Software vulnerabilities are becoming more and more pervasive. Many of them lie in open-source packages and third-party dependencies, yet discovering them is challenging. This is part of the reason why one in four Log4j downloads is still vulnerable and why 95% of vulnerabilities stem from transitive dependencies. Hackers can leverage unaddressed threats in the software supply chain for privilege escalation, data exfiltration, and even remote code execution. Therefore, discovering and patching these vulnerabilities is necessary to avoid major disasters.
Plugging gaps in the software supply chain is becoming business-critical. As such, most organizations expect to increase their investment in cybersecurity automation in the next twelve months, according to a report by ThreatQuotient. Software supply chain automation (SSCA) tools automate the detection and remediation of threats, and many organizations are extending this further by placing vulnerability scanning within the CI/CD pipeline to ensure safety upon each new build.
To be truly comprehensive, vulnerability detection automation will hinge on a comprehensive dataset of CVEs, and the ability to work with various cloud-native environments and differing engineering workflows. One promising tool is Snyk, a security automation utility that helps automatically discover and remediate the vulnerabilities latent in your code. The company just received Series G funding and is valued at a staggering $7.4 billion. Below, we’ll take a look at what Snyk does and consider why automating vulnerability detection and remediation for open-source software is a boon for overall cybersecurity initiatives.
CISO Point of View
“This latest round of funding is really exciting validation for the application security market. Security for so long has been dominated by network security, operations, scanning tools, and everything surrounding software. This funding round for Snyk is representative of this broader and much needed trend in cybersecurity that brings together security teams and developers and the software they’re building.”
What Does Snyk Do?
Snyk can be applied within Integrated Development Environments (IDEs) to continuously scan for new vulnerabilities. It automatically highlights vulnerable code and delivers actionable advice to remediate. For example, Snyk can test a dependency, discover a possible code injection vulnerability, and let the developer know which version fixed the CVE, along with links to helpful information. It can issue automatic fixes for vulnerable dependencies and container base images.
Snyk offers static application security testing, software composition analysis, and container testing. It can integrate with Jira to enable developers to open a pull request or even issue one-click upgrades. But what makes Snyk really stand out is the security intelligence research the company participates in. Snyk engineers maintain a comprehensive open-source vulnerability database that tracks vulnerabilities within packages across all the major open-source distributions. Examples of threats might be a malicious package in pip, a cross-site scripting (XSS) vulnerability in Maven, or a code injection threat in an npm package. At the time of writing, the Snyk Vulnerability Database tracks 2,311 vulnerabilities, and Snyk also offers a portal for the larger community to disclose issues.
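The per-build gate the article describes, as an added example that is not Snyk's code and not part of the original article: a Python script that reads a dependency-scan report (a constructed sample whose field names and VULN-EXAMPLE-* ids are assumptions, not Snyk's real schema or real advisory ids), labels each finding as a direct or transitive dependency together with the version that fixes it, and fails the build when any finding meets the severity threshold.

```python
import json

# Severity order used for the gate threshold.
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed sample scan output; field names are an assumption loosely modelled
# on scanner JSON, not Snyk's schema, and VULN-EXAMPLE-* ids are placeholders.
SAMPLE_REPORT = """{"vulnerabilities": [
  {"id": "VULN-EXAMPLE-1", "title": "Remote code execution", "severity": "critical",
   "packageName": "log4j-core", "version": "2.14.1", "fixedIn": ["2.17.1"],
   "from": ["my-app@1.0.0", "log4j-core@2.14.1"]},
  {"id": "VULN-EXAMPLE-2", "title": "Prototype pollution", "severity": "high",
   "packageName": "lodash", "version": "4.17.15", "fixedIn": ["4.17.21"],
   "from": ["my-app@1.0.0", "some-lib@3.0.0", "lodash@4.17.15"]},
  {"id": "VULN-EXAMPLE-3", "title": "ReDoS", "severity": "low",
   "packageName": "minimatch", "version": "3.0.4", "fixedIn": [],
   "from": ["my-app@1.0.0", "glob@7.1.6", "minimatch@3.0.4"]}
]}"""


def triage(report_json, threshold="high"):
    """Return (should_fail, findings): each finding says whether the package is a
    direct or transitive dependency, which direct dependency pulled it in, and
    the upgrade that fixes it, so the build log tells the developer what to do."""
    findings = []
    for vuln in json.loads(report_json)["vulnerabilities"]:
        path = vuln.get("from", [])
        # path[0] is the project itself, so more than two entries means the
        # vulnerable package arrived through another dependency.
        transitive = len(path) > 2
        fixed_in = vuln.get("fixedIn") or []
        findings.append({
            "id": vuln["id"],
            "package": f'{vuln["packageName"]}@{vuln["version"]}',
            "severity": vuln["severity"],
            "transitive": transitive,
            "introduced_by": path[1] if transitive else None,
            "fix": f"upgrade to {fixed_in[0]}" if fixed_in else "no fix available",
        })
    threshold_rank = SEVERITY_RANK[threshold]
    should_fail = any(SEVERITY_RANK[f["severity"]] >= threshold_rank for f in findings)
    return should_fail, findings


def gate(report_json, threshold="high"):
    """CI entry point: print findings worst-first and return the exit status."""
    should_fail, findings = triage(report_json, threshold)
    for f in sorted(findings, key=lambda f: -SEVERITY_RANK[f["severity"]]):
        origin = f" (via {f['introduced_by']})" if f["transitive"] else " (direct)"
        print(f"[{f['severity']:>8}] {f['id']} {f['package']}{origin}: {f['fix']}")
    return 1 if should_fail else 0
```

Calling `gate(SAMPLE_REPORT)` prints the three findings and returns 1, which a pipeline step can use as its exit status; the lodash finding is reported as reachable only via `some-lib`, which is the upgrade the developer actually has to make.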
CISO Point of View
“Automating vulnerability detection is a game changer. While we need developers to be security conscious, we also need to make sure they are not so bogged down with security that they can’t create awesome software with great features. That means taking as many things off their plates that do not correlate directly to feature development.
Having the detection of vulnerable libraries integrated with the developer’s Integrated Development Environments (IDE) removes the memorization and guesswork from their work thereby reducing risk by supporting the building of better software. It is a win across the board, your CISO gets more secure software and your developers get more time to do the work that they intended to do when they became developers in the first place.”
Benefits of Vulnerability Detection Automation
There are many benefits of automating vulnerability detection and remediation. Firstly, continuous detection is much faster and more effective than manual testing. A constant, automated approach to scanning for vulnerabilities helps you stay ahead of unknown threats to protect you from security breaches. Plus, having a toolset that offers practical advice for remediation naturally reduces the average time it takes to respond to incidents. Quicker response times help protect personally identifiable information and retain business continuity and quality of service for end users.
Integrating software security automation into an engineer’s workflow saves them countless hours and dramatically improves the experience associated with ongoing vulnerability management. As Snyk user Ash Arnwine, Director of Developer Relations, Nylas, told us:
“As developers, most of us have plenty of utility scripts, server jobs, and side-project apps out there, and we don’t necessarily touch those code bases on a regular basis. So if a vulnerability is discovered in some npm module three months from now, how would I know about it? Getting a weekly report from Snyk in my inbox helps me stay on top of this by providing details on each issue and its level of severity. That reminder, along with the context Snyk provides, means I can stay on top of important updates.”
Caveat: Vendor Solutions Only Go So Far
A tool like Snyk can act as guardrails for development, reducing risk and increasing an organization’s compliance with regulatory requirements. It could decrease costs associated with manual vulnerability management, as it reduces the effort and training required to mitigate risks. However, it should be noted that although vulnerability analysis tools offer a solution to a pressing problem, they don’t necessarily address the core issue of why open-source vulnerabilities exist in the first place.
CVE reporting requires a global group effort from the cybersecurity community — an effort that shouldn’t solely be placed on the shoulders of a single company. Vendor-neutral groups and consortiums are also working hard to reduce the emergence of new vulnerabilities. For example, Open Source Security Foundation (OpenSSF) is a Linux Foundation project fostering collaboration around protecting the software supply chain. One of its projects, Sigstore, provides a way to verify the provenance of open-source packages, plugging the gap between the open-source repositories and the package managers that host them. SLSA also provides a set of standards and controls to prevent tampering and improve the integrity of software packages.
Once software distributors utilize these standards more ubiquitously, the root problem may lessen. In the meantime, organizations should still be vigilant as they acquire new technologies, even when using automated vulnerability analysis. Staying alert will be essential to avoid typo-squatting and unreported malicious code commits, because a scanner can only flag what has already been reported. Requesting SBOMs from software providers is still an excellent way to audit your surface area and keep up to date with threats.
Lastly, introducing a vendor solution for vulnerability detection inherently adds another dependency into the already complex software development toolchain. And although Snyk offers many features for free, its per-user pricing strategy does become expensive very quickly, and it arbitrarily gates features only for high-end premium and enterprise subscriptions.
CISO Point of View
“Snyk has positioned itself to capitalize on the push to shift security left. They’re leading with their efforts to enable developer-centric security and empower developers to make secure decisions earlier in the software development lifecycle (SDLC). Snyk is also providing context as it relates to vulnerabilities in areas such as exploitability, patch availability, and more to enable risk-informed decisions for vulnerability management.”
Lessening the security impact of open-source adoption while retaining the agility these packages promise is key to maintaining a healthy development cadence. Organizations truly need an automated method to identify and remediate an ever-increasing threat landscape, especially with so many transitive dependencies latent within downstream projects.