January 16, 2024
As applications and their software supply chains grow more complex, an AppSec program has to stay agile enough to keep pace while still giving a clear, enterprise-wide view of risk. Doing both requires a deep understanding of applications: depth that covers every line of code and every package, from development all the way to their live, running state. That level of understanding gives one unified view of risk, streamlines prioritization and remediation, and tightens collaboration between developers, security, and operations teams as they build secure applications.
That’s why we’re excited to announce that Helios — pioneers in runtime data collection and insights — is joining Snyk! Helios' runtime application security capabilities will soon be integrated into Snyk AppRisk, our ASPM solution, to provide unparalleled cloud-to-code visibility into application risk, empowering security teams to more effectively manage and scale their AppSec programs and further enabling developers to focus on addressing the most critical issues.
Runtime: Where risk becomes real
Conventional security testing approaches, such as SCA and SAST, concentrate on statically analyzing the application in the early stages of the software development lifecycle. While this context during development and build time is crucial for identifying and addressing vulnerabilities before they reach production, its emphasis on source code analysis provides only a partial view of the overall risk.
Enter runtime context — a game-changer for AppSec.
At runtime, the application comes to life, functioning in its actual operational environment. While source code in development and build time offers a blueprint of the application, it serves as a theoretical representation. During runtime, the application may deviate from this plan due to factors beyond the blueprint's scope. For instance, external configurations in the deployment environment could influence the application’s behavior. Moreover, the blueprint lacks awareness of how different components are practically utilized; there could be unused code lingering in the repository or image.
Not surprisingly, AppSec teams increasingly treat runtime data as the definitive source for assessing application risk, because it offers a real-world view of the application beyond the confines of its initial blueprint. Armed with this data, these teams can more effectively identify and prioritize the vulnerabilities that genuinely pose a threat, significantly improving the signal-to-noise ratio of security alerts.
Helios + Snyk: Better together
Snyk was founded with the mission of empowering developers and security teams to collaborate on building secure software. To this end, Snyk enables development teams to integrate security into their existing workflows to find and fix security issues as they work, and gives security teams broad visibility of application risk and clear prioritization. Recently, Snyk unveiled Snyk AppRisk, which offers application discovery, coverage management, and more effective, risk-based prioritization, together giving application security teams an AppSec workbench for managing and scaling an AppSec program. With the acquisition of Helios, Snyk will enrich its developer security platform with runtime intelligence to introduce an industry-first, comprehensive perspective of application risk spanning the entire software development lifecycle, from code to cloud.
Helios’ eBPF and OTel-based runtime data collection techniques, implemented at the platform, kernel, and application levels, will grant Snyk customers access to runtime data, offering insights into how applications are interacting with their environments and a real-time understanding of what is actively running during execution. When combined with Snyk’s development and build time context, Snyk AppRisk will provide a holistic view of application risk. These runtime data collection techniques will enable Snyk to build a framework for collecting and incorporating runtime data into Snyk AppRisk, and will strengthen collaborations with runtime-focused partners to enable mutual customers to benefit from enhanced runtime data and visibility.
With this holistic view of their applications, Snyk customers will be able to discover all the software assets involved in building and deploying applications, facilitating a deeper understanding of what needs securing and identifying coverage gaps. The integration of additional risk factors within Snyk's evidence graphs will enhance the understanding of application risk, helping customers pinpoint the issues posing the greatest threat and prioritize remediation efforts. Key questions, such as the deployment and loading status of a vulnerable package or the public-facing nature of a service, can be answered more effectively through this improved understanding.
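To make the prioritization logic described above concrete, here is an added example that is not Snyk or Helios code. It joins three assumed inputs: a repository scan that yields (package, version, CVSS) findings, an image SBOM per running service listing what was deployed, and a runtime feed (the kind an eBPF/OTel-style collector would produce) reporting which package versions were actually loaded into each process and whether the service listens on a public interface. The tier names, weights, package names, versions and scores are all constructed for illustration; `loaded_distributions()` is an in-process stand-in for the runtime "loaded" feed, not an agent.

```python
"""Rank SCA findings by runtime context (deployed, loaded, public-facing).

Added example for this post, not Snyk or Helios code. Assumed inputs: a
repository scan that yields (package, version, CVSS) findings; an image SBOM
per running service listing what was deployed; and a runtime collector
(eBPF/OTel-style) reporting which package versions were actually loaded into
each process and whether the service listens on a public interface. All
package names, versions and scores below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

PkgVer = Tuple[str, str]


@dataclass(frozen=True)
class Finding:
    repo: str
    package: str
    version: str
    cvss: float


@dataclass(frozen=True)
class ServiceRuntime:
    name: str
    repo: str                 # repository the service is built from
    deployed: Set[PkgVer]     # from the image SBOM (build-time context)
    loaded: Set[PkgVer]       # observed loaded into the process (runtime)
    public: bool              # listener bound to a public interface (runtime)


# Assumed weights: a finding's static score is scaled by the strongest runtime
# evidence seen for it across all services built from the same repository.
TIER_WEIGHT: Dict[str, int] = {
    "loaded+public": 4,   # code is executing and reachable from the internet
    "loaded": 3,          # code is executing, internal exposure only
    "deployed": 2,        # shipped in an image but never loaded
    "not deployed": 1,    # lingers in the repository only
}


def runtime_tier(finding: Finding, services: List[ServiceRuntime]) -> str:
    """Return the highest-evidence tier for a finding across running services."""
    key = (finding.package, finding.version)
    best = "not deployed"
    for svc in services:
        if svc.repo != finding.repo:
            continue
        if key in svc.loaded:
            tier = "loaded+public" if svc.public else "loaded"
        elif key in svc.deployed:
            tier = "deployed"
        else:
            continue
        if TIER_WEIGHT[tier] > TIER_WEIGHT[best]:
            best = tier
    return best


def prioritize(findings: List[Finding], services: List[ServiceRuntime]):
    """Return (finding, tier, score) rows, highest risk first."""
    rows = []
    for f in findings:
        tier = runtime_tier(f, services)
        rows.append((f, tier, round(f.cvss * TIER_WEIGHT[tier], 2)))
    rows.sort(key=lambda r: (-r[2], r[0].package))
    return rows


def loaded_distributions() -> Set[PkgVer]:
    """In-process stand-in for the 'loaded' feed: distributions with at least
    one module imported into this interpreter (needs Python 3.10+; returns an
    empty set on older versions). An eBPF/OTel agent observes the same thing
    from outside the process."""
    import sys
    from importlib import metadata
    mapper = getattr(metadata, "packages_distributions", None)
    if mapper is None:
        return set()
    top_to_dists = mapper()
    seen: Set[PkgVer] = set()
    for mod in list(sys.modules):
        for dist in top_to_dists.get(mod.split(".")[0], ()):
            try:
                seen.add((dist, metadata.version(dist)))
            except metadata.PackageNotFoundError:
                continue
    return seen


# Constructed sample data: one repository, two services built from it.
FINDINGS = [
    Finding("payments", "pkg-a", "1.0", 7.5),
    Finding("payments", "pkg-b", "2.1", 9.8),
    Finding("payments", "pkg-c", "0.9", 8.0),
    Finding("payments", "pkg-d", "3.0", 6.5),
]
SERVICES = [
    ServiceRuntime("payments-api", "payments", public=True,
                   deployed={("pkg-a", "1.0"), ("pkg-b", "2.1"), ("pkg-c", "0.9")},
                   loaded={("pkg-a", "1.0")}),
    ServiceRuntime("payments-worker", "payments", public=False,
                   deployed={("pkg-a", "1.0"), ("pkg-b", "2.1")},
                   loaded={("pkg-b", "2.1")}),
]

if __name__ == "__main__":
    for f, tier, score in prioritize(FINDINGS, SERVICES):
        print(f"{score:5.1f}  {tier:14s} {f.package} {f.version} (CVSS {f.cvss})")
```

Run as a script, the ranking puts the CVSS 7.5 finding in `pkg-a` above the CVSS 9.8 finding in `pkg-b`, because `pkg-a` is loaded into a public-facing process while `pkg-b` only executes in the internal worker; `pkg-c` ships in the image but is never loaded, and `pkg-d` exists only in the repository. That reordering is the practical effect of the runtime questions named above: whether a vulnerable package is deployed and loaded, and whether the service is public-facing.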
What’s next for Snyk?
As with previous acquisitions, the entire team at Helios will immediately join Snyk's R&D team to accelerate the evolution of Snyk AppRisk and Snyk's ASPM capabilities. Once merged into our platform, Helios' runtime data and insights will enable Snyk customers to:
Discover app assets throughout their software supply chain, from code to cloud
Ensure that all these assets are covered and secured by appropriate controls
Prioritize issues using holistic application context and based on actual risk to their business
We are incredibly excited for what the future holds, and look forward to sharing more on this front later in 2024! In the meantime, please join me in giving our newest Snykers a warm welcome.