October 22, 20200 mins read
The second and final day of SnykCon 2020 is in the books, and we hope you enjoyed it as much as we did. This post will share some of the product announcements—including a few big partnerships and integrations—plus takeaways from a few of the provocative, in-depth sessions we hosted. We also share session videos in case you missed any or would like to share them with colleagues. Let’s dive in!
Snyk selected as the exclusive security partner for Docker official and certified images
We are proud to announce the next phase of our ongoing partnership with Docker. Snyk is now the exclusive provider of security insights for Docker Official images and other future content certification programs. As you likely know, Docker Official images are a popular set of curated images that help foster development standards around clarity, transparency, and consistency. Adding Snyk security insight to the Official images allows Docker to make vulnerability risk assessment a standard aspect of selecting Official and Certified images.
During the first day of SnykCon today, our CEO Peter McKay joined Docker CEO Scott Johnston to talk about the partnership. Johnston explained that Snyk security insights serve as an essential checkpoint to help developers verify that images are well-maintained and secure.
Our security scans will be applied to every new Official and Certified image uploaded to Docker Hub.
Snyk’s Datadog Continuous Profiler integration
Snyk now offers integration with Datadog’s Continuous Profiler, which provides insights into the performance of real-world production code. The combination of DataDog’s visibility into product traffic with the Snyk Intel vulnerability database empowers developers to make more accurate and data-driven security decisions.
Datadog’s user interface will now allow Profiler customers to see a rundown of all Snyk-identified vulnerabilities in an application, then quickly pinpoint the best path to remediation based on how often the methods are invoked. Learn more in the press release here.
Datadog was also a gold sponsor of SnykCon and presented a session called, “Do You Accept Risk? Dynamic Risk Metrics in Your Environment.” We highly recommend checking out the replay below:
IBM Cloud integrates Snyk vulnerability intelligence
When we said integrations galore, we meant it! The Snyk Intel vulnerability database will be integrated into IBM Cloud security capabilities, enhancing security for the enterprise. This partnership enables developers to automatically find, prioritize, and remediate vulnerabilities across open source dependencies and containers.
With businesses doubling down on digital transformation this year, it’s never been more important to simplify the application of DevOps methodologies. This partnership will allow organizations that make use of cloud native development to more securely build, deploy, and manage applications.
To learn more about the partnership, read the press release here.
New feature: Backlog Management
During today’s “Fixing the Cost of Fixing” session with Dan Mckean, a product manager here at Snyk, we announced our new Backlog Management tool. This enhancement to Snyk’s automated vulnerability remediation lets development and security teams reduce their vulnerability backlog at their own pace—which goes a long way toward improving security cultures and eradicating security theater.
Analytics show the average project has 20+ vulnerabilities when first scanned by Snyk. That can quickly become overwhelming to fix. That’s why, earlier this year, we announced developer-first vulnerability prioritization.
Backlog Management takes this to the next level by opening targeted fix pull requests for vulnerabilities in the backlog, organized by priority. This supplements current functionality that prevents the introduction of new vulnerabilities and fixes any that have been recently disclosed.
To learn more about how it works, head over to our blog post.
Fireside chat with Atlassian’s CISO
Snyk Co-founder and President Guy Podjarny sat down with Adrian Ludwig, CISO of Atlassian for a 1:1 discussion about what Adrian is seeing in the modern security market, how his team is structured to keep up with the pace of DevOps today, and how he conceptualizes Atlassian’s role in helping developers embrace security.
Adrian pointed out that the industry struggled for a long time to build more resilient systems. He experienced these challenges first-hand when working on Adobe’s Flash and on Google’s Android, in the days before DevOps and SecDevOps had come to fruition.
Adrian highlighted that most people don’t see security as their primary job. So a big part of evolving mindsets and improving outcomes has come down to asking, “How do we bake security into products?” In other words, you want security tools to “slip into the background,” Adrian says. The more security is “free” and “strong,” the better outcomes will be because everyone can use it. This is very much in line with how we think about security—the less friction there is, the more secure the end result will be.
Guy and Adrian also talked about how to build a security organization. Atlassian is somewhat unique because 90% of their security focus rests on products—i.e., making sure data in the cloud is protected. This is handled by the product security team, which is about two-thirds of their overall security team. They focus on using automation and tools to flag instances where human processes break down, and on monitoring applications and enabling rapid response. They also embed people on development and product teams to ensure that there is a direct line to security. The common theme is that it’s “bottom-up.” You have to build a culture where people are both incentivized and empowered to do security well (a theme the other presenters below expanded upon).
To watch the whole fireside chat, check out the replay here:
Democratizing security with Wendy Nather of Duo Security
Wendy Nather is the Head of Advisory CISOs at Duo Security (now part of Cisco). Wendy opened her session by reminding us technologists used to be the “masters of the universe.” They bought everything and managed everything, from hardware to software. Not true anymore: Devices are often BYOD; users love Shadow IT; software lives in the cloud and all around us. The lines between “work” and “life” are blurrier than ever, at least on the tech front. This can lead to power struggles between workers and employers. It also makes security pretty complicated, and our model has not evolved fast enough, according to Wendy.
The first step to evolution? Democratize security. In other words, aim to move from control to collaboration. After all, when you can’t control people’s behaviors, you need to empower users to do security (sensing a theme?)
In any business decision, opportunity and risk must be reconciled—and that goes double for security risks. Wendy points out that often it’s people on the business side who best understand the opportunity and whether it outweighs the risk. So instead of security teams constantly saying “no,” a collaborative model empowers users to make good decisions based on clear frameworks.
As Wendy puts it, “Do what you want with your own device on your own time, but if you want to interact with business resources, here are the steps to follow.” It’s better for security teams to give away control gracefully and voluntarily than to have it wrested from their hands by users. She offers several examples of how to do this in the real world.
To hear her examples and in-depth advice, check out the full talk below:
The impact of DevSecOps quantified, with Larry Maccherone of Comcast
Larry Maccherone is the DevSecOps transformation lead at Comcast. Larry launched a program to bring DevSecOps to Comcast and (this is the really cool part) actually measured the results. Along the way, he built an innovative framework for helping developers buy into the transformation, ramp up slowly, and learn the skills needed to do DevSecOps well and make it part of the culture.
It all starts with trust — trusting that engineering teams want to do the right thing and are closer to the business context, so they can make good trade-off decisions between security and other risks (similar to how Wendy Nather describes in her talk) given the right data.
Larry quantifies the impact that various DevSecOps software security practices have on risk outcomes. His framework means he can say exactly which application security practices lower risk the most. He’s also able to quantify the impact each practice has on outcomes. This enables him to focus the entire organization on high-impact DevSecOps changes, rather than diffusing efforts across dozens of practices.
As you might imagine, this totally changes the dynamic between development teams and security. His methods are backed by research and data that show just how important certain activities are compared to other areas they could invest in.
If your organization is in the midst of adopting DevSecOps or could use some help focusing continuous improvement efforts, give the talk a listen below:
SnykCGene Kim & Guy Podjarny in Conversation
In addition to Gene Kim’s panel talk yesterday, he joined our Co-Founder and President Guy Podjarny—and several SnykCon attendees—for a “coffee and conversation” session on Day Two. They discussed frameworks and metaphors that help us conceptualize the changes wrought by DevOps and DevSecOps.
Guy started out by asking Gene whether DevOps is helping or hurting security. Guy shared how he has witnessed the relationship between developers and security shift over time, from security trying to protect customers from developers (yikes) to developers integrating security into their workflows and assuming ownership (much better).
“DevOps is great for security because it’s no longer just security’s job. It’s everyone’s job,” Gene said. Guy expanded on this point by positing that, good or bad, DevOps is a reality for security.
Thanks for checking out SnykCon & helping us make an impact
If you caught the fireside chat with Atlassian’s CISO, you may have also had a chance to hear from Dipti Salopek, Snyk’s VP of People. Dipti emphasized something we are really proud of: Through SnykCon and other efforts, we have been able to raise more than half a million dollars for causes that our team cares about. This includes COVID relief, Good Today, and the NAACP and BLM movement.
Snyk has been fortunate to live in an industry that has not been as hard-hit as many others during the global pandemic, and we see this privilege as our responsibility. Part of that responsibility includes giving back to those who haven’t had the same good fortune. Thank you to everyone who has donated and aided in these efforts; we’re proud to call you partners, friends and colleagues.
Oh, and if you missed a session or want to rewatch anything, catch all of the conference presentations here: YouTube.
Well, that’s it for SnykCon 2020! We hope you got a chance to stretch your brain, meet some new folks, and enjoy a bit of camaraderie. We’ll see you out there. Stay secure.