Bolstering Snyk's developer security platform in 2022
Daniel Berman
January 9, 2023
2022 was another record-breaking year for the Snyk platform.
Helping an ever-growing number of customers find and fix issues across all the components making up their applications, the Snyk platform enabled over 2,500 customers during 2022 to import over 6.7 million projects, execute over 3 billion tests, and fix over 5 million issues!
Behind the scenes, Snyk’s Platform R&D teams continued to develop and strengthen the platform’s modularity, extensibility, consistency, scalability, and of course — security. These foundations ensure the rapid delivery of new functionality across the Snyk platform without compromising performance and resiliency.
2022 was also a year of innovation for the Snyk platform, with a series of new platform capabilities demonstrating a continued investment in providing users with an optimized and shared experience across all the elements making up Snyk’s developer security platform, as well as enabling customers and partners alike to extend and customize Snyk to fit into their custom workflows.
Let’s take a closer look at some of these 2022 platform highlights.
Making it ridiculously easy to work with Snyk
Providing an optimized user experience is a crucial component of how we envision developer security and thus continued to be a key area of focus for us in 2022.
With a goal of making it as easy as possible for both development and security teams to use the Snyk platform as part of their day-to-day security processes, we introduced a brand new user interface, incorporating standardized UI components, an updated color palette, and other elements to help our users get even more from Snyk. Noticeable changes include a new vertical sidebar, breadcrumb-based navigation, and new group and organization switchers.
Major performance improvements were introduced to some areas within the Snyk UI, which had previously caused some frustration among customers. To improve performance on the Projects page, for example, we added pagination and the ability to organize projects more easily, improving page load time by up to 90%!
From a user management perspective, we made it easier for larger organizations to apply a least-privilege permission model with the introduction of RBAC-based custom roles. Snyk group admins are now able to create their own customized user roles and assign specific permissions to them. This ensures the right people have the right access to the right resources at the right time, all in alignment with the internal structure and access policies within the organization.
Providing enhanced security visibility
Access to security data, and the ability to analyze and report on that data, are key for gaining the visibility necessary for an effective security program built on confidence and trust between development and security teams. Snyk’s recently announced new reporting capabilities were designed to provide our users with this type of visibility and are really just the beginning of a major overhaul being implemented across Snyk’s entire data services.
Just in case you missed the headlines, these new capabilities include, first and foremost, a brand new reporting user interface and improved performance and data latency, making it extremely easy to access, analyze and share Snyk’s security data. Importantly, the new reporting includes Snyk Code (first-party SAST issues) data, meaning users now have comprehensive coverage across all the components of modern applications in one central location. The new analysis capabilities, with extensive new filtering, data sorting options, and built-in reports, enable different stakeholders and different teams to get the answers they need to whatever security question they might have.
Since being announced, we’ve seen wide adoption among our customers, and are learning of new ways that Snyk’s security data can be leveraged for developer security. To learn more about these use cases and best practices, take a look at this blog post.
Providing best-in-class security intelligence
In 2022, Snyk strengthened the research methodologies used by its dedicated team of security experts, improved the automated AI-powered processes responsible for intelligence curation, and continued to work closely with the community and academia to disclose and enrich vulnerabilities.
All this translated into the discovery of 1100+ zero-day vulnerabilities. 90% of these were malicious packages that can be used for supply chain attacks and that were identified using Snyk’s malicious package identification engine. Our collaboration with the community and academia helped uncover 180 distinct vulnerabilities in popular open source packages.
To help our customers prioritize fixes more efficiently, we also introduced additional metadata to vulnerabilities. We added hand-curated, vulnerability-specific prioritization and remediation context to specific vulnerabilities prevalent among our customers:
Vulnerability Prerequisites are the characteristics that define the environment or configuration in which a vulnerability can be exploited. In the example below, a critical severity vulnerability can only be exploited if the vulnerable component is deployed to a Windows-based server. If it is deployed on a Linux-based server, the vulnerability cannot be exploited and can therefore be de-prioritized.
Alternative Mitigation Advice provides an example of how to mitigate a threat when updating packages/container images is not an option.
And last, understanding that different organizations rely on different CVSS analysis methods, we added multiple CVSS scores to vulnerabilities, from sources such as NVD, Red Hat, and others. CVSS scores from additional software vendors and research groups will be added throughout 2023.
Extending Snyk into more workflows
Providing our customers and partners with an easy way to extend the Snyk platform to fit into various custom tools and workflows is part and parcel of our vision for developer security. Over the past year, we strengthened the core building blocks of Snyk’s extensibility, introducing a new REST API, improving our model for building Snyk Apps, and announcing Snyk’s TAPP program.
The functionality provided by the Snyk platform is backed by Snyk’s API, facilitating the customization, integration, and automation of Snyk’s security as part of any customer or partner workflow. Throughout 2022, we continued the introduction of a new version of our API. Based on the OpenAPI 3 specification, this new REST API was designed to provide a consistent, friendly, and easy-to-use API framework that introduces some major improvements in comparison to the previous API version, including consistent versioning, pagination and caching, and dramatically improved performance. We are gradually adding new endpoints to the new API and expect to migrate the majority of our existing endpoints to the new version by the end of 2023 so users, customers and partners can more easily extend, customize and automate Snyk workflows.
Partially leveraging this new REST API, Snyk Apps, Snyk’s model for building integrations with the Snyk platform, were improved, and new Snyk integrations, such as the Bitbucket Cloud app, have been built in alignment with this framework. Currently available in beta, Snyk Apps are integrations that extend the functionality of the Snyk platform, allowing our partners to create a Snyk experience that suits their customers’ needs. For example, a Snyk App might automate Snyk’s application security testing as part of a build tool. Another Snyk App might stream Snyk’s security testing results into an incident management tool.
Snyk Apps are also at the heart of the new Snyk Technology Alliance Partner Program (TAPP) that was announced in April, enabling application and developer-focused software companies to build, integrate and go-to-market with Snyk solutions. Learn about the latest companies to join the Snyk TAPP initiative, including technology leaders like MongoDB, the Linux Foundation, Trend Micro, Rapid7, VMware and many others. If you're interested in learning more about Snyk TAPP and becoming a partner, fill out this short TAPP Questionnaire to start the process.
Helping organizations comply with data residency
The Snyk platform is provided as software as a service (SaaS), enabling customers to enjoy a maximized return on investment, a quick time to value, and immediate access to Snyk’s innovation. Our multi-tenant architecture leverages state-of-the-art cloud technologies and is designed and operated with extremely high data handling standards, satisfying the security and compliance concerns of the vast majority of Snyk’s customers.
However, we also realize that some organizations have more stringent expectations of security, data residency and reliability. Throughout 2022 we introduced new deployment options to help these organizations use the Snyk platform while also complying with data governance requirements. This started with a new data center in the EU (Frankfurt) and continued with the new data center in Sydney, Australia — new deployment options that ensure customer data does not leave these specific geographical regions. Snyk also introduced Private Cloud, a single-tenant deployment option for organizations needing complete data isolation.
These new deployment options demonstrate Snyk’s continued investment in enterprise-grade security and compliance. Snyk continuously invests in adhering to strict security measures, and is compliant with the EU General Data Protection Regulation, ISO 27001, ISO 27017, and SOC 2 Type II standards. We are fully committed to meeting new data governance and protection requirements as these emerge and are required by our customers.
Doubling down on developer education and learning resources
Developers cannot be expected to be security experts and need to be empowered with educational tools that are embedded into development and are easy to consume.
Snyk Learn — Snyk’s online developer education tool — saw some major improvements throughout 2022 with the addition of new courses that extend coverage for many ecosystems and vulnerabilities. The OWASP Top 10 is fully covered with multiple lessons in many of the OWASP modules. This led to a new feature called Learning Paths. These are a fantastic resource for developers looking to improve their security skills and knowledge. The learning paths are designed to take you on a structured journey with our first path being the OWASP Top 10. More to come in 2023!
Snyk Training launched an award-winning site in 2022 with short self-paced courses to help developers and security teams learn how to implement, configure, and use Snyk. Prospective and new customers can prepare for implementation steps by learning about ways to integrate Snyk, best practices for account structure, and the process to set up single sign-on and user provisioning, along with other key decisions. Organization administrators can learn to set up and manage an organization or learn how to use the default Snyk test on PR automation.
Developer-focused learning also covers working with Snyk in an IDE or the CLI, along with our learning paths to help developers find and fix issues with Snyk Open Source and Snyk Code.
Demystifying vulnerability scanning for regulatory compliance
This year we have seen tremendous growth in the number of businesses pursuing compliance with regulatory standards like SOC 2, PCI DSS, and ISO 27001. In particular, many of our customers in highly regulated industries (financial services, healthcare, etc.) have told us they regularly use Snyk’s vulnerability scanning reports as compliance evidence. We were delighted to hear the feedback that Snyk is making it easier for our customers to respond to audits, so we took the opportunity to create a compliance cheat sheet. This resource groups Snyk features into five key categories (reporting, OSS license compliance management, Snyk Learn, and cloud policy management) and maps them to common compliance controls.
Additionally, Snyk launched a partnership with Vanta, the leading compliance automation provider, to make compliance adherence even easier for growing teams. Once Snyk has scanned your apps for thousands of known vulnerabilities, Vanta customers can easily connect Snyk via its API to begin populating the scan results into out-of-the-box (OOTB) compliance reports. These reports can be used as evidence for the industry’s most sought-after standards, such as SOC 2, HIPAA, GDPR, ISO 27001, and more.
Looking forward to 2023
We’re excited to head into 2023. With the foundations of the Snyk platform strengthened, we are confident that the coming year will be extremely impactful for our customers.
Plans for 2023 include continued work on enhancing the shared user experience across all Snyk products, as well as significant improvements to all facets of working with the Snyk platform at scale — importing projects, managing them, and reporting on them. We know prioritization remains a challenge for our customers, and so we have plans to introduce some changes that will make it easier to identify which issues pose risk vs. those that can be discarded.
On the integrations front, we will continue to invest in making it easier for customers and partners to fit Snyk into their tools and workflows. We will be introducing some exciting integrations with new and existing technology partners, and we will continue to invest in our new API.
So stay tuned for news, and happy new year!