October 22, 2020
Day One of SnykCon 2020 is in the books. In this post, we’re bringing you a recap of all the news fit to print, plus a peek into some of the eye-opening sessions we heard today. Have a read and join us for Day Two tomorrow.
Snyk Code, developer-first SAST, extends Snyk Platform
Today, we launched Snyk Code, a developer-first static application security testing (SAST) solution. This addition extends our cloud-native application security platform by providing developers with security visibility and remediation for all critical components of the modern application. Now, from application code to open source libraries, to container infrastructure, and infrastructure as code (IaC), it’s possible to gain full visibility and remediation in one platform.
Why introduce Snyk Code? Many of the SAST tools already on the market are, quite frankly, not developer-friendly. They slow down the process of releasing code. They are often riddled with false positives and require deep security expertise to gain value. By contrast, Snyk Code offers developers automated, real-time visibility into problems and vulnerabilities with applications.
This holistic approach makes life easier for development teams while enabling a stronger security posture for the whole organization.
To learn more about Snyk Code and how it enhances the broader Snyk Platform, read the full blog post here.
Snyk achieves CarbonNeutral® status
We are proud to announce that we have achieved CarbonNeutral® status through The CarbonNeutral Protocol, the leading international guideline for sustainability. Using a combination of organizational efficiency activities, external emissions reduction projects, and renewable energy investment, we will work to offset our carbon footprint of 2,400 metric tons. This goal will be brought to life through thoughtful and intentional action by employees and the leadership team both at work and at home, in line with Snyk’s culture.
To read more about our commitment to carbon neutrality, read the press release here.
Feature updates & other product news
Snyk CLI enhancements for container testing and automation
We have offered container security features for more than a year now, and we have continually added new features, like our Kubernetes integration. We are also continually refining our core solution set to slot into development processes without friction.
The Snyk CLI now supports new testing capabilities, including:
testing images directly from any registry
running Snyk tests within the context of your Docker build
scanning additional container types
printing your dependency tree
outputting in JSON to do custom filtering
and much more
Learn more about how to use these new enhancements to Snyk Container in the Snyk Docs here.
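One way to put the JSON output mentioned above to work for custom filtering is a small build gate that fails only on findings at or above a chosen severity, so low-severity noise does not block the pipeline. The script below is an added example, not Snyk's own code: it assumes the report written by `snyk container test <image> --json` has a top-level "vulnerabilities" list whose items carry "id", "severity", "packageName", "version" and "title" (treat that shape as an assumption and check it against the CLI's actual output), and the SAMPLE_REPORT it ships with is constructed here for illustration.

```python
"""Severity gate over a Snyk CLI JSON report (added example, not Snyk's code).

Assumed report shape: {"vulnerabilities": [{"id", "severity",
"packageName", "version", "title"}, ...]}. The same issue id can appear
more than once in a report (reached through different dependency paths),
so results are de-duplicated by id while preserving first-seen order.
"""
import json
import sys
from typing import Dict, List

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed sample report; the ids and package names are placeholders.
SAMPLE_REPORT = json.dumps({
    "ok": False,
    "vulnerabilities": [
        {"id": "SNYK-EXAMPLE-0001", "severity": "low",
         "packageName": "libfoo", "version": "1.0", "title": "Low issue"},
        {"id": "SNYK-EXAMPLE-0002", "severity": "high",
         "packageName": "libbar", "version": "2.3", "title": "High issue"},
        {"id": "SNYK-EXAMPLE-0002", "severity": "high",
         "packageName": "libbar", "version": "2.3", "title": "High issue"},
        {"id": "SNYK-EXAMPLE-0003", "severity": "medium",
         "packageName": "libbaz", "version": "0.9", "title": "Medium issue"},
    ],
})


def filter_by_severity(report: Dict, threshold: str) -> List[Dict]:
    """Return unique findings whose severity is at or above `threshold`."""
    min_rank = SEVERITY_RANK[threshold.lower()]
    seen = set()
    hits = []
    for vuln in report.get("vulnerabilities", []):
        sev = str(vuln.get("severity", "")).lower()
        # Unknown severities rank below "low" and are never reported.
        if SEVERITY_RANK.get(sev, -1) < min_rank:
            continue
        vid = vuln.get("id")
        if vid in seen:
            continue
        seen.add(vid)
        hits.append(vuln)
    return hits


def ids_at_or_above(report_json: str, threshold: str) -> List[str]:
    """Convenience wrapper: ids of the findings the gate would report."""
    return [v["id"] for v in filter_by_severity(json.loads(report_json), threshold)]


def gate(report_json: str, threshold: str = "high") -> int:
    """Exit status for the pipeline: 1 if any finding meets the threshold."""
    hits = filter_by_severity(json.loads(report_json), threshold)
    for v in hits:
        print(f"{v['severity'].upper():8} {v['id']}  "
              f"{v['packageName']}@{v['version']}  {v['title']}")
    return 1 if hits else 0


if __name__ == "__main__":
    # Usage: snyk container test IMAGE --json | python gate.py [threshold]
    # With no piped input the constructed sample report is used.
    data = SAMPLE_REPORT if sys.stdin.isatty() else sys.stdin.read()
    level = sys.argv[1] if len(sys.argv) > 1 else "high"
    sys.exit(gate(data, level))
```

Piping the CLI's JSON into this script and using its exit status as the pipeline step result keeps the full report available for auditing while only the severities the team has agreed on can fail a build.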
Snyk’s Dockerfile SCM integration
We announced one other enhancement to Snyk Container today, allowing detection of Dockerfiles directly from git repos. This empowers teams to shift left on security and development workflows through an easy and early scan of Dockerfiles (before the image is even built). With this new feature, it’s easier to choose the best base image and identify any vulnerabilities as early as possible.
As container adoption continues to climb, it’s never been more important to ensure that container security best practices are easy to follow. This avoids unpleasant surprises down the road due to an old or insecure base image that could be difficult to fix or even break applications.
Want to try it for yourself?
SnykCon Day One: session highlights
As you can probably tell, it’s been an action-packed Day One at SnykCon today. Below are some highlights from just a few of the panels, keynotes, and other sessions bringing development and security experts into alignment by sharing and iterating on modern development best practices.
Eradicating security theater
We kicked off Day One with a thought-provoking talk from Kelly Shortridge, VP of Product at Capsule8, on eradicating security theater. Developers and DevOps teams want to deliver secure software, but they know they are being measured based on delivery—not security. This sets up a dramatic conflict between development and security. Infosec is often seen as the “department of no,” as Kelly points out. And this dynamic doesn’t necessarily result in more secure software—so it’s not just unpleasant, but ineffective.
Some AppSec tools take so long for code checking that they interrupt build pipelines with low-severity vulnerabilities that cause far too much noise. Shifting left, while a valuable concept, on its own, will not solve these problems. It just moves them earlier in the cycle. DevSecOps done wrong can also lead to more security theater without improved results. The ‘us vs. them’ mentality needs to change, and that’s more a culture change than a technology change, Kelly posits.
Security needs to be adaptive, allowing teams to test and fix quickly and easily. To that end, Kelly provided several recommendations for how to move forward, including:
Implement security chaos engineering to make incident recovery efficient.
Recognize that failure is a natural part of systems and plan for it.
Make security collaborative and open; position security as an advisor and source of knowledge rather than a silo.
Reward system-level improvement rather than rigidity.
Security culture: why you need one & how to create it
Culture eats strategy for breakfast.
Masha Sedova, Co-Founder of Elevate Security, has spent her career studying the intersection of security and behavioral science. Her big question is, “How do we get people to want to do security?” Masha’s session expanded on many of the ideas Kelly Shortridge introduced in the Security Theater session.
As Masha points out, customer trust is vital. Without it, it’s impossible to thrive as a business. Trust is built on security. If a customer can’t trust a business, they are unlikely to buy from them or return to buy again. So, trust is the fundamental “why” behind security. To establish and maintain that all-important trust, the most resilient companies have positive security cultures thriving in their organizations.
Security culture includes not just observable behaviors but also beliefs, values, assumptions, and experiences. It helps when every employee believes security is part of their job. The organizations that have the most positive security cultures often have leadership who have already gone through breaches, and these experiences shape their assumptions and beliefs by making it more real. Thankfully, you don’t have to experience a breach to implement a positive security culture, but you do need to approach culture shifts with intention.
To hear more of Masha’s insights on security culture, watch the whole video below:
Beyond the DevOps Handbook panel
This panel was led by Sasha Rosenbaum, Senior Product Manager at GitHub, with participation from:
Gene Kim (founder and author of IT Revolution)
John Willis (Senior Director, Global Transformation Office, Red Hat), and
Patrick Debois (Director of Market Strategy at Snyk)
It's been five years since The DevOps Handbook came out, and a lot has changed. While there were some hints of DevSecOps in the original Handbook, the practice has come a long way since then. In this panel, the participants discussed how DevOps has evolved and why DevSecOps is a natural consequence of that evolution.
All of the panelists agreed that the adoption of DevOps has been massive and widespread—to the point of surprising the experts—and that DevSecOps has followed close on its heels. DevOps conferences have gone from small to huge, and the practices have become commonplace.
Some interesting takeaways:
It’s not just really big companies doing DevOps—or DevSecOps—anymore.
Even industries that are not typically at the forefront of change and technology adoption, like banking, have embraced DevOps and practices like chaos engineering.
Tools have come a long way since The DevOps Handbook launched, making it easier than ever to actually do DevSecOps in the real world.
To check out the whole panel, catch the replay below:
Join us tomorrow
Thanks for reading! We hope you’ll join us for Day Two of SnykCon tomorrow, with more from-the-floor announcements and dynamic talks on everything from quantifying DevSecOps to democratizing security.