Why developer-centric security is needed from the start, from DevSecOps pioneer Snyk



Developers (and thus organizations) are increasingly relying on open source code for its ease of use and its collaborative, evolving, flexible and cost-effective nature. According to one estimate, 78% of the code in codebases is open source.

At the same time, it is at risk from a slew of security vulnerabilities: at least 81% of codebases containing open source components contain at least one vulnerability.

This has led to DevSecOps, a method that introduces security earlier in the software development lifecycle.

“Software applications are built with developers acting as part of a modern assembly line where they create applications by reusing software code from many places,” said Peter McKay, CEO of developer security platform Snyk. “So that means that every piece of code they use could contain security vulnerabilities.”


To strengthen its platform and increase developer participation in the security process, Snyk this week announced a $196.5 million Series G funding round. This brings the company’s valuation close to $7.4 billion.

“In the creative process, developers don’t have to worry about security vulnerabilities,” says McKay. “They need flexibility, efficiency and peace of mind to do their best work.”

Security in the hands of developers – now

Developer-first security makes tools available to development teams by enabling scanning, testing, and remediation within development environments.

The concept is rapidly gaining ground: the DevSecOps market is expected to grow to $23.4 billion by 2028, up from $2.5 billion in 2020. Top companies in the space include Mend (formerly WhiteSource), Veracode, Lacework, Sysdig and CrowdSec.

As McKay noted, security concerns are compounded by the fact that “the role of the developer is becoming an even bigger piece of the success puzzle for an organization.”

Amid the battle to hire strong cybersecurity talent, the number of developers worldwide is expected to grow to 45 million by the end of the decade (from an estimated 24.5 million today).

“We can’t just pull our way out of this crisis – we need to put security in the hands of developers now,” said McKay.

Security embedded in the development lifecycle

Snyk, which claims to have pioneered developer security, helps remove vulnerabilities that would otherwise hold up development, and does so without slowing developers down, McKay said.

The Snyk SaaS platform lets developers identify vulnerabilities and license violations in open-source dependencies, containers and Kubernetes applications. Users connect their code repository – GitHub, GitLab or others – and Snyk checks it against its vulnerability database to identify and describe each issue, point out the affected code and suggest fixes.

While new security tools and controls can slow down development and make developers wary, Snyk says it speeds the process up by embedding security into the development lifecycle and IT workflow. The company also says its platform draws on “the very latest” security intelligence.

Helping developers build stronger security programs ultimately allows them to focus more on their own innovation and priorities, McKay said.

Forever changed by Log4j

It is no exaggeration, McKay said: the software supply chain was forever changed by the Log4j vulnerability last December.

“That turning point highlighted the vital need for developers to use security tools to identify vulnerabilities in their projects,” said McKay.

As more vulnerabilities were discovered and patched in the weeks that followed, Snyk quickly added a “Critical Severity” warning to its vulnerability database and customers began fixing them, he explained. Developers could act on vulnerabilities as soon as they were discovered, with new entries added to the Snyk database within hours.

He pointed out that cybersecurity is ultimately all about education and collaboration.

Organizations need to be aware of best practices to secure their software development lifecycle, he said. They need to create inventories, or software bills of materials (SBOMs), that detail exactly what’s in every application they build or sell.
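The workflow described above and in the earlier description of the Snyk platform, an inventory of what is in an application cross-referenced against a vulnerability database that reports severity and a fix version, as an added Python example. This is not Snyk's code and not code from the original article: the manifest, the advisory entries, the package names and the advisory IDs are all constructed for illustration and describe no real vulnerabilities, and the CycloneDX-shaped inventory is a simplified subset of the real SBOM format.

```python
import json
import re

# Constructed manifest in requirements.txt style. Package names are fictional.
MANIFEST = """\
# constructed example manifest
acme-http==2.14.1
acme-parse==1.1.2
acme-util==3.0.0
"""

# Constructed advisory feed. IDs, packages and ranges are made up for this
# example and describe no real vulnerabilities. "introduced" is inclusive,
# "fixed" is exclusive, and None means no fixed release exists yet.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "acme-http", "severity": "critical",
     "introduced": "2.0.0", "fixed": "2.15.0"},
    {"id": "EXAMPLE-0002", "package": "acme-parse", "severity": "medium",
     "introduced": "0", "fixed": "1.1.2"},
    {"id": "EXAMPLE-0003", "package": "acme-util", "severity": "high",
     "introduced": "3.0.0", "fixed": None},
    {"id": "EXAMPLE-0004", "package": "acme-other", "severity": "low",
     "introduced": "0", "fixed": "9.9.9"},
]

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Matches exact pins such as "name==1.2.3", optionally followed by a comment.
PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*==\s*([0-9][0-9.]*)\s*(?:#.*)?$")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1). Tuples compare numerically, so '2.9' sorts
    before '2.15' (string comparison would get this wrong)."""
    return tuple(int(part) for part in text.split("."))


def parse_requirements(text):
    """Return [(name, version), ...] for every pinned line; skip comments and blanks."""
    components = []
    for line in text.splitlines():
        match = PIN_RE.match(line)
        if match:
            components.append((match.group(1).lower(), match.group(2)))
    return components


def build_sbom(components):
    """Build a minimal CycloneDX-shaped inventory (a subset of the real schema)."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "components": [
            {"type": "library", "name": name, "version": version,
             "purl": f"pkg:pypi/{name}@{version}"}
            for name, version in components
        ],
    }


def is_affected(version, advisory):
    """True when introduced <= version < fixed (or no fix exists yet)."""
    v = parse_version(version)
    if v < parse_version(advisory["introduced"]):
        return False
    fixed = advisory["fixed"]
    return fixed is None or v < parse_version(fixed)


def match_advisories(sbom, advisories):
    """Cross-reference the inventory with the advisory feed, worst severity first."""
    by_name = {}
    for advisory in advisories:
        by_name.setdefault(advisory["package"], []).append(advisory)
    findings = []
    for component in sbom["components"]:
        for advisory in by_name.get(component["name"], []):
            if is_affected(component["version"], advisory):
                findings.append({
                    "advisory": advisory["id"],
                    "severity": advisory["severity"],
                    "package": component["name"],
                    "installed": component["version"],
                    "fix": advisory["fixed"] or "no fixed release yet",
                })
    findings.sort(key=lambda f: SEVERITY_RANK[f["severity"]])
    return findings


if __name__ == "__main__":
    sbom = build_sbom(parse_requirements(MANIFEST))
    print(json.dumps(sbom, indent=2))
    for finding in match_advisories(sbom, ADVISORIES):
        print(f"{finding['severity'].upper():8} {finding['advisory']} "
              f"{finding['package']}@{finding['installed']} -> fix: {finding['fix']}")
```

The boundary handling is the part worth checking in any real scanner: a component pinned at exactly the fixed version (acme-parse 1.1.2 here) must not be reported, and a component whose advisory has no fixed release yet must still be reported so the team can decide whether to remove or mitigate it rather than wait for a patch.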

They must also follow industry and government guidance (for example, the recent White House guidance on SBOMs), which advises them to keep a close eye on what is being compiled into the applications they build and/or use.

“In terms of collaboration, organizations need to ensure that their development, IT and security teams are all working together without getting in each other’s way,” said McKay.

Fixing supply chain failures in real time before hackers can exploit them could prevent a catastrophic event like Log4j, he said.

“Enterprises need to embrace a culture of developer security operations where developers, security professionals and operations teams develop strong collaboration and work together to discuss, detect and remediate vulnerabilities before the damage happens,” said McKay.

VentureBeat’s mission is to become a digital city plaza where tech decision makers can learn about transformative business technology and execute transactions. Discover our Briefings.