
Snyk Rethinks Static Application Security Testing for Developers

29 Oct 2020 12:20pm, by

The cloud native security software provider Snyk has released a package for “developer-first” SAST (static application security testing). Snyk Code, released at SnykCon last week, fills many of the gaps that existing SAST solutions leave in developers’ needs for testing open source code, application code, containers and infrastructure as code, the company claims.

“SAST has kind of become the poster child” of what not to do for security solutions for developers, Guy Podjarny, founder and president at Snyk, said during a SnykCon press and analyst conference. As its name suggests, SAST analyzes existing source code, byte code and binaries for known patterns of vulnerability. Snyk Code offers machine learning (ML)-aided security monitoring and remediation in a way that “rethinks development security,” Podjarny said. It addresses shortcomings of existing SAST solutions by improving, among other things, speed and accuracy, he said.

Many of Snyk Code’s capabilities draw from Snyk’s acquisition of DeepCode for AI-code analysis of third-party components. “We’re building on our deep engine and speed of analysis, as well as our existing pipeline of analysis of every library and every version that gets released in the world,” Podjarny said.

Features that Snyk says Snyk Code offers include:

  • Developer usability: integrations with Git and integrated development environments (IDEs) for scanning source code as an app is created.
  • Speed: Snyk Code is up to “50 times” faster than existing SAST solutions as vulnerability scans are initiated as code is created, thus removing a major time hurdle for many developer teams, Snyk said.

Improved accuracy in scanning and remediation is another major capability Snyk Code offers; among other things, it relies on ML-scanned databases to help reduce false positives.

“We put a heavy emphasis on remediation, so every time we introduce a vulnerability to the developer, we make it as easy as possible to remediate them,” Podjarny said in response to a question during the press and analyst conference. The process typically involves “a single click button” to open a fixed pull request, “where we already create the fixes and we just serve them to the developer,” Podjarny said.

“I do want to emphasize that with this platform view, our service to the developer isn’t to secure their code or secure their open source or secure their container, but rather to secure their app,” Podjarny said. “The developer does that once, and they will now get this type of verification and fixes and monitoring across all of these different aspects of their application in one go.”

Snyk’s debut of Snyk Code is intended to help offer a single-vendor alternative in what remains a fragmented security tool market, reflecting how organizations continue to take different approaches to their investments in security tools.

The recently released results of an Enterprise Strategy Group report, presented during SnykCon, show how many organizations face challenges in integrating many, or arguably too many, security tools. A paltry 30% of the organizations surveyed, for example, are able to protect more than 75% of their code during the following 12 months. Still, most DevOps teams in the organizations surveyed plan to increase their security spending during the next 12 months. For cloud security, 44% of the organizations in the survey are “targeting” security for the cloud, while one third are seeking to consolidate their tool base.

In addition to the debut of Snyk Code, SnykCon also had a number of interesting talks. Here are a few highlights:

The Automation Key

DevOps teams continually seek to rely on automation to remove manual steps and tasks from CI/CD, beginning with the first uploads of application code to Git and extending to operations management after the application is deployed. During his SnykCon talk, Amol Deshpande, product security engineer at Salesforce, described the mechanics of his team’s automated security processes, which he characterized as “plug and play” security scanning.

He detailed the automated steps involved at Salesforce, from the issuance of an OSS request through to the report the engineer receives from the associated job ticket.

“So, whenever an engineer comes in, they already have the reports attached back to the ticket, and they can just look at the report and see whether there are findings or not,” Deshpande said. “If there are no findings they can just approve the requests. If there are findings, they can work with the employee or the engineering teams to fix these findings, so this results in saving a lot of time for the engineers because they don’t have to spend time actually running the scans or making sure that they understand the tools.”

Deshpande estimated that automation has helped Salesforce reduce the work hours of its engineering teams by almost 150 hours per year that would otherwise have been spent manually running security scans. The engineering team members are thus able to “concentrate on more important tasks,” Deshpande said.

The Culture Shift

Implementing any platform or tool requires the requisite DevSecOps culture. But instilling that culture is impossible without the right talent in place, Nicholas Vinson, DevSecOps lead at Pearson, said during his talk on DevSecOps culture.

“When applying the right processes and practices that deliver exponential improvement in your organization, you need people with the right knowledge and experience to define and implement in order to give effective guidance about how to create secure configuration and implement security controls,” Vinson said. “You need people who really understand those areas, and have experience building and managing similar services. That’s how you can avoid conflict with development teams where traditionally security requirements provided by security analysts operating in a silo may not be relevant or feasible to implement.”

It’s “virtually impossible,” for example, to find engineers who can cover all security needs with deep knowledge of every technology involved, he said. “We get around this problem by creating a balanced team of different skill sets and promoting a culture of collaboration,” Vinson said. “This leads to a cross-pollination of knowledge, and up-skilling in weaker areas.”

Hacking 101

For vulnerabilities known to only a few before they are exploited, ethical hacking has served as an invaluable way for many organizations to detect and mitigate threats. However, amazingly, many in the tech sector still fail to realize that hackers, and the act of seeking vulnerabilities in code and networks, can be a noble pursuit, as many confuse ethical with criminal hackers. Among the general public, hackers are usually wrongly associated with the hoodie-wearing stereotype and are presumed to be up to no good. In her talk, Chloé Messdaghi, vice president of strategy for Point3 Security, discussed how “the public to this day still sees us as a threat.”

Whether you type in “ethical hacker” or “criminal hacker,” “you get the exact same imagery: this hoodie, this darkness, usually a man,” Messdaghi said. “It’s overwhelming for us, because if we’re constantly battling these images in the media and portraying us as this, they’re misleading the public, and because the public is not fully aware of what we look like, these images are very instilled in our society.”

These misconceptions also have very real and unfortunate repercussions for the community at large. In the U.S., for example, ethical hackers who might otherwise disclose security holes, or who expose attacks in ways that not only prevent monetary damage but also, indirectly, save lives by keeping healthcare and other public services from being attacked, often face legal consequences. They also face very hefty costs in civil courts, which, to say the least, dissuades many from helping to prevent societal harm.

Changes to public imagery, media contact, public recognition of ethical hackers, the creation of disclosure processes at organizations and legislative representation to modernize mandates and statutes to protect ethical hacking are all necessary to bring this positive change about, Messdaghi said.

The adoption of these measures could thus help to attract more hackers to the field “because suddenly they realize that this is actually something that they can do where they don’t have to be worried all throughout the night of doing,” Messdaghi said.

“This can probably move some people from the criminal side into the good side which is what we want in the first place. We want to give people opportunities,” Messdaghi said. “But in order to do that, we have to influence the public sector and by doing that, we have to have organizations, media and legislation on board.”

Snyk is a sponsor of The New Stack.

Feature image via Pixabay.
