Simon Maple, field CTO at Snyk, discusses the importance of embedding security into the development stage.
Could you tell us a little bit about the company and what you guys do?
Absolutely. Snyk’s a seven-year-old developer-focused company that happens to specialise in security. So seven years ago it realised there’s a big gap where developers were the ones who needed to focus on security. They’re the ones who actually fix issues. And so we decided the fix here is to create a developer tool that helps developers fix security issues, rather than quality issues or performance issues for example.
So that’s what we did. We came out with a tool focused on third-party vulnerabilities at the time, that really built itself into the developer workflow, giving developers remediation advice, etc, on how to fix those. And, today, we’ve grown into a platform that covers everything from your first-party code, third-party code, containers, infrastructure, cloud environments and more.
What has the company been up to recently?
Well, there’s been a lot going on, particularly in growing the platform that I mentioned. There are a lot of new features being added. I’d say, over the last year or so, some of the big things that we’ve released, or that we’ve done, is Snyk Learn – a really interesting new module that appeared on the platform, which really gives developer education at the point in time, at the source, where the developer most needs it.
So they run a scan, they identify a vulnerability, maybe it’s cross-site scripting. What does that mean to a developer? So there’s a module there that they go into, and it tells them, as a developer, what they need to know, how to exploit those kinds of issues, how they can defensively code against it. So Snyk Learn is a really interesting way of helping enable and educate developers at the point at which they need to know.
We’ve made a couple of acquisitions. Snyk Fugue was an acquisition, which is a Cloud Security Posture Management (CSPM) solution – a very developer-focused CSPM solution – which joins the Snyk platform, as Snyk Cloud. We also acquired a company called TopCoat, which is a company that very much focuses on things like reporting and analytics. So that’s going to be a really great addition to the Snyk platform as well.
Snyk released open source C++ support in its open source scanning. So identifying packages, C++ and C libraries and packages, as well as its existing set of support, and, of course, many, many new languages on Snyk Code, as well as our first-party solution. So, across the board, we’ve been doing a lot of work – new products, new acquisitions and new features as well.
In September 2021, the company raised £380 million, and the suggestion was that a lot of that money will be used to expand into Asia. How would such an expansion benefit Snyk and its customers?
A lot of the market exists, obviously, all around the world. And it’s important to have a local presence in all of those places. So we’ve done a lot of expansion in the APJ space. We now have offices in Tokyo and Sydney. We have people all over Singapore, as well, people all over that can support our customers and find new business, as well as expansion, in those spaces. So everything from creating, helping to create a new community there, as well as continuing to build the GTM market of Snyk into those spaces as well to best support our clients and customers as much as we can.
More generally, what kind of trends have you noticed developing in cybersecurity?
Interesting question. When we think about the big shift between more security responsibility in general security practices, moving more towards a developer-responsible discipline, it’s very interesting to see the different types of programmes that are created to support that. And one of them is obviously security champions programmes. That’s something that we’ve seen grow and grow, and they’re actually very hard to create and run well.
There are lots without the right support and attention that they need, and without the right core goals. I think some of them can either work very successfully or not really work if they’re not nurtured well enough. But security champions programmes are something which I think is a trend or something that we’ve seen developing. Obviously, that helps with the collaboration between Dev and Sec. It’s really important to formalise that and provide a platform with which that can be done. Other trends: supply chain security is obviously very hot, particularly when we see various aspects of supply chain risks, such as the Log4J or Log4Shell vulnerability and exploit that occurred late last year. These things have really allowed companies to focus on AppSec and focus on what they’re putting into their applications.
And, of course, there are a number of places in which this can be shown. Some people, obviously, looking at your pipeline, some people looking at your open source libraries that you’re putting into your app, your open source packages that you’re putting into your container images. But these kinds of things, including having SBOMs – Software Bills of Materials – whereby you can identify if you’re using a certain package in your production environment, sharing those SBOMs across to different organisations that are using it, that are consuming your products or services.
These are some of the trends that I think we’re seeing more and more of, particularly around that supply chain space and the SBOMs space, encouraged by the US Government, executive orders.
What do you recommend the biggest challenges for DevOps teams are at the moment?
I think the biggest challenge is always collaboration. I think breaking down that silo between Dev and Sec is always going to be the biggest challenge. I had a customer yesterday and they asked me “where should we start with this kind of AppSec programme?” And the answer is always people first because you can get the best tooling in but if your culture and processes aren’t there, the tooling is never going to be used correctly.
So I would say allowing that open collaboration. Making sure the security team have that empathy for your Dev team. Treating Dev teams as individuals. Not every Dev team is the same. Not every Dev team wants the same thing from security support. Providing that education, all these things, I think, are absolutely core. I think those are some big challenges. And another one is visibility. I think a lot of organisations and companies have got to a state whereby they were doing rapid development, agile working in DevOps spaces and delivering into production very, very quickly.
But it’s got to that state where almost a lot of the time security don’t even know where maybe all the repositories exist, or Devs are spinning up CI environments or cloud environments. And does the organisation actually have visibility of everything that is publicly available? So there’s a lot of visibility concerns and challenges that organisations have. And that only adds more to the problems of SBOMs and understanding what software you’re putting into production.
And do you have any top tips for companies trying to improve their collaboration or visibility?
For visibility, it’s all about automation. I think it’s really important to be able to automate into the workflows in the existing environments and stacks that your developers use. If your developers are using, you know, Git repos, make sure you’re automating security into that. If your developers are building CI pipelines, make sure there are almost golden standards, where developers can pick and drop a new stack for a pipeline and include security automation into that.
So I think automation is really critical for your visibility. Tools, like Snyk, can fully automate an import of hundreds of thousands of projects very, very quickly, and get that visibility without affecting the workflow, which is cool because you don’t want to frustrate developers by introducing everything at once. It’s about getting that visibility, and then incrementally improving.
With collaboration, I think this is really a culture thing now. And I think it’s really important that, if programmes like security champions are right for your organisation, they’re definitely something you can try; or security guilds, where it’s more about people who are security curious, who can go chat. And it’s about encouraging that.
But the most important thing, I would say, is to have Security have that empathy for your development teams. Have your development teams have that empathy for security teams, and ultimately have a shared goal. When there’s a shared goal that both Security and Dev are working towards, you can achieve that together. When you’re both working with separate goals, it’s very much harder. You’re much more likely to conflict in this phase.
I heard that Snyk has a team of security researchers who monitor open source systems. Do you know if they have found any particular threats recently?
We have a team of security analysts that, whenever new vulnerabilities come into things like the CVE database, there’s obviously a huge amount of work that needs to be done in validating the accuracy of those kinds of things. Other things whereby doing research into specific areas, to identify where issues have existed and been fixed, but potentially not disclosed. That’s another area where those kinds of vulnerabilities come in.
Another is where we do research into finding vulnerabilities. For example, we disclosed a number of Zip Slip vulnerabilities a few years ago, which was a very interesting, well-known vulnerability, that still found itself into a great number of tens of thousands of libraries. There was one that was found quite recently, which was actually some PyPI malware.
And that was an interesting one, because what it essentially did was it was a library that, under the covers, stole Discord and Roblox credentials, including some payment information. And this was actually only found very recently. So there’s an interesting one, where our security research team found 12 pieces of malware, which belonged to the same actor, which is obviously very, very common, where one malicious user goes in and does something under the same user. But our security team has a number of different roles, and our security research team is always looking for new attack vectors, new malicious entries into the open source world.
Finding issues is just one side of the coin. I think the other piece is the fixing of the issues. So Snyk, obviously, with our security research team, we find these kinds of issues, but even when things have been disclosed, it’s about using the tools. It’s about upgrading your dependencies, relying on maintainers to consume non-vulnerable versions of other libraries. And then application developers consuming the vulnerability-free versions or known vulnerability-free versions of those.
So there are still a lot more hops after finding an issue to actually have those issues removed from the public spaces. But the security team are always trying their hardest to find the next wonderful way in which an attacker has found a new way to breach, attack or exploit something else.
Security must be placed in the hands of software developers. To what extent do you agree with that?
I do. I think one of the most important switches that we’ve seen in recent times is people moving from a slower cadence of delivery to a much faster approach of pushing to production.
Now, one of the big problems with traditional security is that it tends to run first of all, in an audit style capacity, so maybe every six months, nine months, 12 months, or major release. And secondly, it gets run by the security team, whereby they produce a report that is given to the development team. And this is a very hard-to-consume report, which is really just a list of problems rather than a list of solutions. So that mechanism, while it could be considered not the best, most effective way even before today, it just plain doesn’t scale or sit with the speed of development which our businesses need.
So the big question is, how do we include security into development operations so that, for every bit of code that we write, we don’t need to block on any other team, and we can identify and fix those issues as soon as possible. And the only way to really do that without massively increasing the security team and actually providing them with the insights that the development teams need is to embed that into the Dev space. And what that means is providing a Dev tool, because the individual that is using these tools now is switching from Security to Dev. So we no longer need a security tool or an ITSec tool. We need an AppSec tool, a Dev tool, whereby a developer uses it. A developer understands the results. It’s not a report. It’s information that tells them how to fix.
That’s the only way you can scale because you tend to have 100 Devs and one security individual. So think of how many commits that one security individual would need to validate or need to test in order for that to truly scale. So yeah, the only way of scaling security is to embed it into the dev process, and have the developers own that responsibility to test and secure their code.
What kind of plans does the company have for the year ahead?
At Snyk we’re always moving. I mentioned acquisitions. This is a really important one. We announced Snyk Cloud. And every time we make an acquisition, it’s really important for us to really embed that acquisition, new products and new solution, into our platform. We’re not a company that has lots of different products that work differently and are hard to integrate. We have one pane of glass with all our products under it. And that’s one of our core motions going forward.
When we released Snyk Cloud, it was about making Snyk Cloud a part of our platform, accessible in the same way. So that’s a really cool thing. One other thing that I think, if you look at the Snyk platform overall, we’ve got a ton of different modules. Now you have Snyk Code, Snyk Open Source, Snyk Container, Snyk Cloud and more. And one of the things that is really important now is to look at that as a platform and say, how can we use each of those products to really provide great context and information across the scans of those products?
I think there’s much, much more coming in this Snyk platform.