Snyk's work with Pearson is a contender for Best Implementation of DevSecOps at the DevOps Excellence Awards
Simon Maple is Field CTO at Snyk: a cloud application security firm that aims to make it easy for developers to think about security. The company's work with education publishing giant Pearson saw it make the shortlist for Best Implementation of DevSecOps at this year's DevOps Excellence Awards, and we chatted to Simon about the project.
Can you provide some background on Snyk - what are you all about?
Hi there, my name is Simon Maple, Field CTO at Snyk. Snyk is a UK-founded company. It is the market leader in cloud-native application security, and it is dev-first. Now what does that mean? We enable over two and a half million developers around the globe to build modern applications securely. Modern practices are required to build applications securely directly into existing development practices.
Now, in today's modern development, infrastructure layers - which previously were part of the IT team's responsibility - have now turned into more of a developer focus. Developers are touching more code like Kubernetes config, Docker files, etc. These are more API requests into cloud land than a request or a ticket into an IT environment. This is now part of the developer mandate, and Snyk's cloud-native app security platform allows developers that visibility into all of that code and config that they touch, but also the visibility to find and fix vulnerabilities - known or in their own code: and that is all the way from code they write through to opensource, to containers and to cloud infrastructure as well.
This is all integrated directly into existing developer workflows where developers live, and we have customers globally. The likes of ASOS, Deliveroo, the Ocado group, Revolut, Skyscanner, and of course, Pearson.
What makes Snyk different from other technology companies?
Snyk's key differentiator against other technology companies is that it's built for developers. At its core we were created to solve the developer security problem, and today we see Snyk being built for developers all around the world. Two and a half million developers use Snyk today.
To enable developers is a crucial issue, which every other security company struggles with. You need to be developer-first from the core. This is all about where you provide developers with the tooling and the knowledge they need; how you provide them with that experience; and what information you give them at their fingertips. That's what makes a developer-first approach.
Our cloud-native appsec platform is unique in the industry as the only true developer-first solution for cloud-native applications, and that is integrated throughout the DevOps workflows and DevOps pipelines that exist in modern development software today.
At its core we have our industry-leading vulnerability database and rules database, and that is maintained by our expert Snyk security research team. It is a combination of information gathered from public sources, contributions from the developer community, proprietary research and machine learning, to allow us to continually keep up to date and adapt to the changing nature of different security threats.
This security database is used by many of our partners, including Atlassian, Datadog, Docker, IBM Cloud, Rapid7, Red Hat, Trend Micro - the list continues.
Can you tell us about your entry?
So, our entry into the DevOps Excellence Awards is extremely important to us, and we worked with Pearson on this, and Pearson found out from an early stage that their existing methods with a small security team were just not compatible with their geographically dispersed organisation and teams. Lack of consistency, restrictions with time and it being very labour-intensive - it was very, very challenging to scale existing security practices across their organisation.
Pearson needed to leverage their small security team to continue using the right mix of that talent to operate, but [also] to embed this consistent security solution at scale across the Pearson organisation: to enable developers to handle this security work across hundreds of teams, but to do it in a self-serve way: to be able to enable the development teams to do that themselves.
So, Pearson chose to work with Snyk, and in this partnership it led to a complete DevSecOps transformation within their business. They design with security in mind at every stage of that development process. They tracked development teams within Pearson to understand how each development team worked and what their specific requirements were; this enabled developer adoption, which is key to any kind of DevSecOps digital transformation. You want to enable developer adoption by providing them solutions that are easy to use, simple to onboard, and make security adoption self-serving: remediation, prioritised actions and recommended fixes were all very high priorities, as well as solving security vulnerabilities at that first line when a developer writes their code.
Today Pearson is a leader in the adoption of DevSecOps: hundreds of applications with different tech stacks, now working in a DevSecOps manner, with integrations with numerous dependency management tools absolutely being critical to that adoption breadth across the platform - and Snyk seamlessly fitting into the DevSecOps, DevOps, CI-CD workflows and pipelines was crucial to that. The developer buy-in and adoption, providing that depth in every stack, was what made it so useful and what made it so trustworthy to developers that they actually rely upon the advice, the remediations, and perform those fixes to be more secure.
What single company achievement in the last 12 months are you the most proud of?
Over the last 12 months, our biggest achievement would be the release of Snyk Code, which is a major extension to our product set and a great boost to developer productivity.
Snyk Code brings Static Application Security Testing, or SAST as it's sometimes known, and it does that directly into the developer toolset and workflow.
Now, of course, SAST hasn't always had the greatest reputation. It's traditionally been designed for post-development testing, traditionally by security teams. It can be slow, it can take several hours, it's often not particularly accurate, and as a result of wasting developer time with false positives, it can be very, very frustrating.
So Snyk Code reimagines this entirely. It's designed as a developer-first tool in the traditional Snyk way. It's embedded early in the SDLC. It's embedded into IDEs, into source code managers. It provides a platform for developers to build their applications quickly and securely. It does that by real-time testing and offering real-time advice to developers as they're working.
Our customers say it runs 10 to 50 - 10 to 50 - times faster than their previous SAST tools, and it's not a clunky extra step. It's built directly in.
It's super accurate, employing semantic analysis to provide those results. We process vast amounts of data and code to quickly identify patterns of change, which has been learned and grown from our own vulnerability database. So, we're using real 100 per cent vulnerability data to train this up, and that's how we can become very, very accurate.
The engine surfaces those vulnerabilities, those security issues, which is enriched with metadata such as explanations, flows and also examples of how to fix, by communities that have done these fixes and seen these issues before.
It's something we're really, really proud of, and I'm sure developers and application teams are going to love it as well.
What are you working on this year?
We have many different features planned for our cloud-native application security platform, like increased remediation and automation. We do very, very strong depth of our stacks in terms of the support we provide, so we're going to broaden that; we're providing greater language support, especially for mobile developers. Also future improvements in the extensibility of the platform, including making it easier to build into more workflows.
Security should always be free for all developers, so we're continuing to focus on enabling developers worldwide with free Snyk, and we recently added Snyk Code to our free plan as well.
At the market level we're strengthening our go-to-market relationships with our strategic partners; that's Atlassian, AWS, Datadog, Docker, Rapid7 and Trend Micro. So, lots to come.