
Announcing new Snyk AppRisk integration with Orca Security

Author: Daniel Berman

September 11, 2024

We’re excited to announce a new Snyk AppRisk integration with Orca Security that brings the best of two worlds together: developer-loved, security-trusted application security from Snyk and leading cloud security from Orca. 

This integration is big news for organizations looking to align with DevSecOps and enhance collaboration between development and security teams. By combining Snyk’s developer security platform with Orca’s robust cloud security and visibility, teams can work together to effectively identify, prioritize, and mitigate the top risks to the business, driving faster and safer development cycles. 

Let’s dive into why this integration is important, how it works, and how you can start using it today.

The value of combining developer-first AST with runtime visibility

As applications become more complex and development accelerates with DevOps, cloud, and AI, identifying actual business risk and prioritizing remediation accordingly is increasingly challenging. This can result in misallocated resources and overly strict security measures, frustrating developers and hindering progress. A shared and more comprehensive understanding of application risk is essential to foster collaboration between security and development, a cornerstone of any modern application security program.

Snyk AppRisk, our developer-first application security posture management (ASPM) solution, addresses this by providing holistic visibility into applications. By combining comprehensive application context with a consolidated view of vulnerabilities, Snyk AppRisk enables teams to evaluate risk more accurately. A key component is understanding how the application is running in production, which helps prioritize vulnerabilities based on actual, not perceived, risk to the business. The new integration announced today allows Snyk and Orca customers to use this runtime context to differentiate between vulnerabilities and application assets that are actively deployed in runtime versus those that are not. 

Leveraging this broad application context to guide developer actions with clear prioritization and remediation advice early and throughout the development lifecycle is crucial. This can’t happen if developers are forced to use security tools that are too slow, inaccurate, or difficult to integrate. While such tools may be good enough to meet compliance or regulatory requirements, they fail to enable developers to proactively prevent and fix vulnerabilities. Combining Snyk’s developer-friendly security tooling with a holistic understanding of the application ensures developers have the context they need to fully understand the risk posed by any given vulnerability as well as the priority assigned by the security team, streamlining remediation and improving collaboration between the two teams.

Setting up the Snyk AppRisk and Orca integration 

The integration between Snyk and Orca is designed to be seamless and user-friendly. To set it up, access the Integrations page in Snyk AppRisk and select Orca Security (only available for Snyk AppRisk Pro customers). Fill in the required information. As seen below, you’ll need an Orca API token:

[Image: Orca Security integration setup form in Snyk AppRisk]

Once the integration is set up, Snyk and Orca customers can leverage the best of both platforms to gain better visibility into application risk to streamline prioritization and remediation workflows. 

Using Orca’s runtime context in Snyk AppRisk

For Snyk AppRisk Pro users, Orca’s runtime context enhances two key risk management workflows: coverage management and prioritization.

Snyk AppRisk’s asset discovery capabilities help users gain a view of the different app assets being secured — or needing to be secured — by Snyk’s AST tools, including code repositories, packages, and, of course, container images. 

The new Orca integration enriches the asset inventory with information on running workloads. By combining the asset inventory with this runtime data, users can quickly identify containers that are deployed in runtime but are not being secured by Snyk’s AST tools as required.

[Image: Snyk AppRisk asset inventory enriched with Orca runtime data]

On the Issues page, you can leverage Orca’s runtime context for improved prioritization, using the funnel and filters to quickly identify those vulnerabilities that Orca and Snyk have identified as associated with a deployed container and thus pose a greater level of risk.

[Image: Issues page filtered to an out-of-bounds read vulnerability in a deployed container]

Once isolated, the issue can be passed along to the development teams for remediation with the context they need to determine priority, identify the source, and apply a quick fix. 
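The two workflows described above, coverage management and runtime-aware prioritization, both come down to correlating an AST asset inventory with a list of running workloads. The following is an added illustration of that correlation and is not Snyk’s or Orca’s code or API: the field names (`image`, `scanned`, `workload`, `severity`) and the inventory, runtime and issue records are constructed for the example. Images are matched on their content digest rather than on mutable tags, which is the detail that makes such a join trustworthy.

```python
"""Correlate an AST asset inventory with runtime workload data (constructed example)."""
from dataclasses import dataclass
from typing import Iterable

# Lower rank sorts first.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class ImageRef:
    repository: str  # registry/namespace/name, lower-cased, tag removed
    digest: str      # "sha256:<hex>" or "" when the reference carried no digest

    @property
    def key(self) -> str:
        # Correlate on the immutable digest; a tag-only reference can only be
        # matched by repository, which is a weaker (tag-mutable) correlation.
        return self.digest or self.repository


def parse_image_ref(ref: str) -> ImageRef:
    """Normalise 'registry[:port]/repo[:tag][@sha256:...]' into an ImageRef."""
    if "@" in ref:
        name, digest = ref.split("@", 1)
    else:
        name, digest = ref, ""
    # A tag is the text after the last ':' that follows the final '/'; a ':'
    # before the final '/' belongs to the registry port and must be kept.
    last_slash = name.rfind("/")
    colon = name.rfind(":")
    if colon > last_slash:
        name = name[:colon]
    return ImageRef(name.lower(), digest.lower())


def coverage_gaps(inventory: Iterable[dict], runtime: Iterable[dict]) -> list[tuple[str, str]]:
    """Return (repository, reason) for every running image not covered by AST scanning."""
    scanned_by_key = {parse_image_ref(a["image"]).key: a["scanned"] for a in inventory}
    gaps = []
    for workload in runtime:
        ref = parse_image_ref(workload["image"])
        if ref.key not in scanned_by_key:
            gaps.append((ref.repository, "running but absent from the asset inventory"))
        elif not scanned_by_key[ref.key]:
            gaps.append((ref.repository, "running but not scanned by any AST tool"))
    return sorted(gaps)


def prioritize(issues: Iterable[dict], runtime: Iterable[dict]) -> list[dict]:
    """Order issues so those on deployed images come first, then by severity, then id."""
    running = {parse_image_ref(w["image"]).key for w in runtime}

    def annotate(issue: dict) -> dict:
        return dict(issue, deployed=parse_image_ref(issue["image"]).key in running)

    annotated = [annotate(i) for i in issues]
    return sorted(annotated, key=lambda i: (not i["deployed"], SEVERITY_RANK[i["severity"]], i["id"]))


# Constructed sample data: digests are placeholders, not real image hashes.
D_CHECKOUT, D_CART, D_REPORT, D_SEARCH = ("sha256:" + c * 64 for c in "abcd")
INVENTORY = [
    {"image": f"registry.example.com/shop/checkout:1.4.2@{D_CHECKOUT}", "scanned": True},
    {"image": f"registry.example.com/shop/cart:2.0.0@{D_CART}", "scanned": False},
    {"image": f"registry.example.com/shop/legacy-report:0.9@{D_REPORT}", "scanned": True},
]
RUNTIME = [
    {"workload": "prod/checkout", "image": f"registry.example.com/shop/checkout@{D_CHECKOUT}"},
    {"workload": "prod/cart", "image": f"registry.example.com/shop/cart@{D_CART}"},
    {"workload": "prod/search", "image": f"registry.example.com/shop/search@{D_SEARCH}"},
]
ISSUES = [
    {"id": "ISSUE-1", "image": INVENTORY[0]["image"], "severity": "high"},
    {"id": "ISSUE-2", "image": INVENTORY[2]["image"], "severity": "critical"},
    {"id": "ISSUE-3", "image": INVENTORY[0]["image"], "severity": "medium"},
]

if __name__ == "__main__":
    for repo, reason in coverage_gaps(INVENTORY, RUNTIME):
        print(f"coverage gap: {repo}: {reason}")
    for issue in prioritize(ISSUES, RUNTIME):
        print(f"{issue['id']}: {issue['severity']}, deployed={issue['deployed']}")
```

With the constructed data, the cart image is flagged as running but unscanned, the search image as running but entirely unknown to the inventory, and the two issues on the deployed checkout image are ranked above the critical issue on the legacy-report image that no workload is actually running.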

Using Snyk’s AST findings within Orca

Orca Security’s platform offers customers unprecedented visibility into cloud risks, including infrastructure misconfigurations, workload and application vulnerabilities, API exposure, data exposure, and more. Additionally, Orca offers the ability to trace risks from cloud environments to their originating code stored in git repositories to enable development and security teams to quickly understand the source of vulnerabilities or misconfigurations, thus promoting effective risk mitigation. 

Another integration between Orca Security and Snyk enables the correlation of running containers and their associated risks directly to the relevant Snyk projects within the Orca platform. Thus, a user could view a container deployed in a runtime environment and trace the risk to Snyk.
