Snyk has expanded its DevOps vulnerability scanning and fixing tooling to the Red Hat OpenShift enterprise application platform, allowing developers to integrate security checks into the entire development and deployment process, the company announced at the virtual Red Hat Summit taking place this week.
“The code and containers running on OpenShift can come from anywhere especially when you pull in open source components and container base images from public registries,” said Jim Armstrong, Snyk’s product marketing director for container security. “Developers are ultimately tasked with fixing security issues in all these layers, so Snyk and Red Hat’s integration of developer-focused security fixes built-in to developer tools and the leading enterprise Kubernetes platform make it easy.”
Snyk’s security tools will help Red Hat customers in two ways. First, they offer consistent scans and fixes for code and applications as those are updated and deployed in OpenShift clusters. Second, Red Hat’s CodeReady Dependency Analytics, part of the company’s CodeReady portfolio of developer tools, now relies on the Snyk Intel vulnerability database for its analysis of open source tools and dependencies.
Snyk’s mission is to automate, across the entire application lifecycle, the discovery of vulnerabilities in open source dependencies, containers and Kubernetes configurations, and the offering of fixes for them. Snyk continuously scans and tests, and communicates how the available fixes should be prioritized along with other supporting information. Scanning does not stop once a workload has been scanned and, in some cases, fixed: as new vulnerabilities are disclosed, the code is checked again, whether it sits in a git repository or has already been deployed.
This capability is now available for DevOps teams to use on their OpenShift containers and applications. The integration also means DevOps teams can use Red Hat CodeReady Dependency Analytics to discover and fix vulnerabilities as soon as they are added to Snyk’s database.
The combination of OpenShift and Snyk provides developers with security at the infrastructure and the application level, Torsten Volk, an analyst for Enterprise Management Associates (EMA), said. “This is key in a world where we are trying to release applications at an increasingly faster clip and provides some nice extra value for OpenShift as a DevOps platform,” Volk said.
Developers and security teams working on the OpenShift platform need to ensure that code and applications are secure, while also making sure that fixes and remediations remain ongoing and consistent.
At the same time, OpenShift’s capabilities for developers are also extended by the Snyk integration. “OpenShift provides flexible application deployment models, and the platform handles most of the building and deployment for you. OpenShift also offers the ability to run any containerized applications, either straight from the container or via Kubernetes configurations and operators,” Armstrong said. “Either way you go, it’s important to stay on top of the latest security updates for all the open-source components you include in code as well as the containers.”
The continued vulnerability testing and remediation — as vulnerabilities surface, whether during the development or deployment cycle — on OpenShift are also critical. “There are always new vulnerabilities, and container images need to be refreshed regularly to include the latest fixes. Snyk provides this visibility across the software development lifecycle, including monitoring the running workloads in the OpenShift clusters,” Armstrong said.
Red Hat also has placed a lot of trust into Snyk Intel’s vulnerability database. “With Snyk Intel integration, Red Hat CodeReady Dependency Analytics helps developers find and fix vulnerabilities in their application stacks directly from their IDE, even before the build stage of their pipelines,” Red Hat’s Parag Dave, product management, OpenShift Developer Tools, said. “This self-service capability increases the efficiency of the DevOps cycle and can help address vulnerabilities with reduced time and effort.”
In addition to the self-service capability, Snyk’s software composition analysis of open source dependencies can be added to the CI pipeline tasks on OpenShift, an additional way Snyk expands OpenShift’s capabilities for developers, Dave said.
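As an illustration of what such a pipeline task can look like, the following OpenShift Pipelines (Tekton) Task is an added example written for this page; it is not a task shipped by Snyk or Red Hat. It assumes the Snyk CLI container image `snyk/snyk:node` (pick the tag that matches your project’s ecosystem), a Kubernetes Secret named `snyk-token` holding a Snyk API token under the key `token`, and a workspace named `source` containing the checked-out repository. The task names, parameter names and the image parameter are assumptions chosen for the example.

```yaml
# Added example (not Snyk's or Red Hat's own task): gate an OpenShift Pipelines run
# on Snyk's dependency and container scans, then register the project with Snyk
# so it keeps being re-checked as new vulnerabilities are disclosed.
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: snyk-security-gate          # assumed name
spec:
  description: >-
    Fail the pipeline when Snyk finds open source or container image
    vulnerabilities at or above the chosen severity, then snapshot the
    project in Snyk for continuous monitoring.
  workspaces:
    - name: source                   # assumed: the cloned application repository
  params:
    - name: severity-threshold
      description: Lowest severity that fails the build (low|medium|high|critical)
      default: high
    - name: image
      description: Fully qualified reference of the image built earlier in the pipeline
      default: ""
  steps:
    - name: open-source-test
      image: snyk/snyk:node          # assumed tag; use the ecosystem-specific snyk/snyk image
      workingDir: $(workspaces.source.path)
      env:
        - name: SNYK_TOKEN
          valueFrom:
            secretKeyRef:
              name: snyk-token       # assumed Secret name
              key: token
      script: |
        #!/bin/sh
        set -eu
        # `snyk test` exits non-zero when a vulnerability at or above the
        # threshold is found, which fails this step and therefore the pipeline.
        snyk test --severity-threshold="$(params.severity-threshold)"
        # `snyk monitor` records a dependency snapshot so Snyk re-evaluates
        # it as new vulnerabilities are added to its database.
        snyk monitor

    - name: container-test
      image: snyk/snyk:node
      workingDir: $(workspaces.source.path)
      env:
        - name: SNYK_TOKEN
          valueFrom:
            secretKeyRef:
              name: snyk-token
              key: token
      script: |
        #!/bin/sh
        set -eu
        if [ -z "$(params.image)" ]; then
          echo "no image parameter given, skipping container scan"
          exit 0
        fi
        # Scan the built image's OS packages and application layers; pointing at the
        # Dockerfile lets Snyk recommend a less vulnerable base image.
        snyk container test "$(params.image)" \
          --file=Dockerfile \
          --severity-threshold="$(params.severity-threshold)"
        snyk container monitor "$(params.image)" --file=Dockerfile
```

In a Pipeline, reference this Task after the build step and pass the built image reference as the `image` parameter; a `high` threshold blocks on high and critical findings while still recording medium and low ones in Snyk for later triage.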
The integration with Snyk will also help developers automate security analysis as they build their applications on OpenShift. “We will continue to expand our developer experience on OpenShift and integrate the capabilities of CodeReady Dependency Analytics and Snyk Intel to help developers find and address vulnerabilities in their application stack in various ways directly from OpenShift,” Dave said.
The adoption of Snyk is also seen as a way to help DevOps teams integrate security throughout the entire development lifecycle without disrupting the need to deploy at faster cadences. One of the key findings in Snyk’s DevSecOps Insights 2020 report, for example, was that 48% of those surveyed said security impeded DevOps teams’ ability to rapidly develop and deploy applications.
Snyk’s integration with OpenShift is thus part of Snyk’s overall mission to help development teams find the best compromise between using existing open source libraries and container images to deliver more with less while at the same time keeping their application at an acceptable level of security and compliance, Volk said.
“This constant seeking out of the best compromise between optimal productivity and optimal security constitutes an ongoing source of stress for developers as they have to continuously assess the cost of plugging specific vulnerabilities compared to the probability and impact of an actual exploitation of these gaps,” Volk said. “Snyk telling developers whether or not to worry about certain vulnerabilities within their own very specific application context provides peace of mind while still minimizing the effort spent on patching these problems.”
Snyk and Red Hat are sponsors of The New Stack.
Feature image via Pixabay.