Snyk Adds Second ASPM Tool to Portfolio – DevOps.com

admin

Today, Snyk made available a new edition of its application security posture management (ASPM) tool that assesses application risk with more context about how the code was written and what role it plays within the application environment.

Manoj Nair, chief product officer for Snyk, said Snyk AppRisk Pro leverages artificial intelligence (AI) and machine learning to provide deeper insights into how applications have been constructed. Snyk AppRisk Pro, for example, can trace insecure portions of deployed applications all the way back to the specific code components.

Armed with those insights, DevSecOps teams can prioritize their remediation efforts more easily, said Nair.

Snyk originally released Snyk AppRisk late last year. Last January it acquired Helios, a provider of tools that collect security data from runtime environments through integrations with third-party tools and platforms from Dynatrace, SentinelOne and Sysdig. That capability has now been integrated into Snyk AppRisk Pro.

Snyk AppRisk Pro also adds the ability to scan code for secrets, such as hard-coded credentials, that cybercriminals might later discover.
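To make concrete what "scanning for secrets in code" involves, here is a small scanner added as an illustration for this article. It is not Snyk's code and says nothing about how Snyk AppRisk Pro works; it combines the two techniques most secret scanners use, fixed-format pattern rules (AWS access-key and GitHub token prefixes, PEM private-key headers) and a Shannon-entropy check on values assigned to secret-looking variable names. The sample source file, the rule set and the 3.5 bits-per-character threshold are all constructed for the example; the AWS key ID in the sample is the placeholder AWS uses in its own documentation.

```python
"""Toy secret scanner: fixed-format pattern rules plus an entropy check.

Illustrative example only; this is not Snyk's scanner and makes no claim
about how Snyk AppRisk Pro detects secrets.
"""
import math
import re
from dataclasses import dataclass
from typing import List

# Rules for credential formats with a fixed, recognisable shape. The AWS
# access-key prefixes, the GitHub token prefixes and the PEM header are
# public formats; no other product-specific knowledge is assumed.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Generic rule: a quoted literal of 16+ characters assigned to a name that
# looks like a secret. Catches keys that have no fixed prefix; the entropy
# check below filters out placeholder values such as "changeme-changeme".
ASSIGNMENT = re.compile(
    r"""(?i)\w*(secret|password|passwd|token|api[_-]?key)\w*\s*[:=]\s*['"]([^'"]{16,})['"]"""
)
ENTROPY_THRESHOLD = 3.5  # bits per character; heuristic chosen for this example


@dataclass(frozen=True)
class Finding:
    rule: str
    line_no: int
    match: str


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for empty or single-symbol input)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text: str) -> List[Finding]:
    """Return every secret-like hit in text, in line order, pattern rules first."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append(Finding(rule, line_no, m.group(0)))
        for m in ASSIGNMENT.finditer(line):
            value = m.group(2)
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append(Finding("high_entropy_assignment", line_no, value))
    return findings


# Constructed sample file. None of these values is a live credential; the
# AWS key ID is the placeholder from AWS's own documentation.
SAMPLE_SOURCE = """\
# constructed sample; the values below are not real credentials
import os
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
db_password = "hunter2"
API_KEY = "k9Qx2mZ7vP4rT1nW8bL3yH6cJ0dF5gA2sE"
stripe_token = os.environ["STRIPE_TOKEN"]
PRIVATE_KEY = "-----BEGIN RSA PRIVATE KEY-----"
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_SOURCE):
        print(f"line {f.line_no}: {f.rule}: {f.match}")
```

Run against the sample, the scanner reports the AWS key ID on line 3, the high-entropy API key on line 5 and the PEM header on line 7. Line 6 is correctly left alone because the value comes from the environment rather than a literal. Line 4 is the caveat worth remembering: a short, low-entropy password like "hunter2" slips past both the length floor and the entropy threshold, which is why real scanners layer several rule types and why a scanner finding nothing is not proof that no secrets are present.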

Snyk has been working closely with Google to apply AI to DevSecOps. Most recently, Snyk announced support for Gemini Code Assist, Google's tool for generating code with its Gemini large language model (LLM). The integration helps identify security vulnerabilities in generated code before applications are deployed. That matters because LLMs are trained on code of varying quality drawn from across the Web; as more code is produced with generative AI tools, the likelihood that it contains vulnerabilities is high because much of the code used to train an LLM is itself flawed. In effect, DevSecOps teams need tools that use AI models to find the vulnerabilities other AI models introduce.

Hopefully, the overall quality of generated code will improve as generative AI advances; the next generation of LLMs is being trained on code that has been vetted for quality. That matters because most of the issues cybersecurity teams must resolve begin as mistakes made by developers, whom the security team then has to persuade to allocate time for a fix. Thanks to the spread of DevSecOps best practices, the security of software supply chains is improving, and the easier it becomes for developers to catch issues as they write code, the more secure applications will be.

Of course, writing more secure code is only one part of the equation. DevSecOps teams will also need to keep scanning code after it has been added to a build, and again as updates are made to applications already deployed in production. It is only a matter of time before more stringent regulations require organizations to attain and maintain higher levels of application security.

The challenge, as always, is modernizing legacy DevOps workflows, which were typically designed to build and deploy code as fast as possible rather than to ensure that application security requirements are met.
