Snyk AppRisk Pro: A holistic approach to application risk management
Daniel Berman
1 de maio de 2024
0 minutos de leituraWe're thrilled to announce the availability of Snyk AppRisk Pro — our latest application security posture management (ASPM) offering designed to help enterprises manage and scale their application security programs with Snyk!
Snyk AppRisk Pro ships with a range of innovative, ecosystem-driven capabilities alongside new analytics tools, providing comprehensive application risk management with Snyk. These capabilities amplify the three core pillars in Snyk AppRisk: application visibility and discovery, security coverage management, and risk-based prioritization, together empowering security and development teams to collaborate more effectively in managing application risk for their business:
Runtime intelligence: Snyk has partnered with leading security and observability solutions such as Dynatrace, SentinelOne, and Sysdig to enable security teams to leverage runtime context to assess and manage risk.
Developer context: Snyk AppRisk users can now use unique development context to streamline coverage management & prioritization thanks to industry-first integrations with development platforms, such as Backstage and Roadie.
Extended security coverage: New integrations with secret detection tools such as GitGuardian and Nightfall AI and additional AST tools extend the visibility of Snyk AppRisk across application security programs
Application Analytics: A new data analytics capability offering AppSec teams a comprehensive overview of their AppSec program at a macro level, facilitating tracking, measurement, and reporting on program performance and risk KPIs.
These capabilities are now available in Snyk AppRisk Pro! To find out more, join our live webinar or explore our product documentation.
Closing the divide in app perspectives
While embracing “shift left” with Snyk has led to significant ROI for our customers by reducing application risk and enhancing developer productivity, we recognize there's still ample opportunity to enhance collaboration between security and development teams by fostering a shared understanding of application risk.
Developers typically possess deep knowledge of their own code and dependencies, but their focus often extends only to the specific parts of the app they are actively working on, such as a single API or service. On the other hand, security teams have a broader view, responsible for securing all apps under development. However, they lack assurance that developers are consistently scanning these apps and may overlook critical areas of the app.
Even with apps undergoing continuous scanning across the SDLC, both teams lack the context required to understand their risk profile fully. Key questions arise regarding the app's architecture, environment, and business importance, influencing prioritization decisions.
The lack of context, combined with overflowing vulnerability backlogs, often leads to the implementation of rigid security measures that hinder development progress and frustrate developers. This approach results in blind spots in security coverage, exposing businesses to unknown risks.
To scale application security programs effectively, security and development teams must align their perspectives on apps so they can collaborate effectively on identifying, prioritizing, and reducing real risk to the business.
This is precisely why we’re excited about the new capabilities in Snyk AppRisk Pro, which introduce a range of new, industry-first ecosystem integrations designed to provide this context!
Enter runtime intelligence
Not all the code written by developers is actually used by the application in its running state. For example, an open source package included as a dependency during development might not actually be loaded into the application’s memory at runtime. From a security perspective, this runtime context is critical as it informs upon the level of risk posed by a given vulnerability. It can significantly impact the developer's experience, differentiating between a situation where they're burdened with addressing a false-positive and one where they're empowered and confident, understanding the priority at hand.
Snyk AppRisk now provides customers with this essential runtime context!
Building on top of the January acquisition of leading runtime data pioneer Helios, Snyk AppRisk now integrates with leading security and observability solutions, such as Dynatrace, SentinelOne, and Sysdig, to enable security teams to accurately assess the risk posed by vulnerabilities. For example, using this runtime context, security can now distinguish between open source vulnerabilities that are deployed or loaded to memory in runtime and those that are not. With this clearer understanding of an application's runtime behavior, security teams can better work with developers to focus their resources on addressing vulnerabilities that pose the greatest risk to the business, ensuring a more efficient and effective developer-first AppSec program.
Within Snyk AppRisk, this runtime context is provided on the Insights page, where security teams can use the funnel view and flexible filtering to hone in on the top risks to the business quickly:
These partner integrations were designed to accommodate various enterprise security and observability setups. If you're unable to utilize these integrations, you can employ Snyk's new, eBPF-based runtime sensor to extract runtime context into Snyk AppRisk. More information on this sensor is available here.
Unlocking development context
To help customers manage risk effectively, Snyk AppRisk discovers all the different assets used to build, deploy, and run their apps. This includes repos, dependencies, containers, developers, and more. These assets are neatly organized in an asset inventory, enriched with additional context from various integrations.
We are thrilled to announce that Snyk AppRisk now uniquely integrates with Backstage and Roadie, further enhancing these assets with invaluable development context!
With the rise of platform engineering, developer platforms are gaining significant traction. According to Gartner, approximately 75% of the market is currently engaging in an active pilot, rollout, or deployment of a developer platform. These platforms, also known as developer portals, are predominantly used by platform, DevOps, and development teams to streamline workflows, encourage collaboration, and enhance productivity across the development lifecycle. Consequently, they harbor a wealth of information about the organization’s applications and development environment, which can also contribute to application risk management processes.
Snyk AppRisk customers can now harness this development context, such as a service’s type, code ownership, and lifecycle stage, to enhance their understanding of applications and leverage it to better align with the perspectives of platform and development teams to improve security coverage and prioritize fixes.
Note: Development context is available in both Snyk AppRisk Essentials and Snyk AppRisk Pro.
Extending security coverage management
We are happy to announce new integrations with GitGuardian and Nightfall AI, extending Snyk AppRisk’s visibility into coverage by secret detection tools to enable more holistic risk management!
Snyk AppRisk acts as a governance layer on top of Snyk’s developer-first AST tools — Snyk Open Source, Snyk Container, Snyk Code, and Snyk Infrastructure as Code — empowering AppSec teams to verify that vital application assets receive proper and consistent security measures.
Yet, we understand that application security programs, particularly in sizable enterprises, may incorporate additional security tools alongside Snyk's risk visibility. With our latest integrations with GitGuardian and Nightfall AI, Snyk AppRisk expands its capabilities to accommodate such diverse program requirements. This enhancement enables our mutual customers to manage security coverage more holistically by verifying the proper deployment of their secrets detection tools.
For a full list of AST tools supported by Snyk AppRisk, visit our product documentation.
Measuring program success
We’re excited to announce the availability in Snyk AppRisk of Application Analytics, a new advanced reporting capability offering AppSec teams a comprehensive overview of their AppSec program at a macro level, facilitating tracking, measurement, and reporting on program performance and risk KPIs.
One of the main challenges facing AppSec teams involves assessing the efficacy of their program in reducing application risk. Many teams focus on counting and reporting the number of vulnerabilities fixed over time and the mean time to resolve. But these metrics do not always tell the full story. While capturing actions taken for parts of the app teams are aware of, what about the parts they are unaware of and are not securing? Moreso, just tallying the number of vulnerabilities fixed fails to measure actual risk reduction.
With Application Analytics, AppSec teams can access a wide array of key performance indicators (KPIs) related to issues, coverage, and assets. These KPIs can be examined from two viewpoints — asset perspective or application perspective. This allows AppSec teams to gain a comprehensive understanding of their program's effectiveness. Enriched with application and business context, these KPIs help teams evaluate program success more precisely, fine-tune strategies, and offer executive stakeholders a clearer view of overall ROI.
For instance, users of Snyk AppRisk can promptly identify the key assets needing attention, considering their significance to the business, associated risk levels, and the number of unresolved issues. They can also assess coverage gaps across various assets and evaluate the program's efficiency in mitigating them. By monitoring the introduction of assets over time, Snyk AppRisk users can determine whether a decline in coverage or an uptick in introduced issues can be accounted for.
For more information on Application Analytics, visit our product documentation.
Continued Snyk AppRisk momentum
Snyk AppRisk was crafted to foster stronger collaboration between security teams and developers, aligning their viewpoints on applications, risk, and the remediation process. The innovative enhancements unveiled today significantly boost the visibility required to cultivate this shared understanding.
Looking ahead, we will continue to focus on further enhancing this visibility by incorporating additional context, integrating new data sources, and developing tools to empower both teams to leverage the provided context to improve risk prevention and remediation workflows. To truly deliver upon the promise of ASPM, context must be built into developer workflows to guide developer action with the least disturbance to the development pace. Stay tuned for more updates on this area specifically!
Snyk AppRisk Pro is now available! Visit our Snyk AppRisk product page, view the product documentation, or sign up for our live webinar to learn more!
Unlock DevSecOps with Snyk
Overcome application complexities and AI hallucinations while fostering collaboration between dev and sec teams with insights from Snyk and Accenture.