Snyk today at its SnykCon 2020 conference announced a static application security testing (SAST) tool dubbed Snyk Code, which incorporates an interpretable machine learning semantic code analysis engine the company gained through its acquisition of DeepCode earlier this year.
The company also announced it has extended its alliance with Docker Inc. to become the exclusive provider of security insights for both Docker Official Images and future content certification programs from Docker. Available via Docker Hub, Docker Official Images are a collection of 166 curated container images that developers frequently reuse.
At the same time, Snyk today announced it has integrated its vulnerability database with the IT monitoring service provided by Datadog as well as the IBM Cloud service.
Snyk President Guy Podjarny said Snyk Code is aimed specifically at developers as part of an effort to advance the adoption of best DevSecOps practices. It provides visibility into application source code, open source libraries, container infrastructure and infrastructure as code to enable developers to better secure applications as they are being built.
The company claims Snyk Code is up to 50 times faster than traditional SAST solutions, which would represent a major boost in productivity for developers who often don’t have the patience required to scan code as much as IT security teams would prefer.
Snyk Code also refines its machine learning models using the company’s curated vulnerability database to significantly reduce false positives. It also automatically models application programming interfaces (APIs) based on the best practices observed by the platform.
Snyk Code is also designed to be integrated with CI/CD platforms to streamline DevSecOps workflows.
Podjarny said Snyk went beyond simply productizing the DeepCode tool to incorporate capabilities that would specifically appeal to developers rather than cybersecurity teams. Given the volume of code that needs to be scanned before and after code is deployed in a production environment, Podjarny said it’s apparent that DevSecOps isn’t going to be achieved without augmenting developers with artificial intelligence (AI) tools.
It’s not clear at what rate responsibility for IT security is shifting left toward developers. Beyond simply providing developers with the tools required to analyze code, the workflows that DevOps and cybersecurity teams currently rely on must be better integrated. That’s a challenge, because the current rate at which DevOps teams are updating applications typically exceeds the ability of a limited team of cybersecurity professionals to keep pace. The days when cybersecurity teams could have weeks to review an application before it was deployed are all but over.
It may take a while for DevOps teams to gain confidence in AI tools. However, it’s clearly not feasible for human developers to identify every potential vulnerability within thousands of lines of code running on multiple platforms, each of which can have any number of vulnerabilities that developers are not likely to know much about. As such, it’s not so much a question of if AI will play a major role in enabling DevSecOps as when.