“Developers need to be concerned about security. Integrate it into your main KPIs. It starts with people ‘• The Register

Maintenance In an interview with Snyk founder and president Guy Podjarny on the challenges of developing secure applications, he told us, “Any solution that requires developers to become security experts is doomed to failure.

Snyk started in July 2015. Why the name? “The original idea I had was to slip information into a repository that would then give you information about it and I said I would spell it like cool kids do… and I found out when I Googled it that it’s short for So Now You Know, ”he told us.

Podjarny’s stance on developers and secure code is hardly surprising: his company provides security tools for programmers. “The heart of Snyk is the notion of dev-first security. It’s our thesis, it’s our raison d’être,” Podjarny said. Snyk maintains a vulnerability database which records security issues found in open source software libraries.

“The first issue we addressed was open source security, and in open source security there is a gap around existing vulnerabilities. The CVE system is designed for appliances and large enterprises to notify users of vulnerabilities, but the community of open source maintainers is not equipped to deal with this, “Podjarny said. When vulnerabilities are discovered in an open source project, they are fixed, noted in the release notes, and then they” disappear into the open source project. the ether of GitHub, ”he told us.

“We listen to the beam of information through social, research and open source activities, and we send it to our analysts who then address the vulnerabilities and add the necessary information to it … the work we do is both discovery of what’s out there and the security expertise to help developers, who aren’t usually security experts. “

An entry in the Snyk vulnerabilities database

“This kind of service is necessary,” Podjarny continued. “The open source community is not the best for the custody and ongoing maintenance of data assets. Even in operating systems, you see Canonical and Red Hat running fixes and fixes for operating systems. We do the same for application dependencies.

Snyk takes a curation approach rather than a crowdsourcing approach, Podjarny said. “We believe consumers want our expert opinion on what is a vulnerability and what is not, together with the maintainer.”

There are about 40 people working on the database, Podjarny said, but it’s a combination of manual processing and automation. “Some are making rules about what to inspect, others are building the technology to make these analysts more efficient,” he said. “We use our own vulnerability detection software in Snyk Code to help us educate ourselves.”

Snyk code

Snyk Code is the company’s newest major service and grew out of the acquisition of DeepCode in October of last year. DeepCode specializes in “semantic code analysis powered by AI”.

The service has a number of features including scanning code for vulnerabilities whenever a file is saved, or monitoring a Git repository, or as part of a CI / CD process.

One of the problems for developers is figuring out which vulnerabilities are important in their specific application, when the amount of data available on possible vulnerabilities can be overwhelming. Snyk Code is therefore designed to help solve this problem.

“Safety is about managing risk,” Podjarny said. “You have to start by being aware that a risk exists. It’s easy not to talk about vulnerabilities, but it’s not the best way to keep yourself secure. Once given, the solution comes from a combination of security intelligence, application intelligence, and developer experience. “

Contextualization is the key, he told us. “Are we looking to see if your code calls for this vulnerability?” We are now developing capabilities that assess whether you are configured in such a way that your code is vulnerable. We are working to provide infrastructure analysis, from our containers and our infrastructure as code. analysis, to refine it further. We’re already looking at Kubernetes configurations to tell you if a vulnerability is in a publicly available system, ”he said.

Emphasis is also placed on simplifying the fix, sometimes even generating pull requests containing the fixes.

“Most developers agree that security is part of quality code. The challenge is that security is naturally invisible, it doesn’t have a feedback loop. It doesn’t hurt until it does. Very badly. Part of the value of the security solution is to increase that visibility, without becoming another routine that you learn to become unresponsive to, ”Podjarny said.

You can be safe until bankruptcy

So should developers configure their CI / CD with Snyk Code, or something like that, so that code with detected vulnerabilities cannot be deployed? “Different systems require different levels of security. For some systems like an operating system that most of the world runs on, the bar is very high. For most applications, it is not the bar,” a- he declared.

“Technically, it is quite possible to reject any identified defect, whether of high or low severity. In practice, this is not the right decision for most companies. You can be safe until bankruptcy. You also need to be competitive. The trick is not to ignore them risks, but instead make a smart decision about when a risk deserves your attention and when you can just move on.

“Snyk’s job is to facilitate safe development while remaining fast.” It should work as a spell checker in the IDE rather than getting in the way, he explained.

How is Snyk Code different from other approaches? “Historically, static analysis tools have tried to figure out every path a program might take,” Podjarny said.

“Snyk Code takes a more data-driven approach and applies machine learning. It therefore analyzes each file, stores its knowledge and becomes smarter by processing this data. This makes it considerably faster than the previous generation, which makes it really usable, “he added.

“While previous generations focused on rules and understanding, Snyk Code benefits from all the code he can see, including all the history of all GitHub code, to understand how code flows and how it works. is fixed. This machine learning adapts to statics. analysis to the pace of modern software development. “

“To this day, SAST (Static Analysis Security Testing) is really the kid that shows how terrible security tools can be for developers, how poor their signal to noise ratio is. Snyk Code changes that,” did he declare. He also pointed out that the tool works on source code rather than having to be part of the build process, because “that’s how developers work.”

What can programmers do to consolidate their code?

Other than tools, what can developers do to make their jobs safer? “You have to care about it,” Podjarny said, “and make it part of your regular conversations. Whatever security measures you choose, discuss them in your daily standups, make them part of your main KPIs. starts with people and with the attention given.

“From a practical standpoint, you need to start embracing the minimum set of data and permissions you need, versus the maximum.”

In a microservices architecture, “the only way to get a secure system is to minimize what each of these parts can do. The natural tendency of developers is to get the most out of it. an asterisk and it ends. “

The high speed of the code is also a factor, Podjarny said. “There’s already a lot of data… it shows that speed, if applied correctly, actually improves safety. The only downside is you have to have speed and visibility… Personally, I advocate continuous pipelines that sensitize properly but are relatively light in breaking construction. “

Is Google correct in saying that there is a worldwide problem caused by the lack of security specialists, for Linux but also elsewhere?

There is an absolute shortage of security talent in the world and around 50 percent of security jobs remain vacant

“There is an absolute shortage of security talent in the world and around 50 percent of security jobs remain vacant,” Podjarny said. “Security is a deep expertise and not easy to acquire. And any solution that requires developers to become security experts is doomed to failure.

“Developers have to do everything, they’re just humans. I think the problem is real, and the solution is to have security plans that include more leverage, like tools, like more secure platforms. that remove some security concerns. For example the mobile security world has built platforms and operating systems that are inherently more secure than desktop operating systems. The cloud offers an opportunity to rethink the security of the same way.”

A Snyk Code Suggestion in Visual Studio Code

We took a look at Snyk Code, via a Visual Studio Code extension. Note that it uploads code to Snyk, which is a problem; this document [PDF] doing its best to reassure the developers. We have found, however, that the performance is good and the number of issues discovered is not overwhelming and well explained.

“This vulnerability has been patched by 1398 projects. Here are three sample fixes,” read a “suggestion from Snyk.” The first impression is that it is indeed developer friendly. Is this a cure for vulnerable code? It’s unlikely, but it can improve it nonetheless. ®