Why developer-first security is needed from the start, from DevSecOps pioneer Snyk
Developers (and, thus, organizations) are increasingly relying on open source code due to its ease of use and collaborative, evolving, flexible, cost-effective nature. By one estimate, 78% of code in codebases is open source.
At the same time, it is at risk due to a slew of security issues: At least 81% of codebases with open-source components contain at least one vulnerability.
This has given rise to DevSecOps, a method that introduces security earlier in the software development lifecycle.
“Software applications are built with developers acting as part of a modern assembly line, where they create applications by re-using software code from many places,” said Peter McKay, CEO of developer security platform Snyk. “Consequently, that means any piece of code they use could contain security issues.”
Event
Intelligent Security Summit On-Demand
Learn the critical role of AI & ML in cybersecurity and industry specific case studies. Watch on-demand sessions today.
To bolster its platform empowering developer participation in the security process, Snyk this week announced a $196.5 million series G funding round. This puts the company’s valuation close to $7.4 billion.
“In the creative process, developers should not have to worry about security issues,” said McKay. “They need flexibility, efficiency and peace of mind to do their best work.”
Putting security in the hands of developers — now
Developer-first security makes tools available to development teams by enabling scanning, testing and remediation within development environments.
The concept is quickly gaining traction, with the DevSecOps market size expected to reach $23.4 billion by 2028, up from $2.5 billion in 2020. Top companies in the space include Mend (formerly WhiteSource), Veracode, Lacework, Sysdig and Crowdsec.
As McKay noted, security concerns are further compounded by the fact that “the role of the developer is becoming an even greater piece of the success puzzle for an organization.”
Amid the struggle to hire strong cybersecurity talent, the global developer count is set to grow to 45 million by the end of the decade (there are currently an estimated 24.5 million developers).
“We can’t simply hire our way out of this crisis — we need to put security in the hands of developers right now,” said McKay.
Security embedded into development lifecycle
Snyk — which says it pioneered developer security — helps remove security issues that would otherwise impede development, said McKay. And this in a way that doesn’t slow developers down.
The Snyk SaaS platform enables developers to identify vulnerabilities and license violations in open-source codebases, containers and Kubernetes applications. Users connect their code repository — GitHub, GitLab or others — to access a vulnerability database where Snyk can identify and describe a problem, point to flaws and suggest fixes.
While new security tools and checks can slow down the development process, thus making developers wary, Snyk helps to accelerate the process because it embeds security into the development life cycle, meaning and IT workflow. Also, the company says its platform incorporates “the very latest” in security intelligence.
Ultimately, helping developers build stronger security programs lets them focus more attention on their own innovation and priorities, said McKay.
Forever changed by Log4j
It’s not an understatement: The software supply chain was forever changed by the Log4j vulnerability last December, said McKay.
“That watershed moment put a spotlight on the vital need for developers to use security tools to identify vulnerabilities in their projects,” said McKay.
As more vulnerabilities were discovered and patched in ensuing weeks, Snyk quickly added a “Critical Severity” alert to its vulnerability database and customers began to fix it, he explained. Developers were empowered to take control of vulnerabilities as they caught them, then add them to the Snyk database within hours of discovering them.
In the end, he pointed out, cybersecurity is all about education and collaboration.
Organizations must get up to speed on best practices to secure their software development lifecycles, he said. They need to build out inventories, or software bills of materials (SBOMs), that outline exactly what is contained in each application they build or sell.
Also, they must heed the guidance of industry and government (for instance, recent White House directives around SBOMs) that advise them to closely watch what is assembled within applications they build and/or use.
“On the collaboration front, organizations need to make sure their development, IT, and security teams all work together without getting in the way of each other,” said McKay.
Fixing flaws in a supply chain in real time before hackers are able to capitalize on them can mean preventing a catastrophic event like Log4j, he said.
“Companies need to embrace developer security operations cultures where developers, security professions and operations teams develop strong collaboration and work together to discuss, spot and fix vulnerabilities before damage strikes,” said McKay.
