Snyk today announced it has agreed to acquire DeepCode as part of an effort to apply artificial intelligence (AI) to DevSecOps.
DeepCode has developed an interpretable machine learning semantic code analysis tool that scans code anywhere from 10 to 50 times faster than existing approaches. DeepCode currently supports Java, JavaScript, Python, TypeScript and C/C++ programming languages. Developers get started by connecting the DeepCode bot to their GitHub, BitBucket or GitLab accounts or directly within their integrated development environment (IDE). DeepCode then immediately starts reviewing each commit with no additional coding required. The bot is currently free for teams of up to 30 developers.
Snyk CEO Peter McKay said those machine learning algorithms dramatically reduce both false negatives and false positives as they learn the application environment. That code scanning occurs in real time, thanks to a Datalog solver developed by DeepCode, which McKay said means code scanning can now keep pace with the rate at which applications are being developed.
While there is widespread agreement that more responsibility for application security needs to shift left toward developers as part of any effort to embrace DevSecOps best practices, getting the right security tools into the hands of developers has been a challenge. Developers tend to resent having to wait for security scans to complete, especially at a time when the rate at which applications are developed and deployed has accelerated as organizations embrace digital business transformation more aggressively.
In effect, code scanning as implemented today is often viewed as a bottleneck. That issue goes away, however, if scanning can occur in real time. Armed with that data, it then becomes possible to prioritize which vulnerabilities to address in code first and, in some cases, to automate bug fixes.
In an ideal world, security will become a natural extension of any quality assurance process implemented by a DevOps team. The challenge right now is bridging a cultural divide between DevOps and cybersecurity teams, whose workflows operate at dramatically different cadences. The more automated the code scanning process becomes at the front end, the fewer security issues these teams will need to address as applications are being deployed or, worse yet, after they are already running in a production environment.
Fresh off raising an additional $200 million in funding that was used in part to acquire DeepCode, Snyk claims there are already 1.5 million developers using its tools worldwide and that its revenue grew 275% in the last year. Privately held, Snyk claims to have a valuation of $2.6 billion. The next challenge is to expand adoption of Snyk tools across the roughly 24 million developers that are writing code today, said McKay. As part of that effort, Snyk recently formed technology alliances with both Red Hat and Docker Inc.
Naturally, it may take some time for that goal to be realized. However, with more developers now being held accountable for security, the chances are good that many of them will soon be looking to ruthlessly automate security in much the same way they are moving to automate every other aspect of IT.