Security tool vendor Snyk recently added code scanning to its range of tools for DevSecOps practitioners.
Snyk (pronounced "sneak") was founded in 2015 by Guy Podjarny, and offered an open source dependency scanner so developers could easily see if there were any known vulnerabilities in the open source code they used in their software. Importantly, the scan is recursive, so it not only checks the libraries used by the developer, but the libraries used by those libraries, and so on.
Since then, Snyk Open Source has been joined by three other tools: Snyk Container (to find and fix vulnerabilities in container images and Kubernetes applications), Snyk Infrastructure as Code (to find and fix insecure configurations in Terraform and Kubernetes code), and recently Snyk Code (to find and fix vulnerabilities in the developer's own code).
All four run on a single platform, explained Snyk APJ head of solutions engineering Lawrence Crowther, so it is possible, for example, to apply global policies across the software development lifecycle.
Furthermore, Snyk is developer focussed, he said, so the platform integrates with common developer tools (IDE, source control, CI/CD, etc.) so that "the tool does the heavy lifting for them" and the developer can then concentrate on fixing the problem rather than finding it.
"We started with the digital natives" because for them, DevSecOps is a natural extension of DevOps, but now the company is addressing the enterprise market including the financial services sector. Local Snyk customers include Afterpay and Australia Post.
"DevSecOps is a bit of a buzzword," Crowther admitted, but one of the company's goals is to bake security into DevOps so that in a few years the security part will be a first class citizen of every project.
But "you need to do DevOps right before you do DevSecOps," he warned.
The broad adoption of cloud has led to the adoption of different architectures (vs traditional monolithic applications), and this means the security of all the components must be properly addressed.
For example, it's easy to get started with Kubernetes, he said, but it has a range of security implications, so DevOps teams need to step back and think about issues such as ensuring only the correct ports are open, that files aren't inappropriately exposed, and that exactly the correct privileges are assigned.
There's a cultural issue here, Crowther suggests, because developers need to take ownership of security not only of the code they write, but right down to the infrastructure level.
One way this can be addressed is by moving security specialists into application security roles, but this means they will need to understand engineering practices, DevOps workflows, and so on. Consequently, there aren't many people who can be slotted immediately into such roles.
So organisations need to find ways to provide developers with security guidance (eg, "how to avoid SQL injection flaws") and should invest in reskilling, including giving developers sufficient time to learn and absorb this knowledge.
Australian organisations are behind the US, but ahead of most of the APAC region, said Crowther. However, they are generally not getting to grips with the proper checking of open source code.
A typical project now contains around 10% locally developed code, with the other 90% being open source, he said. But that 90% depends on other open source libraries, and if a project explicitly uses 10 libraries it could be implicitly using another 1000.
Without proper checking, you're "just trusting the internet," he said.
A further problem is that most tools for checking open source libraries only go one level down. In contrast, Snyk Open Source traverses the entire dependency tree, according to Crowther.
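The difference between a one-level check and a full traversal of the dependency tree, as an added illustration (not Snyk's code or the article's): a vulnerable package three levels down is invisible to a scanner that stops at direct dependencies. The dependency graph and the "known vulnerable" list are constructed sample data, not real packages or advisories.

```python
from collections import deque

# Constructed dependency graph: package -> packages it depends on.
# "webapp" is the project's own code; everything else is open source.
DEPENDENCY_GRAPH = {
    "webapp": ["http-lib", "template-lib"],
    "http-lib": ["url-parser", "compress-lib"],
    "template-lib": ["escape-lib"],
    "url-parser": ["punycode-lib"],
    "compress-lib": [],
    "escape-lib": [],
    "punycode-lib": [],
}

# Constructed advisory data: packages with a known vulnerability.
KNOWN_VULNERABLE = {"punycode-lib"}


def resolve(root, graph, max_depth=None):
    """Return {package: depth} for every package reachable from `root`.

    max_depth=1 mimics a tool that only looks at direct dependencies;
    max_depth=None walks the whole tree, the recursive behaviour the
    article attributes to Snyk Open Source. Breadth-first order records
    the shallowest depth per package; the `found` dict also guards cycles.
    """
    found = {}
    queue = deque((dep, 1) for dep in graph.get(root, []))
    while queue:
        pkg, depth = queue.popleft()
        if pkg in found or (max_depth is not None and depth > max_depth):
            continue
        found[pkg] = depth
        queue.extend((child, depth + 1) for child in graph.get(pkg, []))
    return found


def vulnerable_packages(root, graph, vulnerable, max_depth=None):
    """Return {package: depth} for reachable packages with a known issue."""
    deps = resolve(root, graph, max_depth)
    return {p: d for p, d in deps.items() if p in vulnerable}


if __name__ == "__main__":
    print("direct only:", vulnerable_packages("webapp", DEPENDENCY_GRAPH, KNOWN_VULNERABLE, 1))
    print("full tree:  ", vulnerable_packages("webapp", DEPENDENCY_GRAPH, KNOWN_VULNERABLE))
```

With the constructed data the direct-only scan reports nothing, while the full traversal reports `punycode-lib` at depth 3.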
Similarly, downloading a container image from Docker Hub is a risky business without due diligence. It might purport to contain something simple such as a Linux distribution and Node, but have other libraries been planted in it, and are there any old libraries that should have been updated?
Lots of blind spots exist, he warned, so it is important to check all dependencies.
If you're not sure whether Snyk's products are right for you, or if you only work on a small project, the company offers a 'free forever' plan that has a monthly limit of 200 Open Source tests, 100 Container tests, 300 Infrastructure as Code tests, and 100 Code tests.
Otherwise, prices start at $115 a month for five developers using Snyk Open Source.
And if you have your eye on job opportunities, Crowther said Snyk will be hiring sales, solutions engineering and support staff in 2022, in part to staff a planned Canberra office that will augment the existing operations in Sydney and Melbourne.