Software developers rarely have it easy. From writing, editing and pushing code to fixing the bugs and security issues that show up in production, the expectations most organizations have of their dev teams are immense.
The “shift-left” approach was conceived to root out security problems at the earliest stage of development, but in some ways it has added to the complexity facing developers.
“The landscape is changing, both developer and security; it’s just not what it was before,” said Liran Tal (pictured), director of developer advocacy at Snyk Ltd., a developer-focused all-in-one platform for securing code, dependencies, containers and infrastructure as code. “And what we’re seeing is developers need to be empowered. They need some help, just working through all of those security issues, security incidents happening, using open-source, building cloud-native applications.”
The modern development arena is changing, and so a few mainstay practices don’t quite apply as seamlessly as they used to. Proactivity is an element that’s missing in the traditional shift-left process and is desperately needed in today’s landscape, according to Tal.
Tal spoke with Lisa Martin, host of theCUBE, SiliconANGLE Media’s livestreaming studio, in advance of the upcoming AWS Startup Showcase: Open Cloud Innovations event. They discussed the modern app security threat landscape and how devs can conveniently stay in front of any threats. (* Disclosure below.)
Easing developer frustration
Snyk’s developer security platform funnels directly into development tools, workflows and automation pipelines, making it easy to spot vulnerabilities and security threats ahead of time, according to Tal, whose job is squarely focused on helping developers take full advantage of the platform’s wealth of security and DevOps features.
“What we needed to do is basically put those developer security tools, which is what Snyk is building, this whole security platform” into the developers’ hands at the scale and speed required, Tal added. “So, for example, instead of just finding security issues in open-source dependencies … you can actually open a pull request to your source code’s version and management systems,” Tal explained.
Another part of Snyk’s rapid-response approach to detecting code vulnerabilities is embedding extensions within integrated development environments. In doing so, security issues and probable points of failure are detected the moment work is saved. This is a sharp contrast to other application security testing tools that run in the background and deliver summarized reports after a set time. Snyk’s approach is especially valuable given that developers today work on faster timelines than ever before and need to deploy quickly and constantly.
In the end, the platform makes it such that developers don’t have to be security experts. By showing them the detected vulnerabilities and providing the tools and knowledge to fix those issues, Snyk is actively making devs more efficient, Tal pointed out.
In other aspects of bridging the security knowledge gap for developers, there are also knowledge resources made available to safeguard setups like complex databases from known vulnerabilities.
“As a highlight, there’s a myriad of references that provide users with things like the pull requests, fix dates, or the issue with where the vulnerability was discussed. Having all this information at hand allows for better context as to what made the vulnerability happen,” Tal stated.
Bringing developers and security experts into a team
The software development and security functions of an organization aren’t rendered completely separate from each other anymore. Consequently, organizations must work toward “creating a more cohesive environment for both these kinds of expertise to synergize towards mitigating security issues,” according to Tal.
Snyk has partnered with Amazon Web Services Inc. for years now. Thus, there is a wide range of integrations within the platform, from the source code editor to code commits and container registries.
“So at the end of the day, Snyk is there to help users out and make sure that if we find any potential issues, anything from licenses to container vulnerabilities or just open-source code, it’s mitigated at the source,” Tal explained.
The recent Log4Shell vulnerability was found in the Java library called Log4J. Through a combination of teams manually tracking such disclosed events and an autonomous intelligence platform, Snyk is made aware of such vulnerabilities through notifications on the Chatter API.
“And at that point, before it goes to CVE requirement and things like that … we find vulnerabilities really fast and can add them to the database. In summary, this was what we did with Log4Shell,” Tal stated.
As part of Snyk’s recent commitment to further reach and improve the experiences of 28 million devs worldwide, the company has leaned heavily into the power of community and shared experiences. One example is its developer website, which is a community of security and coding professionals trying to learn from each other. Another is the company’s new slew of developer events, one of which is titled “The Big Fix” and slated to launch February 25.
Watch the complete video interview below, and be sure to check out more of SiliconANGLE’s and theCUBE’s coverage of the AWS Startup Showcase: Open Cloud Innovations event. (* Disclosure: Snyk Ltd. sponsored this segment of theCUBE. Neither Snyk nor other sponsors have editorial control over content on theCUBE or SiliconANGLE.)
Photo: SiliconANGLE