Trend Micro today announced an alliance with Snyk through which alerts about vulnerabilities in open source code will be passed on to the tools Trend Micro makes available to apply virtual patches to both monolithic and microservices-based applications.
Snyk provides a tool that identifies and fixes vulnerabilities and license violations in open source dependencies and container images. Trend Micro COO Kevin Simzer said his company leverages the alerts generated by Snyk to inform developers and cybersecurity professionals where virtual patches need to be applied.
Virtual patches are a capability Trend Micro developed to enable IT organizations to address a vulnerability by applying a security policy that limits access to a specific piece of code until a developer can update a monolithic application or replace the containers housing vulnerable code within a set of microservices.
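The mechanism described above, as an added example that is not Trend Micro's or Snyk's own code: a minimal "virtual patch" policy layer. A dependency alert names the package, the first fixed version and the application routes that exercise it; the policy denies requests to those routes while the deployed version is still below the fix, and the deny rule lifts itself once the dependency is updated. The package name, alert id, routes and version numbers are constructed, and the alert shape is a simplification rather than Snyk's real report schema.

```python
# Added example (not Trend Micro's or Snyk's own code): a minimal "virtual patch"
# policy layer. Names, routes and version numbers below are constructed.
from dataclasses import dataclass, field


def parse_version(text):
    """Turn '4.17.15' into (4, 17, 15) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class VulnAlert:
    """One dependency alert, in the spirit of what a scanner such as Snyk
    reports (constructed and simplified here, not Snyk's real schema)."""
    alert_id: str
    package: str
    fixed_in: str              # first version that is no longer vulnerable
    affected_routes: tuple     # application routes that exercise the package


@dataclass
class VirtualPatchPolicy:
    """Denies requests to routes that exercise a still-vulnerable dependency.
    The deny rule lifts itself once the deployed version reaches fixed_in."""
    deployed_versions: dict    # package name -> version string currently running
    alerts: list = field(default_factory=list)

    def ingest(self, alert):
        """Accept a new alert from the scanner feed."""
        self.alerts.append(alert)

    def open_alerts(self):
        """Alerts whose package is deployed at a version below the fix."""
        return [
            a for a in self.alerts
            if a.package in self.deployed_versions
            and parse_version(self.deployed_versions[a.package]) < parse_version(a.fixed_in)
        ]

    def decide(self, route):
        """Return ('deny', alert_id) if the route is shielded by a virtual
        patch, otherwise ('allow', None)."""
        for alert in self.open_alerts():
            if route in alert.affected_routes:
                return ("deny", alert.alert_id)
        return ("allow", None)


def demo():
    """Walk through one alert lifecycle: shielded, unaffected route, then fixed."""
    policy = VirtualPatchPolicy(deployed_versions={"example-lib": "1.4.2"})
    policy.ingest(VulnAlert("ALERT-PLACEHOLDER-1", "example-lib", "1.4.5",
                            affected_routes=("/api/merge",)))
    before = policy.decide("/api/merge")        # vulnerable version deployed: deny
    untouched = policy.decide("/api/health")    # route does not touch the package: allow
    policy.deployed_versions["example-lib"] = "1.4.5"
    after = policy.decide("/api/merge")         # fix deployed: deny rule lifts
    return before, untouched, after


if __name__ == "__main__":
    print(demo())
```

The policy only limits exposure to the vulnerable code path; the vulnerable dependency is still present until the application or container is rebuilt, which is why the example keys the rule on the deployed version rather than on a manual switch.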
By working more closely with Snyk, Trend Micro is trying to increase the appeal of its approach to virtual patching among DevSecOps teams, said Simzer. It is not possible for most developers to address, in a timely manner, every vulnerability that surfaces. Virtual patching allows DevSecOps teams to establish which vulnerabilities need to be addressed immediately while using virtual patches to protect applications from less severe vulnerabilities until they can be addressed during a DevOps cycle. To advance those capabilities, Simzer noted Trend Micro has already integrated its security offerings with continuous integration/continuous deployment (CI/CD) platforms such as Jenkins.
Simzer said it will take a while for most cybersecurity professionals to trust developers to address cybersecurity issues during the application development process. However, virtual patches provide a mechanism through which both cultures can collaborate more closely without compromising the rate at which applications are built and deployed. The primary reason developers tend not to pay as much attention to cybersecurity issues as everyone would like is the deadline pressure most of them are operating under. However, as responsibility for application cybersecurity continues to shift left, more developers are trying to address these issues earlier in the application development process.
More than 16,000 enterprise IT organizations are already using Trend Micro security offerings to secure both monolithic applications and cloud-native applications based on containers, said Simzer, adding that this footprint puts Trend Micro in a position to help organizations embrace best DevSecOps practices.
Of course, Trend Micro is not the only cybersecurity vendor with similar ambitions. The challenge many organizations will face is defining which processes are best handled by developers invoking application programming interfaces (APIs) versus cybersecurity professionals who are more comfortable employing graphical user interfaces (GUIs). There may come a day when more cybersecurity professionals are able to write code, but for now the two camps could not be further apart in terms of the tools they prefer to use. For IT security vendors such as Trend Micro, that means that for the foreseeable future they will continue to need to build GUIs alongside APIs.