Skip to main content

SnykLaunch recap: Snyk Cloud, SBOM & reporting capabilities, and customer solutions resources

Escrito por:

Ravi Maira

wordpress-sync/blog-feature-snyklaunch

8 de novembro de 2022

0 minutos de leitura

At SnykLaunch on November 8th, our product leaders unveiled the latest additions to Snyk’s suite of developer-first products. We also gave viewers a sneak peek of these new features in action with live demos. We’re especially excited to announce Snyk Cloud, our cloud security tool that takes a contextual approach to finding and fixing cloud vulnerabilities. Everything we released centers on our ultimate goal — empowering teams to find, prioritize, and fix security vulnerabilities with developer-centric tools.

As we approach the end of 2022, identifying and responding to application risk looks different than in past years. For one, development is moving faster than ever. Developers outnumber security teams by a larger ratio with each passing year. As a result, the need for shared security responsibility has grown exponentially.

Software supply chains are growing in complexity as well. The industry relies heavily on third-party code, infrastructure as code (IaC), and cloud services. So, the focus of a true end-to-end security approach goes beyond proprietary application code, to encompass  the infrastructure, cloud, containers, and open source components behind the scenes of that application as well.

Most recently, there’s been a shift towards cloud as code. It’s no longer up to IT teams to provision and maintain infrastructure. Instead, developers hold much of the responsibility for upkeep in a cloud infrastructure — which is why developers need to understand the full scope of their application, and incorporate a holistic cloud security tool into their SDLCs.

With all of these shifts in mind, we’re always looking for ways to make the lives of development, security, and engineering teams easier. Our newest additions focus on maintaining a software bill of materials, remediating cloud vulnerabilities in the context of IaC, producing more detailed reports, and supporting teams throughout their security journey.

wordpress-sync/blog-snyk-launch-issues-configuration-scaled

SBOM tools

Today’s applications get “assembled” rather than built from scratch. Teams often choose to use open source components in their applications, rather than writing everything from scratch. With this increase in open source comes a significant increase in third-party risk. So, it’s no longer just a “good idea” to maintain a software bill of materials (SBOM) and keep a close eye on third-party dependencies. At this point, an SBOM is essential. And not just any SBOM, but one that’s visible to the right teams, interoperable, and integrated into the proper contexts.

Because of this, we’ve increased our support for SBOMs by enabling teams to create and scan them for vulnerabilities within minutes. We’re introducing three new SBOM solutions, including

  • SBOM API & CLI – Generates SBOMs within Snyk’s developer-first API & CLI tooling, documenting direct and transitive dependencies.

  • SBOM Checker – Free web tool that checks SBOMs for vulnerabilities — no Snyk account required.

  • Bomber 0.3.4 – An open source project for scanning SBOMs for vulnerabilities. Snyk is a supported provider, so Bomber can pull vulnerability information directly from Snyk Vulnerability Database.

A cloud security tool with IaC context

We also unveiled the newest addition to our product suite, Snyk Cloud. Historically, cloud security tools have focused on identifying vulnerabilities after release, forcing developers to backtrack to remediate them. Instead, we support a proactive approach to cloud security — finding and fixing vulnerabilities as early as possible in the software development life cycle.

Typically, it’s difficult to accurately identify cloud security vulnerabilities early in the development process, because separate tools are required for IaC analysis and live cloud checks, each with their own rulesets and findings. Teams are often overwhelmed by these separate cloud security tools because they produce too much noise from misconfigurations that may or may not apply to their environment.

wordpress-sync/blog-snyk-launch-cloud-env-list

To address this “noise” problem, Snyk pairs IaC with live insights from your cloud to provide context. Our unified policy engine enables Snyk Cloud to account for live cloud state when analyzing IaC to prioritize important fixes and rule out irrelevant alerts. Cloud teams can see security issues from both the cloud and IaC and guidance for remediating them. And cloud security experts have one central policy engine to manage, which puts security and developers on the same page and prevents confusion or redundant work.

With the addition of Snyk Cloud, our product suite now offers complete coverage for applications. Snyk scans your code, containers, third-party dependencies, and cloud infrastructure and provides detailed reports and suggested remediation steps right from your dashboard. Additionally, our unified policy as code engine empowers security teams to increase automation and reduce noise by establishing a single source of truth for cloud policy.

New reporting capabilities

Our product team also demoed our new reporting features at SnykLaunch. We developed these new features in response to an industry-wide need for excellent security visibility that was manageable, without missing any significant data. Our acquisition of TopCoat enables us to improve our existing reporting capabilities. We now offer deeper drill-down and wider big-picture views of vulnerability data. With this new span of data reporting, our customers can produce reports such as:

  • Issue detail report, filtered by team/business unit

  • Issue summary report, drilling into trends over specified time ranges

  • Risk breakdown report, highlighting groups within your organization that have pockets of risk, whether introducing new risk or reporting high MTTR.

wordpress-sync/blog-reporting-open-beta-snyk-UI-1

We’ve also added additional fields that can be exported, including metadata like package names. Thanks to these reporting updates, Snyk customers now have the flexibility they need to explore Snyk's data at any level of granularity. With our new reporting capabilities, they can better prioritize remediation efforts, monitor success, achieve and prove compliance, and produce better reports for key stakeholders.

Snyk’s customer solutions offerings

Additionally, we announced new services for boosting customer success with ongoing support. We’ve released new self-service resources — including self-paced courses for implementing our products, managing/configuring them, and using them to find and fix issues — and pulled all user resources into a convenient, central hub to make it easier to find information quickly.

We’re also offering additional services that provide live expertise for Snyk users. Kickoff sessions and office hours are available as general support for new or existing users. We also now offer more personalized support through two different tiers of services — Snyk Accelerate for implementation guidance, and Premium Care for ongoing consultation.

Watch SnykLaunch on demand

We’re very excited about all of the innovation happening here at Snyk, and are proud to lead the charge of proactively remediating risk across the entire software ecosystem. We especially look forward to seeing how our users leverage these new features to create secure applications.

Be sure to check out our on-demand recording of SnykLaunch to see these new features in action, and hear more about our approach to developer-first security. And don’t hesitate to reach out to our product team with any thoughts or questions!

wordpress-sync/blog-feature-snyklaunch

Quer experimentar?

Snyk interviewed 20+ security leaders who have successfully and unsuccessfully built security champions programs. Check out this playbook to learn how to run an effective developer-focused security champions program.