SnykLaunch June ‘23: Insights and DeepCode AI enable faster fixes and prioritization
7 juin 2023
0 minutes de lectureAs we approach the second half of 2023, both security and development teams are seeing seismic shifts in the application security world. DevOps practices continue to evolve, meaning that developers are introducing code more and more rapidly, andwith the help of AI, developers of all kinds are able to create code faster than ever. Plus, apps aren’t just made up of first-party code and third-party dependencies anymore. Instead, a single app links back to a vast ecosystem of cloud environments, containers (and third-party base images), and automated container orchestration.
With these new levels of speed and complexity comes more noise from every corner of the development lifecycle. It’s making it more difficult than ever for developers and security professionals to identify and prioritize true risk to the business. Too many vulnerabilities are prioritized in silos — SAST issues in one silo, 3rd party dependencies in another silo, container issues in yet another silo, and so on.
At this month’s SnykLaunch, Manoj Nair, Chief Product Officer, and Pat Poels, SVP Engineering, covered how these changes make it more challenging than ever for developers and AppSec professionals to manage application security.
To respond to these evolving application security practices, Snyk is releasing new features that will make finding, prioritizing, and fixing issues faster and easier, enabling developers and security professionals to spend more time collaborating on creating secure apps from the start — and less time chasing down a mountain of issues. We announced five of these new features at SnykLaunch on June 7th, including:
DeepCode AI Fix, which delivers a fix for code issues to developers right in their IDE.
DeepCode AI Search, which harnesses the power of AI to allow security and development teams to search their code for semantic patterns instead of just matching language tokens, and save their search as custom rules that can be used by Snyk Code.
Insights, a new Snyk platform capability that enables AppSec teams to visualize the complete lifecycle of an app, from code to cloud, and prioritize issues based on risk factors that go beyond the individual silos of vulnerability reports.
New features for our developer-first SBOM management, including expanded export capabilities, as well as a new open source project for enriching SBOMs.
An expanded Snyk Learn, our free developer security education platform, featuring a new partnership with NYU Tandon School of Engineering, alignment with the NIST NICE Workforce Framework for cybersecurity education, and new features for tracking progress and earning certificates. .
Fixing code vulnerabilities with DeepCode AI
During the first part of SnykLaunch June ‘23, Noa Moshe, Product Manager, unveiled our proprietary AI engine — DeepCode AI. This technology is the foundation for DeepCode AI Fix, the next evolution of our Snyk Code and Open Source products. DeepCode AI delivers security fixes right to a developer’s IDE, allowing them to apply the suggested change with a single click. Now, code fixes that once took time to research, triage, and figure out how to fix only take seconds. It also saves developers the mental energy of implementing each change manually.
We ensure DeepCode AI’s fix suggestions are trustworthy, so developers can simply click and go. We trained its neural network on millions of lines of code, compiling large amounts of unstructured language information from open source projects across the web. Each proposed fix is targeted to each vulnerability, and validated to ensure it fixes the issue and does not introduce any new problems, all before it’s presented to the developer as suggestion.
DeepCode AI Search and Snyk Code Custom Rules
DeepCode AI is the basis of Snyk Code’s new custom rules feature as well. Frank Fischer, Technical Product Marketer, covered this new feature at SnykLaunch and demonstrated how DeepCode AI helps teams to rapidly search their code for problematic issues, using the power of DeepCode’s semantic engine instead of simply lexical token matching. Those searches can then be saved as customer rules and used everywhere Snyk Code works to find any code patterns AppSec teams desire.
For example, Frank showed a particular snippet of code where a SQL injection had been discovered. However, in this example the development team does in fact use a custom sanitizer to prevent such attacks. Since this sanitizer is unique to the company, SAST tools would not be able to detect it. But Frank demonstrated how DeepCode AI can detect this data flow pattern and create a rule the correctly detects this custom sanitizer. And because it’s using DeepCode’s semantic engine, the rule works across any code flow patterns, instead of being limited to a particular order of language tokens that are specific only to one team or, in this case, JavaScript.
These custom rules can detect more than just security patterns - engineering teams can use these custom rules to ensure that code stays up to par with specific quality standards. This new functionality makes it quick and easy to create and maintain these rules, eliminating false positives/negatives and the unnecessary alerts that come with them.
New features for developer-first SBOM management
Next, Ryan Searle, Staff Product Manager, announced new SBOM management capabilities and a new open source project for the software supply chain security community.
First, they announced new supply chain APIs. One API for generating SBOMs and another to fetch vulnerability information for individual packages. Both of these APIs are generally available. This single endpoint SBOM API compiles third-party dependencies for open source or container projects into a complete software bill of materials, in either CycloneDX or SPDX formats.
We’re also releasing an open source SBOM enrichment tool called parlay. This CLI tool enriches SBOMs with additional metadata, such as an overall description, version info, license details, corresponding vulnerability details from Snyk, and more. This holistic view of each component enables developers and security teams to fully understand and validate their apps' contents, and even use it to help ensure adherence to policies. As we continue to evolve this tool, we invite anyone interested in experimenting and contributing to download parlay.
Insights for a better understanding of app risk
In this part of SnykLaunch June ‘23, Daniel Berman, Product Marketing Director, and Ben Laplanche, Product Management Director, announced Insights. This new addition to Snyk’s product suite focuses on vulnerability prioritization, and compiling deep context about each vulnerability into one location so teams can better understand how to prioritize security fixes.
Our Insights feature (releasing in beta next month) directly responds to a key pain point facing most development and AppSec teams — the challenge of prioritizing the huge number of issues in their backlogs without a real understanding of the risk they pose to the business. Many of today’s teams use a siloed approach to triage and prioritize their issues — using SAST to prioritize code issues, SCA to prioritize open source issues, and so forth. They also lean heavily on an issue's technical and theoretical severity without digging deeper into other contextual information. Prioritizing this way becomes a challenge because, in the real world, issues don’t exist in a silo. They exist within the highly complex and dynamic context of the modern application.
Insights addresses these challenges by pulling data from across the Snyk platform to construct a 360° model of the application, depicting issues along with application components and the context of how the application is deployed and used in production in a visual graph. This provides security teams with broad view of their application, so they can better assess the risk an issue poses, and provide developers with a better understanding of its potential impact and path to resolution.
For more information about Insights and how it helps drive more effective, risk-based prioritization, read the announcement blog.
SnykLearn: A free, comprehensive source for security education
To wrap up this month’s SnykLaunch, Michael Biocchi, Senior Content Manager, previewed Snyk Learn, our free security learning platform that empowers developers to level up their secure coding skills and helps admins & security teams master the Snyk platform with online training courses and instructor-led workshops.
Connected to our goal of improving developer security education, SnykLearn partnered with NYU Tandon School of Engineering to create a custom learning path for their students and other aspiring developers. This unique offering allows developers to jumpstart their security education, and enter the job market with essential skills and a prestigious industry badge.
We also announced that Snyk Learn now aligns with the NIST NICE Workforce Framework, demonstrating our dedication to providing comprehensive and standardized cybersecurity education for developers. Education is essential in preparing the next generation of cybersecurity professionals, and we encourage you to check out our free resources — including product training on all new features announced today — at Snyk Learn.
What’s next for Snyk?
This year, our biggest goal is to enable end-to-end application security posture management (ASPM). These additions to our platform, as well as upcoming features throughout the rest of the year, will empower you to better:
Manage security posture by defining, managing, and tracking governance standards.
Explore your application as a whole by modeling the application from source code to cloud.
Manage risk & remediation with tools for reducing noise and prioritizing the riskiest issues first.
Tailor the developer experience to meet your security needs.
To learn more about our new features, check out the on-demand SnykLaunch presentation from June 7th, 2023