SnykLaunch April '23: C/C++ expansion, cloud and IaC updates, custom container security, new integrations, and more
April 4, 2023
0 mins readThis month, we hosted our most recent SnykLaunch to announce the latest and greatest in Snyk solutions. As with all of our releases, we continue to focus on adapting security to what we see in modern-day development practices. Compared to only a few years ago, more independent development teams are working faster, along with a far more complex software supply chain, including cloud as part of the code.
Because development practices look so different today, security teams often struggle to keep up. And slowing down development and DevOps to implement outdated security tactics is no longer an option. This is why organizations need developer security to build applications innovatively and securely.
Manoj Nair, Chief Product Officer, and Pat Poels, SVP of Engineering, covered our vision for developer security, including these five principles of developer security that we build the Snyk developer security platform upon:
Developer adoption, enabled by workflow integration, built-in education, and automation.
Focus on fixes with the ability to prioritize, validate, remediate, and automate the finding and fixing of vulnerabilities.
Security scale and depth with coverage, policies, and integrations into your existing security ecosystem.
Coverage for the entire app with a contextual, 360-degree view from code to cloud.
DevSecOps realization with a multi-cloud, unified platform as a single source of truth.
All of these principles were top-of-mind for all of our new features. So without further ado, let’s dive into what our speakers covered at SnykLaunch April 2023!
C/C++ for Snyk Code & Open Source
Roy Ram, Sr. Product Manager for Snyk Code, and Neha Shenoy, Sr. Product Manager for Snyk Open Source, led our first presentation. They covered Snyk’s newest language capability: C/C++ for Snyk Code (our first-party code scanner) and Snyk Open Source (our tool securing third-party components).
We’re excited to provide security coverage for an ecosystem with nearly 40 years of history. It takes a specialized approach to secure C/C++ in a manner that’s usable by developers. Its structure (or lack thereof) differs distinctly from other languages. There are many ways to write code that will achieve the same effect, making it difficult to use simple pattern-matching techniques for identifying security issues. And since C/C++ matured before centralized package management gained wide popularity, identifying the open source modules and licenses in use is a challenge too.
This complex ecosystem needs a new approach to a security solution that is built for developers. But since developers often use C/C++ with several other languages, the solution must go beyond securing this specific language. What is common amongst all languages: failing to use application security tooling tailored to developers leads to low developer productivity, low ROI, increased risk, and, ultimately, an overall lack of visibility into project status.
So, we’re excited to announce the Open Beta of C/C++ for Snyk Code and additional C/C++ package coverage and licensing support for Snyk Open Source. Users will see the same SAST and SCA tooling that Snyk provides to other ecosystems with scan times up to 100x faster than other tools, seamless integration into developers’ tools starting from the IDE, accuracy, and actionable results. And it’s all specifically tailored to work alongside the C/C++ ecosystem.
In the presentation, Neha demonstrated how developers can directly find and fix C/C++ vulnerabilities in the first-party code and third-party components from their native IDEs. She also covered how security teams can view all vulnerabilities from the Snyk UI.
Snyk Cloud: Fixing cloud issues in IaC
The following presentation, headed up by Agata Krajewska, Senior Software Engineer, and Anthony Larkin, Director of Product Marketing, introduced a new feature in our Snyk Cloud tool: the ability to find and fix cloud issues in IaC.
Often, we see siloed teams handling cloud architecture and security, making it challenging for them to collaborate. Security teams must manually determine which engineers are responsible for a cloud deployment when there is an issue. Then the engineering teams must manually trace each cloud security alert back to its actual source, wasting time and resources. When this process becomes too slow, many teams resort to“ClickOps”: fixing the cloud issues directly in production and causing more significant problems like configuration drift.
Instead, Snyk Cloud’s new feature empowers teams to fix cloud issues directly from the source. Rather than presenting audit results, we focus on delivering actionable fixes. With this new feature, security teams and cloud architects can immediately see where to fix cloud issues within the IaC source code. It empowers them to remediate cloud issues as soon as the code is written.
To see the new “fix issues in IaC” feature in action, check out Agata’s demo in our full SnykLaunch presentation.
Curated container security workflows for your software supply chain
The next part of SnykLaunch, led by Jamie Smith, Product Marketing Director, and Hadar Mutai, Senior Product Manager, covered Snyk Container’s updated workflow options.
Today’s applications are assembled more than built. Container users are intimately familiar with this concept, as they build new containers on top of pre-built base images rather than creating them from scratch. Docker is the most popular and well-known place to start looking for images to build upon. Many organizations prefer to further harden and customize images internally to suit their needs, then build their apps upon these internal “golden” images. There are several approaches to setting up this type of curated image workflow and as of April 2023, Snyk Container offers first-of-its-kind support for these more complex, layered container workflows.
We support this variety of workflows with extended custom base image recommendation logic. This feature makes it possible for a platform team to take an image from Docker (or Red Hat or anywhere else they choose), harden and customize it for their company’s needs, then mark any Snyk-monitored container image as a custom base image. By following this workflow, developers no longer have to see alerts for any vulnerabilities that might be in the “golden” image they’ve been provided. Instead, they only have to ensure that they’re following the guidance provided by Snyk to stay up-to-date and fix vulnerabilities that they might add to their application.
To support the scale and automation required in the container build chain, our new container features also include capabilities for more complex enterprise workflows, including:
API support to automate and customize the build workflows
Custom schema for versioning the internal base images
Automatic pull request generation, so apps built upon your internal images are automatically updated to use the most current preferred internal base images
The goal: to free developers from worrying about base image vulnerabilities that are out of their control. Jamie demonstrated this new support for base image recommendation workflows during SnykLaunch.
Visibility for the software supply chain across enterprise tools
The final presentation of this month’s SnykLaunch, led by Marco Morales, Sr. Partner Solutions Architect, and Akhila Managoli, Sr. Partner Solutions Architect at ServiceNow, focused on new Snyk integrations that facilitate enterprise visibility into the secure development process.
Snyk is the enterprise tool for developer security, integrating with the tools developers use daily. But, enterprise security and vulnerability management teams use another set of tools. And operations and platform teams use yet another. To build true DevSecOps collaboration and processes, all these tools must work together to empower visibility and support enterprise workflows. And still, this process cannot slow down development — it needs to keep pace with it.
We recently announced integrations with major enterprise solution providers, like ServiceNow, to foster this end-to-end visibility for service and vulnerability management. Our SnykLaunch presentation included a featured demo of the Snyk - ServiceNow integration demo led by ServiceNow’s Akhila.
We’ve also recently announced an integration with Dynatrace, bringing new application security visibility into the platform and operations preferred app monitoring solution. Snyk now integrates with AWS CloudTrail Lake for centralized auditing as well. We recently announced an upcoming Atlassian Jira integration to make application security a first-class experience in Jira and a more straightforward experience for developers. Finally, we also rolled out our Snyk Partner Solutions Directory for users to discover which solutions work alongside the Snyk platform.
Paving the way for a developer-centric security experience
The Snyk team is excited about these new features for our developer-first security platform: C/C++ support, Snyk Cloud’s “fix cloud issues in IaC” capability, support for curated container security workflows, and new enterprise workflow integrations. We can’t wait to hear about our users’ experiences with them!
If this recap intrigues you, you won’t want to miss the entire presentation! Check out our on-demand recording for full demos and details about each release.
Live Hack: Exploiting AI-Generated Code
Gain insights into best practices for utilizing generative AI coding tools securely in our upcoming live hacking session.