June 7, 2023
As we approach the second half of 2023, both security and development teams are seeing seismic shifts in the application security world. AI is powering a productivity revolution in development, enabling developers of all types (and even non-developers) to introduce code faster than ever. Meanwhile, it’s more difficult than ever for developers and AppSec professionals to identify and prioritize true risk to the business. As security testing has shifted left to developers, getting full visibility of the software supply chain can feel like an uphill battle for AppSec teams. They’re attempting to discover and ensure they have visibility of every app, and security tool coverage (or lack thereof), and then chasing lists of vulnerabilities from each security tool and struggling to correlate findings to determine where to focus their limited resources.
As the role of AppSec moves to one of setting up and governing a program where developers are the ones responsible for finding and fixing security issues, AppSec teams need a toolkit that enables them to scale visibility and control to better manage the security process.
That’s why today we’re excited to announce our intent to acquire Enso, the pioneers of application security posture management (ASPM). Snyk will combine Enso’s ASPM capabilities with the risk-based prioritization of Insights (also announced today) and the developer-loved, security-trusted tools in Snyk’s platform. Together, these let security teams scale their AppSec program to every app and every developer across the SDLC, while developers can focus on the issues that matter most.
Enso + Snyk: Better together
What are all of the software assets across the SDLC that need protecting in my company?
Which of those assets are being tested by a security tool?
How can I easily configure and roll out security tools where I have gaps?
What assets are business-critical and need to be prioritized?
With Enso’s orchestration capabilities, automatic asset and controls discovery, and business impact classification, application security teams will be able to quickly see which assets exist in their company and which Snyk or third-party tools are being used to test them. Where there are coverage gaps, Snyk’s platform will make it easy to configure and roll out our security tools at scale across the organization. Snyk’s security depth and the application-aware, risk-based prioritization of Insights, combined with Enso’s asset discovery and controls coverage functionality, will let application security teams and developers focus their attention on the issues that matter most. For the first time, application security teams will also have automated policies and guardrails, freeing them to spend more time collaborating with developers to develop fast and stay secure.
By eliminating the need to manually seek out repos, artifacts, and other assets, and then roll out security tools to fill the gaps, security teams can focus on collaborating with developers and platform teams on secure development policies and guardrails instead of playing catch-up. Snyk will automate and scale the program to cover every app and ensure development is safe from the start, offering the first and only developer security platform that combines the application security tools developers love with the holistic application security posture view that AppSec teams need.
Insights for a better understanding of app risk
During SnykLaunch today we also announced Insights. This new and unique addition to Snyk’s developer security platform focuses on prioritization: aggregating broad context about the application so security and development teams can better understand how to prioritize and fix security issues.
Insights (releasing in open beta next month) directly responds to a key pain point facing most development and AppSec teams today: the challenge of prioritizing the huge number of issues in their backlogs without a real understanding of the risk they pose to the business.
Many of today’s teams still use a siloed approach to triaging and prioritizing their fix efforts, using SAST tools to prioritize code issues, SCA tools to prioritize open source issues, and so forth. They also lean heavily on an issue's technical and theoretical severity without digging deeper into other contextual information. Prioritizing this way becomes a challenge because issues don’t exist in a silo in the real world; they exist within the highly complex and dynamic context of the modern application.
Insights addresses these challenges by pulling data from across Snyk, and beyond, to construct a 360° view of the application, depicting issues, along with application components and the context of how the application is deployed and used in production, in a visual graph. This provides security teams with a broad view of their application, so they can better assess the risk an issue poses and provide developers with a better understanding of its potential impact and path to resolution.
Combining this understanding of the application with Enso’s asset discovery capabilities will strengthen risk-based prioritization, helping developers and security teams home in on the top risks to the business.
For more information about Insights and how it helps drive more effective, risk-based prioritization, read the announcement blog.
What’s next for Snyk?
This year, our biggest goal is to enable end-to-end application security posture management (ASPM). These additions to our platform, as well as upcoming features throughout the rest of the year, will empower you to better:
Manage security posture by defining, managing, and tracking governance standards.
Explore your application as a whole by modeling the application from source code to cloud.
Manage risk & remediation with tools for reducing noise and prioritizing the riskiest issues first.
Tailor the developer experience to meet your security needs.
To learn more about our new features, check out the whole SnykLaunch presentation from June 7, 2023.