Monday, 25 October 2021 14:23

Snyk expands DevSecOps tool range

Snyk APJ head of solutions engineering Lawrence Crowther

Security tool vendor Snyk recently added code scanning to its range of tools for DevSecOps practitioners.

Snyk (pronounced "sneak") was founded in 2015 by Guy Podjarny, and offered an open source dependency scanner so developers could easily see if there were any known vulnerabilities in the open source code they used in their software. Importantly, the scan is recursive, so it not only checks the libraries used by the developer, but the libraries used by those libraries, and so on.

Since then, Snyk Open Source has been joined by three other tools – Snyk Container (to find and fix vulnerabilities in container images and Kubernetes applications), Snyk Infrastructure as Code (to find and fix insecure configurations in Terraform and Kubernetes code), and recently Snyk Code (to find and fix vulnerabilities in the developer's own code).

All four run on a single platform, explained Snyk APJ head of solutions engineering Lawrence Crowther, so it is possible, for example, to apply global policies across the software development lifecycle.

Furthermore, Snyk is developer focussed, he said, so the platform integrates with common developer tools – IDE, source control, CI/CD, etc – so "the tool does the heavy lifting for them" and the developer can then concentrate on fixing the problem rather than finding it.

"We started with the digital natives" because for them, DevSecOps is a natural extension of DevOps, but now the company is addressing the enterprise market including the financial services sector. Local Snyk customers include Afterpay and Australia Post.

"DevSecOps is a bit of a buzzword," Crowther admitted, but one of the company's goals is to bake security into DevOps so that in a few years the security part will be a first class citizen of every project.

But "you need to do DevOps right before you do DevSecOps," he warned.

The broad adoption of cloud has led to the adoption of different architectures (vs traditional monolithic applications), and this means the security of all the components must be properly addressed.

For example, it's easy to get started with Kubernetes, he said, but it has a range of security implications and so DevOps teams need to step back and think about issues such as ensuring only the correct ports are open, that files aren't inappropriately exposed, and that the exactly correct privileges are assigned.

There's a cultural issue here, Crowther suggests, because developers need to take ownership of security – not only of the code they write, but right down to the infrastructure level.

One way this can be addressed is by moving security specialists into application security roles, but this means they will need to understand engineering practices, DevOps workflows, and so on. Consequently, there aren't many people who can be slotted immediately into such roles.

So organisations need to find ways to provide developers with security guidance (e.g. "how to avoid SQL injection flaws") and should invest in reskilling, including giving developers sufficient time to learn and absorb this knowledge.

Australian organisations are behind the US, but ahead of most of the APAC region, said Crowther. However, they are generally not getting to grips with the proper checking of open source code.

A typical project now contains around 10% locally developed code, with the other 90% being open source, he said. But that 90% depends on other open source libraries, and if a project explicitly uses 10 libraries it could be implicitly using another 1000.

Without proper checking, you're "just trusting the internet," he said.

A further problem is that most tools for checking open source libraries only go one level down. In contrast, Snyk Open Source traverses the entire dependency tree, according to Crowther.
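To illustrate the difference between a one-level check and a full traversal of the dependency tree, here is an added example (not Snyk's code or any real scanner): a constructed lockfile-style dependency graph and a constructed advisory list, walked both ways so the transitive finding and the path that pulls it in become visible.

```python
# Added example, not Snyk's code: walk a constructed dependency graph fully
# (transitively) and flag packages that appear in a constructed advisory list,
# reporting the path through which each vulnerable package was pulled in.
from collections import deque

# Constructed sample graph: (package, version) -> the (dependency, version)
# pairs it declares. Real lockfiles carry the same shape.
DEP_GRAPH = {
    ("app", "1.0.0"): [("web-framework", "4.2.0"), ("logger", "2.1.0")],
    ("web-framework", "4.2.0"): [("http-parser", "1.3.0"), ("template-engine", "3.0.1")],
    ("logger", "2.1.0"): [("string-utils", "0.9.0")],
    ("http-parser", "1.3.0"): [("string-utils", "0.9.0")],
    ("template-engine", "3.0.1"): [("web-framework", "4.2.0")],  # deliberate cycle
    ("string-utils", "0.9.0"): [],
}

# Constructed advisory list: (package, vulnerable version) -> placeholder id.
ADVISORIES = {
    ("string-utils", "0.9.0"): "ADVISORY-PLACEHOLDER-1",
}

def direct_dependencies(root):
    """One-level check: only the dependencies the project declares itself."""
    return list(DEP_GRAPH.get(root, []))

def transitive_dependencies(root):
    """Breadth-first walk of the whole tree, visiting each (name, version) once.
    Returns {(name, version): path_from_root} for every reachable package."""
    seen = {}
    queue = deque([(root, [root])])
    while queue:
        node, path = queue.popleft()
        for dep in DEP_GRAPH.get(node, []):
            if dep in seen:
                continue  # already reached; this also breaks dependency cycles
            seen[dep] = path + [dep]
            queue.append((dep, path + [dep]))
    return seen

def find_vulnerable(root, one_level_only=False):
    """Return sorted [(name, version, advisory_id, path)] for reachable vulnerable packages."""
    if one_level_only:
        reach = {d: [root, d] for d in direct_dependencies(root)}
    else:
        reach = transitive_dependencies(root)
    return sorted(
        (pkg[0], pkg[1], ADVISORIES[pkg], "->".join(f"{n}@{v}" for n, v in reach[pkg]))
        for pkg in reach if pkg in ADVISORIES
    )

if __name__ == "__main__":
    print("direct only:", find_vulnerable(("app", "1.0.0"), one_level_only=True))
    print("full tree:  ", find_vulnerable(("app", "1.0.0")))
```

The one-level check returns nothing, while the full walk finds the vulnerable package two levels down and names the chain that introduced it.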

Similarly, downloading a container image from Docker Hub is a risky business without due diligence. It might purport to contain something simple such as a Linux distribution and Node, but have other libraries been planted in it, and are there any old libraries that should have been updated?

Lots of blind spots exist, he warned, so it is important to check all dependencies.

If you're not sure whether Snyk's products are right for you, or if you only work on a small project, the company offers a 'free forever' plan that has a monthly limit of 200 Open Source tests, 100 Container tests, 300 Infrastructure as Code tests, and 100 Code tests.

Otherwise, prices start at $115 a month for five developers using Snyk Open Source.

And if you have your eye on job opportunities, Crowther said Snyk will be hiring sales, solutions engineering and support staff in 2022, in part to staff a planned Canberra office that will augment the existing operations in Sydney and Melbourne.


Stephen Withers

Stephen Withers is one of Australia's most experienced IT journalists, having begun his career in the days of 8-bit 'microcomputers'. He covers the gamut from gadgets to enterprise systems. In previous lives he has been an academic, a systems programmer, an IT support manager, and an online services manager. Stephen holds an honours degree in Management Sciences and a PhD in Industrial and Business Studies.
