Snyk in 30: Open source security for Atlassian Bitbucket Cloud

In our latest Snyk in 30, Jason Lane (Director of Product Marketing) and I (Marco Morales, Partner Solutions Architect) showcased Snyk Open Source with a focus on our integration with Bitbucket Cloud.

They covered why open source security is vital for modern app development, along with tips on taking a holistic approach to application security that goes beyond just shifting left. The session ended with a demo of Snyk App for Bitbucket Cloud, showcasing how we enable developers to access high vulnerability counts and rich, contextual information within a native Bitbucket workflow. Today, we’ll give you the highlights of this webinar. And if you want to learn more, we’ll leave it up to you to watch the whole talk.

Why open source security matters

Back in the day, applications were built from scratch — made up almost exclusively of in-house proprietary code. But today, developers leverage existing open source libraries to improve and produce software at an unprecedented pace.

Open source also brings new risks that didn’t exist when companies primarily used proprietary source code. Open source risk is top-of-mind for more and more organizations with each passing year, thanks to zero-day open source vulnerabilities like Log4Shell. This is why Snyk exists — to empower development teams to find and fix security vulnerabilities and license issues in open source dependencies.

Where open source fits into a modern SDLC

Even though open source security is essential, developers usually don’t prioritize security as they create software. Other priorities, such as speed and functionality, often take precedence over security. And it stands to reason — historically, security has been seen as a “blocker,” preventing timely releases and forcing development teams to backtrack. Approaches like DevSecOps aim to put the power back into the developers’ hands. But, they often fall short by overloading developers with too many tools, reports, and alerts, ultimately failing to recommend clear remediation steps.

Instead, all security tools — including open source security — must fit seamlessly into existing development processes. All of Snyk’s tools integrate with popular development pipelines such as Atlassian Bitbucket and Github. We also provide actionable guidance and education within developers’ natural workflows. Snyk aims to minimize context switching so developers can implement quick remediation steps and get right back to coding.

Open source security also needs to fit into a holistic approach to application security. Today’s apps use a host of components like infrastructure as code (IaC), containers, and cloud services. And for developers, all of these elements culminate into a single space: their CI/CD pipeline. Snyk keeps this in mind with a comprehensive security platform — from code to cloud and back to code. As part of this platform, Snyk isn’t just a standalone tool. It taps into the context of the entire application — its cloud infrastructure, source code, and containers — to provide the most comprehensive information on every open source component.

Snyk Open Source for Atlassian Bitbucket

Because Atlassian Bitbucket is so widely used, it was a given to include it in our integrations. At our Snyk in 30 democast, we overviewed this new Snyk-Bitbucket integration in action. Here are a few highlights from their demo:

Access vulnerability data and remediation advice

Snyk enables teams to see details on every vulnerability, all within their Bitbucket environment. Users can pull up an overview and the recommended next steps for each found vulnerability by simply clicking on a tab within their workspace. All of these details are displayed within a Bitbucket-Snyk presentation layer, including:

• Information about the vulnerability, explaining which version of the open source component contains the vuln and why it’s a risk to the given application

• A Priority Score, calculated from factors like CVSS, exploitability, social trends, reachability, and fixability

• Remediation guidance, such as recommending which version of the component is most trustworthy and providing simple steps for reverting to this version

Because these details are accessible within the Bitbucket platform, anyone with access to the repository can also access these security insights.

Prioritize fixes during development

Thanks to these vulnerability details, development teams can easily triage and mitigate open source risk right from their Bitbucket pipeline. Teams can also see timely alerts on each vulnerability’s overview page, providing extensive background and references about each one. With this information, developers can quickly identify which vulnerabilities are critical to their environments and prioritize fixes.

Take next steps with Bitbucket and Jira

This new Snyk-Bitbucket integration also makes it easy for teams to perform open source risk remediation with the click of a button. Users have the option to simply make a Bitbucket pull request. Then, they can select which vulnerabilities they want to remediate from a complete list of found vulnerabilities. This triggers Snyk to automatically revert each open source component in question to a secure version. The vulnerability details from the presentation layer also get transcribed into this pull request.

For organizations with a triaged security team, there is an alternate option to submit an auto-populated Jira ticket. This automation makes it easy to pass vulnerability details to the right team members, within seconds.

Learn more about our integration with Bitbucket

We’re here to help you integrate security into your development teams’ native environments, creating a holistic, developer-first experience that doesn’t detract from their existing CI/CD pipelines. Our developer security platform integrates into a whole host of common development tools, from CI/CD to cloud services and much more.

If you’re not a Bitbucket user but your organization uses Github, Jenkins, or other CI/CD pipeline tools, browse our other integration options.