
Joining forces with FossID to extend developer-first security to C/C++ applications


May 12, 2021


I’m excited to announce the acquisition of FossID, extending Snyk’s developer-first security capabilities with deeper C/C++ support and enhanced license compliance!

Snyk’s vision has always been to empower developers to secure their applications, enabling the speed and scale required by technology-driven companies. Over 2M developers worldwide are building software securely with Snyk integrated throughout their development process, and security teams are leveraging the visibility, accuracy and control Snyk provides to successfully manage and mitigate risk.

With the acquisition of FossID, Snyk will accelerate this vision, bringing developer-first security to development teams that build in C/C++ and using FossID’s open source compliance and security capabilities to enhance the C/C++ support and license compliance capabilities of Snyk Open Source across all environments.

Modernizing C/C++ development

The ability to work directly with hardware has helped C and C++ remain prevalent in resource-constrained systems that require optimized efficiency and performance. Roughly 6.3M developers worldwide are using C/C++ to build applications today, including financial and banking applications, embedded/IoT, gaming, databases, and legacy enterprise applications.

Just like any language, both C and C++ have evolved since their inception. Digital transformation and the shift in the way modern software is built have all highlighted the need for better build processes and development tools that support reproducible, fast, and secure deployments.

It has been fascinating to see development teams using C/C++ modernize the way they build their applications by adopting DevOps and agile processes. Increasingly, projects like Clang, CMake and Conan are being leveraged to gain more control over build processes and package management. IDEs like Visual Studio, VS Code, and JetBrains’ Rider are being used to deliver quality code more rapidly.

Empowering C/C++ developers to secure their code

But change is difficult, especially for programming languages with roots going back almost half a century. According to the 2020 C++ community survey, build times (42%), setting up continuous integration pipelines (32%), and library management (47%) are still major pain points. Security is also a major challenge, with over half of respondents in the survey expressing concern over inherent safety issues and security vulnerabilities.

DevOps, and more specifically DevSecOps, calls for automation and overall tighter integration of security into development workflows, but applying these principles to the world of C/C++ is not straightforward. C/C++ development teams are faced with codebases containing large amounts of legacy code. Unlike newer web languages, which typically declare which open source packages they use in a manifest, most open source in C/C++ apps is consumed by directly embedding code and binaries into the app without declaring it, making it hard to identify and manage open source use.

Aside from the security hurdles baked into C/C++, existing security solutions were not designed for developers and do not integrate well into development tools and processes. Additionally, slow scans and inaccurate results introduce friction and hamper developer adoption. Between technical debt, embedded open source, and tools that weren’t designed for developers, securely coding in C/C++ has never been easy.

But Snyk’s vision from the very start has been to enable developers to take more ownership for security by providing them with best of breed developer experience and security expertise. Integrating with FossID’s technology will enable us to extend our developer-first approach to C/C++ developers and support modernization efforts in this development ecosystem.

Simplifying license compliance management

C/C++ is the dominant language for embedded apps. Since these apps are physically shipped and harder to update, they are especially sensitive to open source license compliance, and often require deeper audits and highly accurate inventory tracking. Many organizations require the scrutiny to go beyond library use and into the code snippets developers may have pasted into the code, without being aware of license constraints.

As with security vulnerabilities, identifying and preventing such license issues early can lead to dramatic savings in person time and reduced legal risk. And as with security, such early detection isn't just a matter of running the test early; it requires empowering developers to do so themselves. FossID has built a powerful license compliance engine, able to inspect applications as deeply as a customer requires and with incredible speed and accuracy. Combining that with Snyk's developer-first approach will help customers achieve their high compliance bars in a manner that scales and minimizes impact on development cycles.

Integrating FossID technology with Snyk

FossID is a Sweden-based company that was founded in 2016 by a talented team of entrepreneurs who shared a vision for building a technological solution that helps companies use open source with minimal legal and security risk.

FossID’s groundbreaking analysis and detection technology is being used today by hundreds of companies worldwide to use open source to build their applications in a safe and compliant manner. FossID capabilities include:

  • The ability to identify vulnerabilities in all forms of open source software with support for undeclared source code, including code snippets.

  • A comprehensive knowledge base containing the equivalent of more than 2PB of machine-harvested source code from all the world’s known open source repositories.

  • AI-powered analysis that automatically eliminates false-positives to help limit manual post-processing efforts.
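To make concrete why undeclared, embedded open source is hard to find in a C/C++ tree and how fingerprint-based matching against a knowledge base surfaces it, here is a small added example. It is not FossID's engine or Snyk's code: it is a toy matcher that strips comments and whitespace from C sources, hashes short windows of consecutive normalized lines (shingles), looks those hashes up in a constructed two-entry knowledge base, and flags files that match a component the project never declared. The component names, licenses, file paths and source snippets are all constructed for the example.

```python
"""Toy fingerprint matcher for undeclared open source in a C/C++ tree.

Added example, not FossID or Snyk code. The knowledge base, licenses,
file paths and sources below are constructed for illustration.
"""
import hashlib
import re
from typing import Dict, List, Set, Tuple

WINDOW = 3  # normalized lines per shingle; larger windows trade recall for precision

# Simplified comment stripper: ignores '//' inside string literals.
_COMMENT_RE = re.compile(r"//.*?$|/\*.*?\*/", re.DOTALL | re.MULTILINE)


def normalize(source: str) -> List[str]:
    """Drop comments, collapse whitespace and blank lines so that re-indenting
    or re-commenting a vendored copy does not defeat the match."""
    text = _COMMENT_RE.sub("", source)
    lines = []
    for line in text.splitlines():
        line = re.sub(r"\s+", " ", line).strip()
        if line:
            lines.append(line)
    return lines


def shingles(lines: List[str], window: int = WINDOW) -> List[Tuple[int, str]]:
    """Return (start_index, hash) for every window of consecutive lines."""
    out = []
    for i in range(len(lines) - window + 1):
        chunk = "\n".join(lines[i:i + window]).encode()
        out.append((i, hashlib.sha256(chunk).hexdigest()[:16]))
    return out


def build_index(kb: Dict[str, Tuple[str, str]]) -> Dict[str, Set[str]]:
    """kb maps component name -> (license, source). Returns hash -> component names."""
    index: Dict[str, Set[str]] = {}
    for name, (_license, src) in kb.items():
        for _, h in shingles(normalize(src)):
            index.setdefault(h, set()).add(name)
    return index


def scan_file(source: str, index: Dict[str, Set[str]],
              kb: Dict[str, Tuple[str, str]]) -> Dict[str, Tuple[float, str]]:
    """For one file, return component -> (fraction of its shingles that match, license)."""
    sh = shingles(normalize(source))
    if not sh:
        return {}
    hits: Dict[str, int] = {}
    for _, h in sh:
        for name in index.get(h, ()):
            hits[name] = hits.get(name, 0) + 1
    return {name: (count / len(sh), kb[name][0]) for name, count in hits.items()}


def report(tree: Dict[str, str], index: Dict[str, Set[str]],
           kb: Dict[str, Tuple[str, str]], declared: Set[str],
           threshold: float = 0.5) -> List[Tuple[str, str, str, float]]:
    """Flag (path, component, license, fraction) where an undeclared component
    accounts for at least `threshold` of a file's content."""
    findings = []
    for path, src in tree.items():
        for name, (frac, license_id) in scan_file(src, index, kb).items():
            if frac >= threshold and name not in declared:
                findings.append((path, name, license_id, frac))
    return findings


# Constructed knowledge base: two fictional components with their licenses.
KNOWLEDGE_BASE: Dict[str, Tuple[str, str]] = {
    "libfoo": ("GPL-2.0-only", """/* libfoo - constructed sample, not a real project */
#include <stdint.h>
uint32_t foo_hash(const uint8_t *p, size_t n) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 16777619u;
    }
    return h;
}
"""),
    "libbar": ("MIT", """/* libbar - constructed sample */
#include <string.h>
size_t bar_len(const char *s) {
    return strlen(s);
}
"""),
}

# Constructed project tree: one vendored copy of libfoo with new comments and
# indentation plus a local helper, one declared copy of libbar, one in-house file.
SAMPLE_TREE: Dict[str, str] = {
    "third_party/hash.c": """// pasted in without attribution, re-indented with tabs
#include <stdint.h>
uint32_t foo_hash(const uint8_t *p, size_t n) {
	uint32_t h = 2166136261u;   // offset basis
	for (size_t i = 0; i < n; i++) {
		h ^= p[i];
		h *= 16777619u;   /* prime */
	}
	return h;
}
int foo_selftest(void) { return foo_hash((const uint8_t *)"a", 1) != 0; }
""",
    "third_party/bar.c": KNOWLEDGE_BASE["libbar"][1],
    "src/main.c": """#include <stdio.h>
int main(void) {
    printf("hello\\n");
    return 0;
}
""",
}
DECLARED: Set[str] = {"libbar"}  # what the project's own inventory lists

if __name__ == "__main__":
    idx = build_index(KNOWLEDGE_BASE)
    for path, name, license_id, frac in report(SAMPLE_TREE, idx, KNOWLEDGE_BASE, DECLARED):
        print(f"{path}: {frac:.0%} matches undeclared {name} ({license_id})")
```

Run stand-alone, the script flags only `third_party/hash.c`: its normalized content matches libfoo's fingerprint for seven of eight shingles despite the changed comments and indentation, while `third_party/bar.c` is skipped because libbar is declared and `src/main.c` matches nothing. A real engine works the same way at vastly larger scale, with snippet-level rather than whole-file matching and a knowledge base harvested from public repositories, but the check a developer wants is the same: which files contain code whose origin and license the project has not accounted for.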

Integrating FossID technology into Snyk’s platform will extend its software composition analysis capabilities to better support C/C++ teams and enhance license compliance. I’m looking forward to witnessing the integration of FossID’s technology into Snyk and believe it will empower additional development teams around the world to rise up to the challenge of securing their code!

FossID’ers — welcome to the family!
