DevOps / Monitoring / Security

Snyk Seeks to Sharpen Distinction Between Low-Priority and Urgent Security Alerts 

22 Jul 2020 11:30am, by

DevOps teams often continue to struggle with the balancing act between security tools that are either too tight or too lax. Opting for overly sensitive security monitoring tools typically results in a deluge of alerts and false positives. On the other hand, a security tool that is supposedly designed to highlight only those alerts that deserve immediate attention all too often bury vulnerabilities and even word of potential breaches.

Once alerts are detected, and even hierarchical, remediation remains a slow manual process.

Even the most apt security tool will often send a list of security fixes that need to be made. The dilemma is when and how to prioritize which security job ticket to tick off first. To this end, security tool provider Snyk has sought to improve its security platform to better enable security teams, DevOps teams, and especially, developers to fix the code on a more fine-tuned and hierarchical add-needed basis.

Snyk this week has added to its platform what it calls “instant prioritization” and “deep application context” capabilities. With the help of machine learning capabilities and by continually updating its vulnerability database — Snyk says the size of its vulnerability database has increased 394%  during the last four years — alert triage is better targeted, the firms says.

One example is that what might have been considered a low priority vulnerability in the past suddenly rises to the top of the list of fixes that must be made to application code. This scenario might occur when the vulnerability is suddenly massively exploited while the organization is part of the targeted industry. Other vulnerabilities are prioritized according to how they might affect a specific organization’s application development or infrastructure.

The third main improvement is the ability to pre-configure alerts and remediations according to specific governance policies. These are embedded in the Snyk platform by the organization’s DevOps team. A bank, for example, may need to pay more attention to plugging certain vulnerability holes, such for data storage governance than other organizations that has less liability for customer-stored data.

As has previously been the case, Snyk’s alerts and fixes are targeted at the developer. Instead of the security team parsing through the alerts, assigning job tickets, patching code themselves or communicating the fixes to the developer, the alerts and fixes are communicated directly to the developer. Pull requests are automatically opened on GitLab or GitHub in the repository, while the remediation process is then completed after testing and implementation to the deployed application code.

The process is intended to give more autonomy and visibility to the developer, Aner Mazur, chief product officer, Snyk told The New Stack. “Instead of just fixing the random 10 vulnerabilities out there — some of which could be irrelevant — developers are actually fixing something that matters and it makes them fix more. So it’s not only ‘hey, there’s an allowance of 10 vulnerabilities to fix, which should we fix?’” Mazur said. “But over time, it creates a culture where there’s very positive feedback that whoever is fixing can say ‘hey I feel that I’m fixing issues that matter, and since it’s actually not that hard. I’ll fix more so this really helps push in the culture of fixing, and eventually drives more fixes.’”

This week’s release offers just that much more autonomy for the developer to protect code before applications occur, through better prioritization of fixes that must be made, Mazur said.

“What we’re launching is a group of offerings and features that all provide and support powerful prioritization for the organization,” Mazur said.

Pricing is variable according to the number of users and is billed on a per-seat basis.

Snyk and GitLab are sponsors of The New Stack.

Feature image via Pixabay.

At this time, The New Stack does not allow comments directly on this website. We invite all readers who wish to discuss a story to visit us on Twitter or Facebook. We also welcome your news tips and feedback via email: feedback@thenewstack.io.

A newsletter digest of the week’s most important stories & analyses.