
Snyk's AppSec journey in 2022

Authors:

Jason Lane

Frank Fischer


January 11, 2023


Coming off a rough and wild end to 2021 with Log4Shell in all our minds, Snyk jumped out of the gates quickly and began providing the AppSec world with new capabilities that did not disappoint. In this blog, you can review most of the key investments we made in 2022 to improve performance, add new ecosystems, and support the enterprise.

Scale, performance, and availability

Snyk has seen tremendous growth! In 2022, we saw over 600% growth in the number of projects protected by Snyk Code and 500% growth in projects monitored by Snyk Open Source. Thank you for trusting Snyk to help secure your applications. It gives us energy to push on.

Snyk continues to grow exponentially, and in 2022 we took steps to prepare for this. For example, the mechanism Snyk Code uses to communicate between the client and the scanning engine was rearchitected. In principle, the scanning engine consists of two parts: a file server that collects all necessary files of the repository, in the version to be scanned, and an analysis server that streams the sources from the file server and returns the analysis. Snyk Code is extremely fast, but the majority of the time for a scan is spent in the first part of this process, so any optimization in this step directly benefits the user.

We improved the architecture of the file server and the collaboration between the file server and the analysis server to improve performance and stability. As an example, large mono-repos, which are applications held in a single large repository, pose a challenge for SAST systems because they have to copy large amounts of data to provide a meaningful scan. The new version of the Snyk Code engine introduced major improvements and is capable of scanning even the largest mono-repos fast and accurately. By the way, there is nothing you have to do to take advantage of the new Snyk Code engine; it is used automatically moving forward.

Another interesting addition is that the new Snyk Code engine performs interfile analysis beyond two files. Snyk Code is capable of following the data flow in an application through various files and detecting issues that span large parts of the application. This is of major interest to users of languages like C# or Java as these languages tend to use deeply nested files.

Snyk Code already changed the game in the SAST world, running 10-50x faster than other tools. These optimizations and engine improvements in 2022 continue to push Snyk Code forward and bring the full power of Snyk’s SAST capabilities to developers at every point of the SDLC.

More new abilities are being built atop this new engine for release in 2023, but this should give you a good start into the coming year. Stay tuned.

New ecosystems

Maven

In March, we released a new version of the dependency resolution mechanism for Maven SCM projects, which significantly improved the accuracy of the dependency graph that Snyk detects for Maven projects imported from Git. Users saw more accurate packages and versions in their Maven projects, for example when using frameworks such as Spring Boot and Jackson that rely on dependencyManagement in Bill of Materials (BOM) poms to manage versions. As an added bonus, the new resolver is more efficient than the old method, meaning projects should test faster and with a massively reduced chance of timing out.
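To illustrate the resolution case described above, here is an added example pom.xml (not from the original post or from Snyk) in which no dependency declares its own version: every version is inherited from an imported BOM through dependencyManagement. The Spring Boot version used is an assumption chosen for illustration.

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>bom-resolution-demo</artifactId>
  <version>1.0.0</version>

  <!-- Import a BOM: it contributes a dependencyManagement section
       that pins versions for hundreds of artifacts, including
       Jackson. Nothing here is added to the build classpath yet. -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-dependencies</artifactId>
        <version>2.7.5</version> <!-- assumed version for the example -->
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <!-- No <version> elements below: a scanner that reads only this
       file sees "jackson-databind" with an unknown version. The
       correct version exists only after the imported BOM is
       resolved, which is what the improved resolver does. -->
  <dependencies>
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
    </dependency>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
  </dependencies>
</project>
```

To check what a scanner should report, compare its dependency graph against `mvn dependency:tree` run in the same project, since Maven itself applies the imported BOM when building that tree.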

C/C++

April was an exciting time for Snyk Open Source as we completed the first tech integration to come out of the FossID acquisition we made the previous year. Through this acquisition, we added the ability to find unmanaged open source libraries for C and C++. This addition is the first of many new features for this ecosystem, but we have already started to make an impact in the world where software meets hardware, which is where these languages are primarily used. They are the base languages for most applications, and over 6 million developers code with them every day. We also added support for C and C++ dependency scanning via most of our existing IDE integrations, including JetBrains, Visual Studio Code, and Visual Studio. This is critical for developers who want to find and fix security issues before they are even pushed to a branch.

Nexus

In July, the Snyk Open Source team released an integration for Nexus Repository Manager 3.x. This new integration is functionally similar to the previous Artifactory integration. When configured, it enables Snyk to resolve all direct and transitive dependencies of packages hosted in Nexus when testing Maven projects that were imported from Git to calculate more complete and accurate dependency graphs. Snyk also uses this integration to access private dependencies when creating pull/merge requests, and update npm/yarn lockfiles using the correct URLs. The integration is available on Enterprise plans.

Gradle

While 33% of Snyk users had already been successfully testing Gradle 7 projects, we did not have official support for it until now. Snyk Open Source now officially supports Gradle 7 (and all minor versions) in the Snyk CLI. Customers can now confidently run snyk test and snyk monitor in these projects and see the complete picture of their dependencies, vulnerabilities, and license usage.

Go

In September, we significantly improved the match rate for licenses in Snyk Open Source Golang CLI scans. Customers have seen far fewer dependencies missing license information in these scans; instead, the dependencies have the correct license assigned. The improvement varies from project to project: in an open source Golang project we tested, license coverage for a Go CLI scan went from 6% of dependencies before to 93% afterwards. This is a huge step forward for this ecosystem.

More on the way

In 2022, we continued to extend Snyk Code to communities such as PHP, Go, Ruby, and APEX. We added languages to a Snyk Code closed beta and are working with the selected beta customers, and we prepared other languages to reach closed beta soon. We have a long list of new languages and ecosystems in the queue for general availability in 2023. In Snyk Code, we use human-guided ML on top of our training set of 120 to 150 thousand open source projects per language, learning from the knowledge of the global open source community.

Snyk AppSec in the enterprise

Another focus for Snyk in 2022 was working in large enterprise environments. The sheer size and the diversity of technologies, situations, and ages of the projects pose a challenge for developers, security professionals, and management alike.

Beyond the new and improved ecosystems mentioned above, our platform team was also busy making it ridiculously easy to use and deploy Snyk, from a new user experience to powerful reporting and single-tenant deployment options, giving our enterprise customers AppSec superpowers.

Snyk Code also landed in the enterprise realm. As an example, we constantly set and broke internal records for how many projects we can automatically import into Snyk Code in one sweep, because ever larger customer environments were onboarded. We are talking about significantly more than 20,000 in one night. One customer told us that they had tried to deploy an alternative SAST solution for six months; they did not manage to get a single project scanning automatically, gave up, and came to talk to us.

For enterprise customers, the changes in Code Agent and Snyk Broker were of particular interest. The Code Agent is a component that enables the Snyk Broker to connect self-hosted source code management systems to the Snyk SaaS. For larger organizations that run their own source code management, this is a fast, easy, and secure way to use Snyk Code as SaaS without installing and maintaining local servers.

On top of that, Snyk Code data is now available in reporting, giving you the opportunity to drill down on individual CWEs across your projects, see when each issue was introduced, and, with a single click, jump to the source file.


Last, but not least, a topic we worked on throughout 2022 was software supply chain security. Snyk Open Source doubled down on its long history of helping developers find and fix issues in their open source dependencies and released support for creating and scanning modern SBOM formats such as CycloneDX and SPDX.

Looking forward to 2023

As you can see, many new capabilities extended Snyk in the AppSec space. We at Snyk are proud to react fast to customer requests, and the list above is a testament to this. For 2023, we have a strong and challenging roadmap ahead of us. You will see us invest more effort in the work we started in 2022, such as the C/C++ side and the enterprise space. We also have new things on the radar to sustain Snyk as the innovative, fast, and reliable application security partner it is today, because the world of cyber security does not rest.

The teams behind Snyk's AppSec solution (research, development, security engineering, product management, support, technology field, sales, and marketing) want to thank you for your trust in Snyk and the invaluable feedback you have given us. We wish you a successful 2023 without security incidents. We will be there to help you make it so.
