November 9, 2022
We’re pleased to announce the open beta of Snyk’s new and revamped reporting capabilities, providing development and security teams with easy, comprehensive, and granular visibility into risk across their applications.
This is the first stage in a multi-layered effort to overhaul and continuously improve Snyk's data services. Snyk acquired data analytics company TopCoat earlier this year to help spearhead this effort. The new security reporting capabilities we’re announcing today represent the first — and definitely not the last — step in making data analytics a core feature within the Snyk platform. We’ll announce other new ways to extract value from Snyk's security data in the near future.
Snyk customers on either the Business or Enterprise plan can now access these new capabilities via the Snyk UI. To enable them, click Settings, then Snyk Preview.
The need for good visibility
In a DevSecOps culture, all the teams building an application are also collectively responsible for securing it. This type of culture is difficult to develop and maintain over time without proper visibility into risk. Lacking visibility, security teams and leaders cannot accurately track and gauge the overall risk posture of an organization. Nor can they effectively prioritize remediation efforts for development teams, who — tasked with fixing issues that should not have been prioritized in the first place — waste valuable development time. This can lead to a lack of confidence in security processes.
Gaining good visibility, though, is no easy task. Modern, cloud native applications introduce risk via multiple components, including of course the custom code written in-house by developers, but increasingly also via open source packages, containers, and infrastructure as code. Traditional security tools used to scan these components for vulnerabilities are often deployed inconsistently, resulting in visibility gaps or disparate sets of reporting data. Furthermore, the security data generated by these tools is often unwieldy, difficult to consume, and lacks actionable insight.
Snyk’s revamped reporting
Snyk’s revamped reporting capabilities provide development and security teams with the visibility needed to hold data-based conversations that drive shared responsibility, accountability, and effective remediation across the organization.
Snyk’s revamped reporting implements best-in-class data processing tools to ensure optimized performance and reliability. The reporting feature also provides comprehensive coverage across all the components of modern applications in one central location, and enables role-based data access to users across the organization. And it’s easy to use!
With Snyk’s new reporting capabilities, users can:
Identify and report on the most significant risks, and set priorities for what to remediate.
Describe the type, volume, and criticality of vulnerabilities detected and applications impacted.
Track the pace and progress of remediation.
Display long-term and high-level metrics.
Showcase trends and communicate priorities, progress, and risks to executives, boards, customers and partners.
Let’s take a closer look at some of the key new features available as part of the open beta.
Easily access, analyze and share security reporting data
Snyk has always focused on making it easy for users to develop fast while staying secure. Ease-of-use and seamless workflows are extremely important when trying to gain visibility into risk, and our revamped reporting capabilities were designed with this in mind.
Filtering and sorting
Snyk’s reports can be sliced and diced to ensure you’re getting the specific view you need to answer your security questions.
Tables can be sorted and adjusted to show the columns you’re most interested in, and new filters are also available to help you more easily drill down into the data that matters to you.
You can filter by Snyk product (including Snyk Code — more about this later!). This helps you quickly focus on a specific type of issue. For example, you can choose to focus only on issues in your open source dependencies, or only on issues in your infrastructure as code.
New filters include Package Name, CVE, CWE, Last Introduced Date, Last Resolved Date, Project Tags and Projects Attributes, and more.
This is extremely useful if you are trying to quickly identify specific types of issues in particular projects. In the example below, we have identified the Log4Shell vulnerability in three critical projects:
The sharing experience has also been upgraded. Filters are now persistent in the URL. Using the Copy URL button on the top-right corner of the page, you can easily share the URL of the view with your teammates. Likewise, reports can now be exported into a formatted PDF (or CSV file) for easier sharing with business stakeholders.
A unified view into risk across your applications
As mentioned, application risk can be introduced via each of the components making up an application’s source code. Snyk’s reporting also includes Snyk Code, meaning you can now track and report on security issues introduced by code your developers built in-house, in addition to issues introduced via your open source dependencies, containers, and infrastructure as code configurations. This provides comprehensive visibility into risk across your applications in one centralized location, dramatically simplifying your reporting workflows.
Provide the answers to different types of security questions
Whether you’re comparing remediation efforts across teams, verifying compliance with OWASP’s Top 10 list, responding to a critical zero-day vulnerability, or sharing an executive summary with your board of directors — Snyk’s revamped reporting provides the answers to your specific questions by equipping you with the data you need and the tools to analyze it.
The revamped reporting also ships with built-in reports that cater to a wide range of different use cases.
Provides a comprehensive and detailed list of all the issues identified by Snyk across your applications. This report is ideal for helping teams prioritize remediation according to whatever issue management strategy they follow in practice — for example, by severity, project criticality or type, specific CVE/CWE and more. It can also help you understand whether you are compliant with specific industry standards, such as the OWASP Top 10.
Provides a comprehensive and detailed list of all the unique vulnerabilities identified by Snyk across your applications. Similar to the Issues Detail report, this report is ideal for helping teams prioritize remediation, but also for helping you audit your applications and identify your exposure to specific vulnerabilities.
In the example below, we’ve filtered the report to identify all occurrences of the Log4Shell vulnerability (CVE-2021-44228) across all our open source projects.
Provides an aggregated, high-level overview of risk across your applications, highlighting metrics such as number of issues identified and resolved and mean time to resolution. This report also provides graphs describing exposure windows, time to resolution over a specific duration of time, and a risk breakdown table. It is ideal for measuring success as well as reporting to executives and business stakeholders.
With the new sorting and filtering options mentioned above, you can drill down into the data in these reports to ensure that you have the level of granularity you need to answer your specific security questions.
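To make the metrics described above concrete, here is an added example (not Snyk's code, and not the real schema of its CSV export) that performs the same kind of analysis on a CSV export: it filters issues by CVE the way the Log4Shell example above does, lists the affected projects, and computes mean time to resolution and the exposure window of issues that are still open. The column names and the sample rows are constructed assumptions; adjust the header mapping to whatever columns your actual export contains.

```python
import csv
import io
from datetime import datetime
from statistics import mean

# Constructed sample export. This is NOT a real Snyk CSV; the column names
# (project, product, package, cve, cwe, severity, introduced, resolved) are
# assumptions chosen for this example. An empty "resolved" means still open.
SAMPLE_CSV = """project,product,package,cve,cwe,severity,introduced,resolved
payments-api,Open Source,log4j-core,CVE-2021-44228,CWE-502,critical,2021-12-10,2021-12-13
checkout-web,Open Source,log4j-core,CVE-2021-44228,CWE-502,critical,2021-12-10,2021-12-20
legacy-batch,Open Source,log4j-core,CVE-2021-44228,CWE-502,critical,2021-12-10,
infra-main,Infrastructure as Code,,,CWE-284,high,2022-01-04,2022-01-06
checkout-web,Code,,,CWE-79,medium,2022-02-01,
"""

DATE_FMT = "%Y-%m-%d"


def load_issues(text):
    """Parse the export and convert the two date columns to datetime objects."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["introduced"] = datetime.strptime(row["introduced"], DATE_FMT)
        row["resolved"] = (
            datetime.strptime(row["resolved"], DATE_FMT) if row["resolved"] else None
        )
    return rows


def filter_issues(rows, **criteria):
    """Keep rows whose columns equal every given value (case-insensitive).

    Mirrors the UI filters: filter_issues(rows, cve="CVE-2021-44228") or
    filter_issues(rows, product="Open Source", severity="critical").
    """
    def matches(row):
        return all(
            str(row.get(column, "")).lower() == str(value).lower()
            for column, value in criteria.items()
        )

    return [row for row in rows if matches(row)]


def affected_projects(rows):
    """Distinct project names in the filtered set, sorted for stable output."""
    return sorted({row["project"] for row in rows})


def mean_time_to_resolve_days(rows):
    """Mean days from introduction to resolution over resolved issues only."""
    durations = [
        (row["resolved"] - row["introduced"]).days for row in rows if row["resolved"]
    ]
    return mean(durations) if durations else None


def exposure_days(rows, as_of):
    """Days each still-open issue has been exposed, keyed by project, as of a date."""
    return {
        row["project"]: (as_of - row["introduced"]).days
        for row in rows
        if row["resolved"] is None
    }


if __name__ == "__main__":
    issues = load_issues(SAMPLE_CSV)
    log4shell = filter_issues(issues, cve="CVE-2021-44228")
    print("Log4Shell projects:", affected_projects(log4shell))
    print("MTTR (days):", mean_time_to_resolve_days(log4shell))
    print("Still exposed:", exposure_days(log4shell, datetime(2022, 1, 9)))
```

Open issues are deliberately excluded from the mean time to resolution and reported separately as an exposure window; folding them into the average with today's date would make the metric look better every time an old issue is finally closed, which is the opposite of what a board-level trend chart should show.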
Snyk’s commitment to improved data services
Access to security data, and the ability to analyze and report on that data, are key to gaining the visibility necessary for an effective security program built on confidence and trust between development and security teams.
As important as these latest improvements are for providing our customers this type of visibility, they are by no means the last step in the evolution of Snyk’s reporting capabilities and data service as a whole. We intend to gradually roll out additional enhancements, including new ways to slice and dice data as well as new types of built-in reports to support custom use cases. Stay tuned!
The capabilities outlined above are available in open beta for any Snyk customer who has either the Snyk Business or Snyk Enterprise plan. To start using these capabilities, simply enable them on the Snyk Preview page in the Snyk UI (click Settings, then Snyk Preview).
The open beta follows a closed beta and a period of thorough testing, but if you encounter any issues, we’d love to get your feedback.