Welcoming Fugue as we build the future of developer-first cloud security

Today, I am excited to announce Snyk’s acquisition of Fugue and welcome their team to the Snyk family. The addition of Fugue to Snyk’s platform will allow us to continue our mission to help developers find and fix security issues in the applications they create, by providing visibility into the security of applications and the cloud services they use. But it’s about more than just visibility of the cloud posture. This new insight into the deployed state of applications in the cloud will allow us to provide even greater context into vulnerabilities and configuration issues. We will be able to prioritize vulnerabilities using the visibility and context of the production state, and ensure applications and their configuration don’t drift from their intended state.

From code to cloud to code

Snyk has helped millions of developers secure their code, containers, and configuration from the start of the lifecycle, before deployment. In modern DevOps shops, the role of the developer in securing the application doesn’t stop once the app is deployed. Instead, developers are responsible for the continuing security and performance of their code when it’s running, too. This extends to managing the cloud infrastructure their apps use, which is ideally managed as infrastructure as code (IaC). Having a cloud security solution that starts with code, provides visibility into the cloud, and then uses that visibility to provide feedback into the code again, empowers developers to take security ownership.

There are many cloud security posture management (CSPM) tools that provide information about the state of infrastructure, but those tools have been built for security and operations teams. Most lack any connection back to IaC, and also lack any details on the apps running on the infrastructure. But the infrastructure is set up in service of the apps, so fixing issues in the infrastructure should be done in a way that doesn’t break those apps — and that doesn’t cause a drift from the “source of truth” infrastructure definitions in IaC. Together, Snyk and Fugue will solve these issues.

Many people think about the cloud as a data center, but in practice, the cloud is software, and increasingly driven by code. Fugue has built their platform with that philosophy, thinking about the cloud deployment as code and optimizing for securing automated infrastructure. Fugue connects the cloud posture back to the configuration code, using a single set of policies to manage security and compliance throughout the lifecycle. This feedback loop: securing code before deploying, maintaining security while running, and providing fixes back in the code that developers have to maintain, is a common vision that Snyk and Fugue share. By joining together, we can deliver on these plans much faster.

Why Fugue?

As we began our talks with the Fugue team, it quickly became apparent that we were aligned on the fundamental principles that infrastructure should be defined in code and managed and secured by developers. We also agreed that there’s an important component of visibility and feedback missing in today’s CSPM tools. All the way back in 2018, the Fugue team wrote:

While most [enterprises] are using some kind of cloud monitoring tool, there’s an over-reliance on manual processes for identifying and remediating critical misconfiguration events… Infrastructure and development teams need to move fast, and security and compliance teams need to help them move fast.

Snyk and Fugue shared the belief and the vision that we can empower developers to find, prioritize, and fix issues in their applications, including the configuration and infrastructure those applications rely on.

We also share a belief in using open, cloud-native technologies like OPA and its policy language, called Rego. In fact, the policies used with Fugue today can quickly be added to work with Snyk. But in a broader sense, what this means for users of Snyk and Fugue is that they don’t need to learn a special purpose policy engine or language that only works with our products. OPA is used extensively with Kubernetes and an increasingly large number of cloud-native technologies. Ultimately, that makes developers and security teams more productive, and that’s good for everyone.

Our vision for developer-first cloud security

Our first step to help developers secure their applications in the cloud will be to create a unified policy engine that powers both our IaC and cloud security solutions. We will provide the best policy-as-code engine that enables developers and cloud security teams to work together, correct misconfigurations in code and in the cloud, and manage drift between the two.

In addition to avoiding misconfigurations, this will provide developers with visibility into how their applications are running, and enable us to provide advanced exploitability analysis. This is critical, because only scanning cloud definitions in code misses important contextual details that become apparent when you have the full picture of a live environment. On the flip side, only knowing about the live cloud environment, as with traditional CSPM tools, misses the code-level details: the vulnerabilities present in the application and its dependencies, which are exacerbated by being exposed to the world. Solving both of these problems requires a feedback loop that encompasses the application code, containers, and configuration, adds the visibility of the current running state application, and feeds that back into the code and tools developers use to fix issues.

What will this mean for current Fugue users and customers?

If you’re currently a Fugue customer, we will continue to support you on Fugue for the immediate future. We’ll be working to bring the functionality of Fugue into the Snyk platform, and as we do that we look forward to sharing our roadmap and plans with you.

What will this mean for current Snyk IaC users and customers?

For Snyk IaC customers, the existing Snyk IaC product will continue to develop and strengthen its existing feature set — both through merging with Fugue’s IaC product and accelerating our already planned roadmap. The configuration and cloud policies of Fugue and Snyk IaC will be merged, so there are some new rules that will be available soon, and we’ll continue to develop Snyk IaC. We’ve been working on the drift detection features from our CloudSkiff acquisition and, as promised at that time, those features will be part of Snyk IaC. And there are more exciting features on the roadmap for IaC this year. The cloud context provided by Fugue will enable us to vastly improve our developer experience by leveraging cloud insights during local development and prioritizing security issues.