Webinar recap: Snyk and the new era of software security

Snyk’s Senior Product Marketing Manager, Frank Fischer, recently hosted a webinar about the value in using a developer security platform to secure code, dependencies, containers, and infrastructure as code (IaC).

During this talk, Fischer discussed the shift in software security that has occurred over the past decade, the need for developers to take part in the security process, and the value of Snyk in securing the entire development lifecycle.

In this blog post, we’ll highlight some of the key insights from the presentation.

A paradigm shift in software security

In the pre-cloud era, there was a very clear distinction between the operational and development sides of software. Developers would plug away with application code, adding in dependencies here and there, before tossing that code to the operations team responsible for software deployment and maintenance.

This inevitably lead to a rift between the two sides. Developers weren’t motivated to own the reliability of the product, and operations folks didn’t prioritize shipping quickly, preferring to focus on ensuring the integrity of the infrastructure.

Now, with the advent of cloud-first architectures and the widespread adoption of DevOps, businesses are uniting skills, processes, and tools from every part of engineering and IT — including cybersecurity. This means many of the software security issues that were previously handled by operations — such as unpatched operating systems, open ports, and incorrect infrastructure configuration — now fall under the purview of software development.

As a result, developers who may not have security experience are increasingly accepting responsibility for vulnerabilities. On the flip side, IT operations is taking on development tasks. All of this begs the question: Where exactly should cybersecurity be incorporated into the DevOps life cycle?

DevOps requires developer-first security

Rather than having a special step where security is introduced, we believe security should be integrated across every step of the DevOps cycle. This idea is called developer security operations, or DevSecOps. With DevSecOps, everyone is accountable for software vulnerabilities with the goal of preventing breaches and associated data loss.

There are two primary reasons why DevSecOps is important for software development. The first is that if you treat cybersecurity as a special step that falls at a specific point in the DevOps lifecycle, you’re reverting back to a waterfall approach that stops the flow and creates a bottleneck. Tickets are building up, code is waiting to be scanned, and problems are being triaged slowly. This is a lose-lose situation for everyone involved.

Another big reason to embrace DevSecOps is that there are more developers than security professionals in today’s labor market. According to Cyberseek, only 68 qualified workers are available for every 100 cybersecurity jobs, and more than 600,000 jobs open up for cybersecurity professionals every year in the U.S.

That’s why, at Snyk, we believe software security should start with the developer. However, this shouldn’t happen in a way that feels burdensome or gives developers a heavier workload. They should feel empowered to make changes that promote security and reduce vulnerabilities within their existing workflows and processes.

How Snyk supports a secure, intuitive development experience

Our cloud-native application security platform gives developers the ability to own and build security for the entire application, from code and open source to containers and cloud infrastructure. Snyk works like a developer tool, which means it integrates seamlessly into their existing tools, pipelines, and workflows across every stage of the software development lifecycle:

• Snyk Code allows you to find and fix vulnerabilities in your application code in real-time during the development process. This includes AI-powered semantic code analysis that surfaces security issues along with explanations and examples.

• Snyk Open Sourcehelps youautomatically identify, prioritize, and remedy vulnerabilities in your open source dependencies. This includes the ability to automate fixes with a one-click fix pull request populated with the required upgrades and patches.

• Snyk Containergives you the ability to quickly find and fix vulnerabilities in your containers and Kubernetes applications. For example, Reddit used Snyk Container to reduce vulnerabilities in their images by 94%.

• Snyk IaCenables you to find and fix Kubernetes, CloudFormation, and Terraform IaC problems as code is being written and as it’s run through your CI/CD pipelines. This lets you meet security team requirements in one go by detecting and fixing misconfiguration issues as early on as possible.

Industry-leading security intelligence for all

One “X factor” that separates our DevSecOps technology is our industry-leading security intelligence. We have a comprehensive security intelligence database that is maintained by a dedicated research team and combines public sources, contributions from the developer community, proprietary research, and machine learning to continuously adapt to the rapidly evolving and emerging threats seen today.

The other essential element of our security intelligence is how we communicate new findings to Snyk users, so they’re always in the know about what’s currently happening. This allows our community members to act rapidly and make informed decisions regarding next steps and what actions must be prioritized.

Secure your entire development lifecycle

In today’s business and cybersecurity landscape, every second counts. You can’t afford to have any points of friction or misfires that may lead to a catastrophic security incident somewhere down the line. Snyk gives you the ability to put security expertise into any developer's toolkit regardless of their experience with DevSecOps best practices.