Extending developer security with dev-first dynamic testing

Today, we announced the exciting news that Snyk has acquired Probely, a fast-growing modern provider of API Security Testing and Dynamic Application Security Testing (DAST). With this addition, Snyk now offers a full range of development and application security solutions, with customers immediately benefiting from a broader range of developer friendly testing techniques. 

The growing importance that all types and sizes of businesses are putting on web-facing applications has further solidified API testing and “modern DAST” as a foundational aspect of an application security program. This has been heightened by the “API economy” and the GenAI era, such that securing the APIs that are exposed as part of Large Language Models (LLMs) functionality will continue to drive growing demand for API and web app testing. 

A Natural Extension of Snyk’s Portfolio . . . Staying Dev-First

Since we are established leaders in application security, it may be no surprise that Snyk has decided to enter the API Security Testing and DAST markets. However, I’ll tell you that this step has long been discussed within Snyk and, many times, was determined to not be the right move for us. For a long time, dynamic app/API testing solutions often sat “further right,” whereas Snyk philosophically has always been focused on facilitating a “shift left” mindset and model. Our commitment to Developer Security drove this mindset, focused on moving controls earlier into the SDLC and, while doing so, ensuring a Developer-first approach that minimizes disruption to developers’ flow state. Through partnerships and integrations with DAST solution providers, we supported customers who rightly wanted to include this category of testing in their AppSec program, but we generally saw misalignment with our mission and DNA.

Well, a couple of things have changed that point of view. First, a new category of modern DAST solutions has emerged that, through CLI-driven integration with CI/CD pipelines, have managed to nudge the testing earlier in the development process. The second factor is our own point of view on how DAST relates to Developer Security. Historically, we didn’t think of DAST as part of this approach because it was predominantly viewed as a “shift right” tool, not aligned with the Developer-first requirement. However, in recent years, we’ve shifted more balance and weight of Developer Security towards the collaboration between Developers and Security teams, and through this lens, a dynamic security testing tool that can actually accommodate the developer-first requirements clearly fits with our mission.

Another major factor in not only entering these markets but also prioritizing Probely as an acquisition target is the aforementioned trend around APIs as a driver of new LLM-powered applications being created in the GenAI era.  As AI models become more sophisticated and as developers increasingly integrate them into applications, they increase the reliance upon APIs to access and process data. This interconnectedness creates new attack vectors for malicious actors, making it crucial to secure APIs against potential threats.  By adding API security testing to our portfolio, we can better help customers detect LLM-based threats, protect their models and data, and allow them to confidently build AI-powered applications.

These factors combine to now bring API and web application dynamic testing more fully into the Developer Security model to help the technique overcome some past adoption challenges, provided it is done with the right technology.

True Dev-First DAST

We first met the Probely team and dove into their technology when looking for our own API and application dynamic testing solution for our Product Security team. As part of our preparation for achieving our FedRAMP authorization, we looked to go beyond our internal use of Snyk which eliminated application security issues pre-deployment, to address the specific needs of auditors requiring dynamic testing. We had been looking at legacy DAST tools but decided to also assess Probely and were immediately impressed with the accuracy of the testing results, the ease of use of the tool, and the reduced noise from false positives our ProdSec team would have to deal with. 

We got to know the team through the process and in addition to these results, it was clear that the philosophies that have driven their innovation roadmap have resulted in a true Dev-first API/web dynamic testing provider. 

Recognizing there was much less value in a solution that achieves low adoption, the Probely team set out from day one to ensure their technology minimizes impact and distraction on developers. There are 3 foundational ways Probely achieves that . . . first, by delivering industry-best low false positive rates (around 0.1%) they ensure developers are asked to fix only issues that represent true application security risk. Secondly, Probely delivers a very simple implementation and user experience that reduces the cognitive load of learning new tools or transitioning to dynamic testing for developers. Finally, Probely follows an API-first development model followed by CLI feature enablement that supports automated DAST scanning in the CI/CD pipelines. They have also built a very robust API that streamlines integrations into various developer tools, including issue tracking solutions, to further tie into existing developer workflows.

As an element of our diligence process, we leveraged our trusted design partner, customers, and some of the largest financial institutions and retailers in the world. We spent time with joint Snyk/Probely customers, and through all these conversations regarding Probely and its capabilities, we knew we had struck a nerve with a required application security capability delivered with simplicity and enterprise maturity but also with the Dev-first sensibilities that we pride ourselves on.

Naturally, when you acquire a technology company, you bring in more than just the tech. And while the Probely technology thrilled us with its current and future potential value, we were equally enthused by the Probely team, and we’re delighted to add them to the Snyk family. It is worth noting that both of Probely’s founders were practitioners and users of security tools as developers, and this experience led them to create a Dev-first dynamic testing solution. They understand that application security is a “team sport” between developers and security and built their product with a focus on what they would have wanted to use in running security teams. 

Taking the next step into Application Risk Management

Another major consideration for assessing the DAST and API market opportunity has been its longer term fit to our mission and go-forward focus. Based on customer conversations, it is clear that, like SAST/SCA, the issues found in DAST ultimately fall back to developers to fix and security teams to manage through policies and increasingly a risk-based approach. Additionally, API security is landing squarely in the court of Application Security. Given these factors, it’s challenging to say we’re achieving our mission of “enabling organizations to develop fast and stay secure” without providing visibility and coverage in these areas of vastly growing importance. 

As you are probably aware, last year, we launched Snyk AppRisk as a foundation for driving application-specific and risk-based prioritization. We’ve seen a tremendous response to this new offering and its ability to deliver consolidated visibility into assets and security coverage across application estates. The discovery and coverage capabilities of Probely align perfectly with this progression since AppSec seeks visibility into application assets relevant to the DAST domain, including single-page apps, APIs, and web domains. AppSec wants to know which assets exist and assess and monitor the risk present in the production versions of these assets, just as they do during pre-deployment via SAST and SCA.

This acquisition also extended our portfolio to External Attack Surface Management (EASM). ​​We all know that fundamental to an AppSec program is having a clear understanding of what your attack surface looks like. But that’s easier said than done. With their introduction of Discovery earlier this year, Probely can help organizations find, manage, and prioritize their inventory of APIs and web apps to uncover their entire external attack surface. Discovery achieves that by running an automatic and non-intrusive discovery of services and applications running across a customer’s infrastructure.  

Given its breadth and focus on growing pain points, we see tremendous value-added potential for our customers as we work through a progressive integration of Probely’s technology into the Snyk Platform and its focus on delivering industry-best prioritization and enabling holistic application risk management. 

Snyk + Probely = Immediate Value & Continuing the Journey

Today represents Day 1 of integrating this new set of capabilities into our portfolio, and we are very excited to begin sharing with you our plans. We see great synergy today and even more over time, and look forward to sharing those plans and exploring how incorporating DAST into your journey with Snyk will bring immediate value and impact to your AppSec programs.

If you’d like to learn more about this exciting new step for Snyk, I encourage you to register for our upcoming webinar on December 9th, 11:30 am ET, where I will host and be joined by Nuno Loureiro, former CEO of Probely. We will dive in a bit on what customers are telling us about the growing importance of API security testing, what it means to build a DAST that is “modern” and also truly “Dev-first,” and discuss the alignment of the growing challenges of Web application/API security and the potential of risk-based prioritization.