SnykLaunch Oct 2024: Enhanced PR experience, extended visibility, AI-powered security, holistic risk management
October 8, 2024
11 min read
After almost a decade in business, we’ve had the opportunity to watch the software development industry change dramatically. Developers work with more moving parts than ever, relying on technologies like third-party resources and AI coding assistants to release sophisticated software on tight deadlines. While we’ve been talking about the relationship between development and security for the past decade, the DevSecOps conversation has shifted quite a bit.
For one thing, development teams need solutions that work seamlessly with increasingly complex environments. This level of developer accessibility must go beyond training for platforms or user-friendly security interfaces; it needs to give them pathways to security without requiring them to leave their existing workflows.
Security teams also need to consider how they are securing emerging technologies like AI-generated code. The sheer volume of AI code and its specific vulnerabilities require new techniques. In addition, security teams need holistic visibility to get a good look at the security posture of these moving parts and prioritize which activities matter most based on actual risk to the business. Prioritizing vulnerabilities in isolation and by generic scores (e.g., CVSS) no longer works when so many factors are in play.
Snyk’s latest product releases have tackled the above challenges with new ways to gain a holistic view of AppSec, prioritize risk, address AI code concerns, and integrate directly within developers’ workflows. Read on to learn more about these exciting updates and watch the full on-demand DevSecCon presentation.
Developer experience
Developer-first security has been a cornerstone of the Snyk experience from day one. We believe equipping developers with the tools to make security fixes from within their existing workflows is essential for today’s organizations. Anything less will only add work, making the development and security teams’ jobs more challenging. Today, we continue to build on this central idea with enhanced features for an even better developer experience. Our newest additions include:
Issues summaries in pull request comments
Pull requests are a strategic enforcement point in a secure development practice. We have offered security testing at pull request for some time now. Our enhancements in this area aim to save time and reduce context switching for developers. PRs will include even more information and actionability for developers directly within the pull request, starting with a summary of security issues that will populate within their software configuration management (SCM) platform, summarizing issues by severity.
Customizable PR templates
In addition, we are now offering the ability to customize the PR title, description, and commit message. When Snyk fixes or upgrades your Open Source and Container Projects, it automatically creates pull requests to your repository. Now, you can easily tailor these PRs to match your team's specific standards and preferences.
What can you customize?
title: Add a unique prefix, like “SNYK:”
commit_message: Customize the commit message format to align with your team's conventions.
description: Add additional context, link to relevant documentation, or even include a checklist of tasks.
You can customize PR templates using our API or a simple YAML file. With pull requests at the heart of developers' workflows and a key point of collaboration with many teams outside of development, the information shared must be standardized and easy to consume. Snyk's new customizable PR templates align Snyk-generated pull requests with your organization’s specific standards, practices, and communication preferences. You can specify the title and description, which security details to share, and even JIRA ticket information, all to match what your developers expect to see in their PRs.
Extensive visibility
We are also up-leveling the visibility that security leaders have over their organization’s risk posture. Snyk has broadened its reporting and analytics functionality with the launch of Snyk Analytics. It offers the data analysis tools and framework needed to effectively measure the health of your application security program across the entire organization and to understand which strategies will be most impactful for improving overall risk posture. Snyk Analytics offers the following:
Developer analytics, for understanding shift-left behavior across teams
Issue analytics, for quickly understanding your overall risk exposure and progress in resolving or preventing that risk, by drilling into your most important metrics on critical and high-severity issues
Application analytics, for looking at security trends such as the statuses of open issues, control coverage, repository metadata, and imported assets
As part of our Snyk Analytics release, we are also introducing integration with Snowflake AI Data Cloud, helping teams bring unique developer security analytics from Snyk into business intelligence dashboards. This new integration offers the ability to view analysis-ready Snyk data alongside your existing security data from other sources within Snowflake, providing the context for you to make holistic, strategic decisions.
AI everywhere
AI is already a key part of today’s development lifecycles and will continue to become more commonplace. So, developers need security tools that align with the speed and volume at which their AI-generated code enters repositories. Security that slows them down defeats the whole purpose of using AI: to speed up software development and save valuable time. We are continuously enhancing our AI security offerings, including recent releases such as:
Snyk Code’s DeepCode AI fix (now GA)
Now, all Snyk users can leverage AI to fix AI, enabling developers to secure their AI-written code at top speed. Our DeepCode AI engine integrates multiple AI models trained on security-specific data and human input from top security researchers to move at the speed of emerging technology without any drawbacks. It offers over 80% accuracy and only takes two clicks within the IDE to execute.
AI-powered reachability
We also leverage AI to offer accurate reachability. Snyk analyzes your codebase through data flows, pinpointing the 7% of issues called by your live application either directly or transitively. By narrowing down efforts to the vulnerabilities in production, we enable security teams to stay laser-focused on the issues that matter most and cut back on the noise.
Holistic application risk management
Earlier this year, we further extended our holistic security approach to risk management with the launch of AppRisk Pro. Our risk-based perspective allows smarter prioritization, keeping teams focused on the fixes that matter most while minimizing noise. Rather than just providing isolated insights about vulnerabilities, we bring together the full context of an application, including its architecture, business criticality, and runtime environment.
Updates to our approach for enabling holistic application risk management include:
Risk Score
Including reachability as an aspect of risk makes a ton of sense. However, over-indexing on reachability could cause teams to either focus on issues that don’t pose real threats or overlook significantly risky issues. Ultimately, teams need a broader application context, including factors like architecture, business value, and runtime state. Snyk’s Risk Score brings all these dimensions into a single value, offering insights on risk based on both the likelihood of exploitation and the potential impact.
Snyk has introduced enhancements to our Risk Score, designed to provide organizations with a more comprehensive and strategic approach to managing application security risks. Central to this update is the integration of DeepCode AI-powered reachability analysis combined with other risk factors to inform Snyk’s Risk Score. This capability identifies vulnerable functions within open-source packages that could be exploited by an application's code, even if they are indirectly referenced. By expanding reachability coverage to 90% of high and critical vulnerabilities, Snyk empowers organizations to proactively address potential security threats. Combining reachability with additional risk factors like EPSS ratings, package popularity, and several others makes it simple to determine which issues pose the greatest risk.
AppRisk Essentials
We recently extended Snyk AppRisk Essentials and its application discovery and coverage management capabilities to be included for all Snyk Enterprise customers, at no additional charge. These tools allow teams to gain better visibility into the assets used to build their apps and use policies to automatically manage assets and their coverage by Snyk.
Integrations across the DevSecOps Ecosystem
We are also significantly expanding the capabilities of our application security posture management (ASPM) solution, Snyk AppRisk. All AppRisk Pro users now have access to new third-party integrations, including:
SCM systems, including GitHub, Bitbucket, Azure DevOps, and GitLab
Internal developer platforms (IDPs) and service catalogs, including Backstage, ServiceNow CMDB, Atlassian Compass, Harness, and OpsLevel
Observability tools, including Dynatrace and Datadog
Cloud and runtime security solutions like Sysdig, Orca, SentinelOne, and Crowdstrike
These new partnerships will enable users to work with an even more complete view of application context, empowering them to continue managing security risks with greater accuracy and efficiency.
Watch the latest DevSecCon presentations
The Snyk team is excited about the additions to our risk-based prioritization, AI security, and developer-first workflows. We are proud to continue supporting teams in developing fast while staying secure.
Learn more about these enhancements by watching the full DevSecCon presentation on demand.