The open source security platform Snyk has helped over 30,000 customers find and fix open source vulnerabilities. Recently the firm decided to team up with security solutions company Trend Micro to find a new way of working with a global customer base.
Speaking to DevOpsOnline about the partnership, along with the challenges and changes they experience in their roles, Geva Solomonovich, COO at Snyk, and Kevin Simzer, COO at Trend Micro, give an exciting insight into what the new product means.
What challenges do developers face with open source vulnerabilities at the moment?
Geva Solomonovich (GS), Snyk COO: Delivering software quickly and securely; developers can’t stop deployment of their build and need protection until they’re able to prioritise and fix the vulnerabilities. Understanding which components are being bundled (direct and indirect), keeping track of new version releases and knowing when it’s time to upgrade (and what version to upgrade to). Understanding the risks with each open source component, and what can be done to fix them. Knowing which vulnerabilities matter most, and therefore are most urgent to fix first.
In terms of threat intelligence, where do developers tend to allow/miss vulnerabilities?
GS: In the absence of good tooling and not knowing what open source components are being used, developers are vulnerable to the risks associated with them. On their own, developers don’t have time or knowledge to find and fix vulnerabilities in their direct and indirect dependencies. Furthermore, understanding which vulnerabilities are most important to fix first and then triaging how to fix each vulnerability is very time consuming. Automated remediation is key to driving actionability and reducing risk, without slowing down development velocity.
At what point did you realise that something in the status quo needed to change?
GS: When we started Snyk five years ago, we recognised that open source, DevOps and CI/CD, which lead to applications built more rapidly than ever before, would require a new approach to security. The traditional touch points where security teams would “audit” applications and “approve” deployments for just two releases per year simply disappeared. Companies would need to address security without stopping or slowing development. We understood that the only way to do this at scale was to get developers to own the security of their applications as early and often as possible.
We anticipated that a ‘shift left’ approach to security would be needed to capitalise on open source, cloud computing, containers, CI/CD and other modern software development trends. By leveraging Trend Micro and Snyk, developers can shift their security left to test their images during development when it’s easier and much less costly.
What are you doing to tackle these issues?
GS: Build dev-first tools. Focus on actionability and automated remediation.
Kevin Simzer (KS), Trend Micro COO: Specific to this announcement, SnykIntel, Snyk’s proprietary database for open source vulnerabilities, will be integrated into Trend Micro’s Deep Security Smart Check product. To detect the broadest range of vulnerabilities across the development pipeline, Trend Micro’s vulnerability rules for application frameworks and libraries will combine with Snyk’s vulnerability rules for open source packages and dependencies.
Why did you decide to choose to work with Trend Micro?
GS: Trend Micro is a well-established and globally recognised security brand. Snyk and Trend Micro offer complementary approaches to prevention and remediation.
Through the partnership, Trend Micro shields the applications in runtime with its Deep Security (runtime protection) product, and Snyk focuses on fixing the vulnerabilities at the source through developer-first workflows and integrations. For Snyk, this is an opportunity to raise awareness of our brand through Trend Micro’s global customer base, specifically its 16,000 cloud customers, and other channels.
What is going to be the biggest change that you will see through creating a partnership with Trend Micro?
GS: Recognition from a global security leader that Snyk is an important and differentiated security solution, especially in the open source and container market, is great validation for us.
As more organisations build, use and manage containers, the risk and complexity of security vulnerabilities grows. Developers can’t stop deployment of their build and need protection until they’re able to prioritise and fix the vulnerabilities. We’ll also be working closely on co-marketing, joint selling and have plans for future technical integration that will create new opportunities with larger, global enterprises and their security teams.
What do you feel is the best point of the new partnership?
KS: We’re both focused on the bigger problem of allowing customers to ship applications faster and more securely. This is a strategic partnership for both Trend Micro and Snyk, going well beyond a technical integration. The partnership will focus on solving the ongoing challenge that open source dependencies create for developers, stemming from code reuse, public repositories and open source. Together, Trend Micro and Snyk will help businesses manage the risk of open source vulnerabilities without interrupting the software delivery process.
In general, what do you think needs to be done to protect firms from ever growing threats as the world becomes more technologically advanced?
GS: The only way to get security at scale is for developers to own the security of their applications (100:1 dev to security professionals). This means leveraging dev-first security tools that focus not only on scanning for vulnerabilities but also fixing them.
This allows companies to embed security throughout the full development life cycle and specifically much earlier (shift left). To best protect firms from the ever-growing number of threats, ultimately application security must be as simple as possible and provide automated remediation.
What do you see for the future of open source and development?
GS: Companies will increasingly rely on open source, and it will constitute an even larger percentage of the application code. As applications are increasingly built with open source, the attack surface vulnerable to a single exploit from hackers grows. This leads to continued focus from the hacker side, making this problem even more prevalent and critical.
This means that every company is only a single vulnerability away from being the next Equifax. To address this risk, enterprises need best-in-breed, developer-first security tools that engage developers to own the security of their apps, with the ability to not only find vulnerabilities but also fix them.