improved security posture - Implementing SAST developer-first, and with unparalleled accuracy, results in more secure code being released on time, as fewer issues reach later stages of development. When security tests are run later in the process it can lead to ‘risk-vs-reward’ decisions, as the benefits of releasing innovations are weighed against the increased risk of deploying vulnerable applications. 

• DevSecOps - Modern development teams utilize DevOps to increase the overall speed and quality of software, but if security is left behind—in what looks more like an audit/gate step in the process—these benefits can not be fully realized.  Embedding security into the process helps realize the innovation promise of DevOps.

• Efficiency from a single platform - Leveraging different tools for different components of the cloud native application—one for code, another for open source, yet another for containers, Kubernetes and Terraform security, etc adds time and complexity—especially for developers who are typically not security experts to begin with.  Leveraging one tool to build all these elements of the modern application securely enables developers to develop fast and stay secure!

Widespread developer adoption has long been elusive to traditional SAST tools and Snyk Code finally offers the key to developers being able to easily, quickly, and accurately address code security issues and effectively support the combined development and security mandate to rapidly deploy secure applications.

Read more about SAST vs SCA and how to leverage them to release secure software.