Snyk Adds Second ASPM Tool to Portfolio – DevOps.com

Today, Snyk made available an edition of its application security posture management (ASPM) tool for assessing application risks that provides more context into how code has been written and its role within the application environment.

Manoj Nair, chief product officer for Snyk, said Snyk AppRisk Pro leverages artificial intelligence (AI) and machine learning to provide deeper insights into how applications have been constructed. Snyk AppRisk Pro, for example, can trace insecure portions of deployed applications all the way back to the specific code components.

Armed with those insights, DevSecOps teams can prioritize their remediation efforts more easily, said Nair.

Snyk originally released Snyk AppRisk late last year and then, last January, acquired Helios, a provider of tools for collecting security data from runtime environments via integrations with third-party tools and platforms from Dynatrace, SentinelOne and Sysdig. That capability has now been integrated into Snyk AppRisk Pro.

In addition, Snyk AppRisk Pro adds the ability to scan for secrets in code that cybercriminals might later discover.
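To make concrete what "scanning for secrets in code" involves, here is a small added example written for this page; it is not Snyk's code and says nothing about how AppRisk Pro is implemented. It combines two common detection approaches, fixed patterns for well-known credential shapes (the AWS access key ID prefix `AKIA` is a documented real format; the assignment pattern and the entropy threshold of 4.0 bits are assumptions) with a Shannon-entropy heuristic that catches random-looking strings no pattern knows about. The sample source text is constructed for the example; the one line that reads a token from the environment is there to show that a scanner should not flag it.

```python
import math
import re
from collections import Counter
from typing import List, Tuple

# Fixed credential shapes. The AKIA prefix is the documented AWS access key ID
# format; the generic assignment pattern is an assumption kept deliberately small.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic_assignment": re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}

# Candidate tokens for the entropy heuristic: long runs of base64/identifier characters.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")
# Assumed threshold in bits per character; random keys sit well above it, prose well below.
ENTROPY_THRESHOLD = 4.0

# Constructed sample source; none of these values are real credentials.
SAMPLE_SOURCE = """\
import os
DB_PASSWORD = "hunter2hunter2"
aws_key = "AKIAAAAAAAAAAAAAAAAA"
token = os.environ["API_TOKEN"]
API_SECRET = "ZmFrZS1iYXNlNjQtc2VjcmV0LXZhbHVlLWNvbnN0cnVjdGVk"
session_blob = fetch("q8Zt3vLp0XyNb7RkF2mW9sJd4HcV6eTg")
"""

Finding = Tuple[int, str, str]  # (line number, rule name, matched text)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def scan_line(lineno: int, line: str) -> List[Finding]:
    """Apply the fixed patterns first, then the entropy heuristic to anything not yet matched."""
    findings: List[Finding] = []
    for rule, pattern in PATTERNS.items():
        for m in pattern.finditer(line):
            findings.append((lineno, rule, m.group(0)))
    for tok in TOKEN_RE.findall(line):
        already_reported = any(tok in text for _, _, text in findings)
        if not already_reported and shannon_entropy(tok) > ENTROPY_THRESHOLD:
            findings.append((lineno, "high_entropy_string", tok))
    return findings


def scan_source(text: str) -> List[Finding]:
    """Scan a whole file's text; line numbers are 1-based to match editor output."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        findings.extend(scan_line(lineno, line))
    return findings


def redact(value: str, keep: int = 4) -> str:
    """Keep a short prefix so a finding is recognisable without copying the secret into a report."""
    return value[:keep] + "*" * max(0, len(value) - keep)


if __name__ == "__main__":
    for lineno, rule, text in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {rule}: {redact(text)}")
```

Run as a script, the sample produces four findings: the password and secret assignments on lines 2 and 5, the AWS-shaped key on line 3 and the high-entropy argument on line 6. Line 4, which reads the token from the environment, produces nothing, which is the behaviour a scanner needs if developers are to trust its results. A production tool adds more patterns, suppresses known test fixtures and reports through the CI pipeline rather than standard output, but the two mechanisms shown here are the core of most secret scanners.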

Snyk has been working closely with Google to apply AI to DevSecOps. Most recently, Snyk announced its support for Gemini Code Assist, a tool for generating code using the Gemini large language model (LLM) created by Google. The integration with Snyk helps identify security vulnerabilities in code before applications are deployed. That’s critical because LLMs are trained using examples of code of varying quality from across the Web. As more code is created using generative AI tools, the probability of vulnerabilities in that code is high because the code used to train an LLM is often flawed. In effect, DevSecOps teams need tools that use AI models to identify vulnerabilities created by other AI models.

Hopefully, as generative AI continues to advance, the overall quality of the generated code will continue to improve. The next generation of LLMs is being trained using code that has been vetted for quality. That's crucial because most of the issues that cybersecurity teams usually need to resolve start with mistakes made by developers, which cybersecurity teams then need to convince those developers to allocate time to fix. Thanks to the rise of DevSecOps best practices, the overall security of software supply chains is improving. The simpler it becomes for developers to identify issues as they write code, the more secure applications will become.

Of course, writing more secure code is only one element of the overall equation. DevSecOps teams will also need to continue to scan code after it’s been added to a build and as updates are made to applications already deployed in production environments. It’s now only a matter of time before more stringent regulations are implemented that will require organizations to attain and maintain higher levels of application security.

The challenge, as always, is modernizing legacy DevOps workflows that typically were designed to build and deploy code as fast as possible rather than ensuring application security requirements are being met.
