Scaling security with DevSecOps at a Forbes Cloud 100 company

Snyk has been named to the Forbes 2020 Cloud 100, the definitive ranking of the top 100 private cloud companies in the world, published by Forbes in partnership with Bessemer Venture Partners and Salesforce Ventures!

We are honored to be included in this selective group of global companies transforming the industry with their modern approach to software development, software delivery and securing their cloud-based and digital environments.

“The growing demand for secure digital transformation highlights the need for a modern approach to cloud-native application security. We are proud of this recognition that our mission to deliver developer-first security is setting a new standard of leadership in the public cloud computing market.” said Peter McKay, CEO of Snyk.

So what do all of these market leading organizations named to this list have in common?

From our view of this incredibly dynamic and agile market — it’s a modern approach to the way they build, deploy, secure and support cloud based services and their global customers.

For us, a modern approach to cloud native application security goes hand in hand with a modern DevOps oriented organization — one that prioritizes speed, automation, and collaboration. And for those cloud-based companies that are building and delivering software, it’s even more critical to have security integrated into the software development from the beginning.

Rethinking security for cloud companies

More and more companies are using technology and software to differentiate themselves and stay competitive in their respective industries. Because of this, the pace of development is more rapid than ever before.

The cloud gives organizations the ability to turn hardware and slow-moving apps with massive once per year updates, into on-demand software, adding new capabilities to their businesses, all while scaling to meet customer demand. Traditional security processes can’t and won’t support this fast-pace of innovation because security gates placed at different stages of the delivery pipeline either slow down development—or get ignored.

Learn more about how the cloud is transforming IT security into AppSec in this blog post.

Developer-first security & DevSecOps

DevSecOps is an approach that includes people, processes and tools that embed security early—it enables self-sufficient teams, and accelerates business instead of slowing it down. In other words, it’s developer-led, with security experts as a partner that empowers this change.Developer-first security means security design, security testing, security backlogs, and remediation is part of the everyday workflow for developers, enabling development teams to be more self-sufficient and secure applications as they build them, to ultimately accelerate the pace of development. 

Moving to this type of shift-left security model requires a couple of key components worth noting for success:

• Security mentorship.Adapting from implementor to mentor is not easy, and security experts will be needed to guide and educate as responsibilities move to development teams. If security teams can commit to distributing their knowledge and empowering developers, there will be more success in securing applications as a shared initiative.

• Having the right tools.What you teach while mentoring needs to be mirrored in the tools developers use every day. Successful developer-first security models require security solutions that see the developer as the most important user. There’s a persistent myth out there that developers don’t care about security; we don’t believe that’s true and it’s not what we see in our most successful customers. What we do see, however, is the tension between developers needing to move ever faster, versus a slew of new, fast-moving security responsibilities being added to their plate. So while most developers do, in fact, care about security, legacy tools that present long lists of security violations are not helpful. Instead, solutions for the new DevSecOps era look like developer tools—because they are developer tools! This means security details are still available for those who want them, but first and foremost is the information required to fix the issue, integrated into development workflows in a frictionless and native way, which goes a long way in driving developer adoption.

For more tips on implementing or improving upon your organization's DevSecOps program, read Gartner’s recommendations. Whether DevSecOps is brand new to your org, or if you’ve been practicing this approach for years, we’d love to chat.

Ready to Start?