Skip to main content

Interview with an engineer: Diving into modern SAST

Written by:
Snyk Team

Snyk Team

wordpress-sync/feature-saar-kuriel

May 18, 2022

0 mins read

We sat down with Saar Kuriel, a Senior Software Engineer, based in Tel Aviv, to learn more about the exciting projects he’s working on as part of the Snyk Code team.__We also discussed his career path, project management techniques, technical challenges he’s overcome, and his future goals.

wordpress-sync/blog-sdr-engineer-interview-saar

Jess Katz (JK): Hi Saar! I’m very excited to learn about your experience in engineering and the new project you began working on recently. Before we get started, can you tell me a bit about yourself and how you got to Snyk?

Saar Kuriel (SK):Sure! Prior to joining Snyk, I worked at Wix for 3 years. I started as a frontend engineer, and became an engineering manager for a team of 6 developers two years later. After working in this management role for a year, I decided to change the product area and career path I was pursuing. I wanted to focus on the technical side of engineering while still making an impact on the organization — preferably on a disrupting, innovating B2B product. I’m passionate about cybersecurity and knew Snyk’s products have a reputation for quality, so I I decided to pursue a position. I currently work on Snyk Code, our revolutionary, developer-centric SAST tool.

JK: What has the transition from being an Engineering Manager to an Individual Contributor (IC) here at Snyk been like for you?

SK:I’ve contemplated this a lot along my career. I know how to lead and grow others, and have always felt that I wanted to influence decision-making. But I also like my profession and I don’t want to lose my technical skills and daily coding work. The feedback I got from managers over my career is that I have good leadership skills and should take the management path, so I did. However, during that time I often felt like I wasn’t prioritizing my work correctly. When I would continue coding, I felt like I wasn’t doing enough for the team. But when I didn’t code at all, I wasn’t happy with myself. This helped me realize that I needed to find a different path, and I chose IC.

My goal in my current role is to be technically proficient in and responsible for my group’s systems, promote engineering needs from the organization, improve and grow our product, and allow myself to take risks while knowing how to mitigate failure. I also want to mentor other team members so they can be comfortable expressing their opinions and feel they have an impact on the group. In order to achieve these goals, my engineering manager and I set some objectives and key results (OKR’s), such as mentoring a new joiner to our team, helping to improve the team’s system SLIs, and meeting with people that share my goals to learn from each other. My manager pointed me to the right people, helped me define I want from myself, and set milestones for my larger goals, Which we revisit every week in our 1:1.

JK: What’s one of the most challenging projects you are working on right now?

SK:I'm currently working on refactoring one the core components of Snyk Code, our advanced static application security testing (SAST) tool Since I’m working on an existing component, I need to think like the person who initially wrote the code and work to mitigate potential future issues. You always learn when you read other people’s code.

This component is crucial because it handles communication with all types of SCMs (source code management) and processes the repositories for analysis before they reach the AI rule engine.One of Snyk Code’s killer features is its speed of analysis and I don’t intend to be the one who changes that. You can imagine the level of responsibility I feel working on this project, the challenge I’m facing, and the amount of trust I've received.

We sat down with our team’s architect and fellow engineers to sketch the new APIs and design our roadmap. During this, we discussed the pros and cons of each approach, what risks might arise, and how to mitigate them. We also analyzed why things are currently done the way they are, so we don’t lose context or current features.

We also considered different technologies we could use and decided to experiment. We decided to use Go as the programming language for its simplicity and inherent ability to parallelize. Prior to this, I had no experience with Go whatsoever, so that’s been a fun challenge.

JK: What are some of the challenges you’ve encountered so far?

SK:This is going to be a technical answer.One of the challenges we encountered is how we can best cache source code cloned from the SCM to reduce our interactions with the SCM and speed up our total analysis time. The solution must also work in an on-premise environment — which might not have internet access — and be able to scale on demand, since code security is one of the top priorities for our shared cloud infrastructure.

After some investigation, we decided to use shallow cloning with a specific commit SHA (secure hash algorithm), storing it in MongoDBs and using GridFS to easily interact with large source code files and while maintaining flexibility in the content we’re storing. Before reaching this decision, we examined Redis, but its value size limitation and cache eviction didn’t fit our needs. We also examined EFS, but it would have been hard to deploy and scale in our on-prem solution.

Our team, and Snyk overall, prioritizes the balance between innovation, agility, and quality, to produce scalable, reliable software. For example, we recently transformed a functionality within this codebase to make it a separate service. It already does its own thing, completely separate from the rest of the APIs. So why not decouple it and make this project’s code base more agile?

JK: What excites you most about this project?

SK:Many things! First, I have full support from my managers to experiment, discuss, and make sure we do this right. There is no deadline pressure, which allows me to focus and think clearly. I’m also exactly where I want to be career-wise, and am tackling things in domains I've never worked in before. I'm contributing to an effort that's revolutionizing our product. And I get to experience all of this with the guidance and help of my amazing team!

Being able to work on a project like this so early in my tenure at Snyk really helped me understand that my managers trust me and see that I have a strong passion to contribute. It’s really important that you and your manager are aligned right from the start, especially as an engineer. Taking on this project allowed me to express my opinion, experiment, and also learn a new programming language which is awesome.

Being able to learn a new language doesn’t happen every day. While some engineers might find it exhausting, others, like me, really love it. Our world is constantly evolving, new technologies and challenges arise every day and it’s important to keep our skills up-to-date and as broad as possible so we know the best tool for every situation. Plus, learning while crafting something valuable — instead of just writing an example app — is really exciting.

JK: How would you describe the overall engineering culture at Snyk?

SK:The best thing about Snyk, and the engineering culture in particular, is the level of transparency we have here. We have visibility to almost everything that’s going on in the company, so it’s easy to get involved in different projects and understand what’s going on in different departments. Snyk is transitioning from being a small startup to a large scale company, and because of that the engineering culture is currently being built. This makes it even more appealing, since you’re able to contribute to this effort and really make a difference. You get to leave your stamp and learn a lot from others.

Interested in building a career at Snyk? Check out our open roles and learn more about what life at Snyk is like.

wordpress-sync/feature-saar-kuriel

The importance of DevSecOps: 6 benefits of the DevSecOps model

Transitioning from DevOps to DevSecOps is not as simple as handing an already busy DevOps team a set of security KPIs. Read this whitepaper for the keys to fostering a collaborative, shared culture of rapid iteration.