SECURE Your Code From the Start with Snyk.io and Snyk Code

Davide 'CoderDave' Benvegnù - May 18 '21 - - Dev Community

Ensuring application security is extremely important. But usually it's also pretty tedious and definitely not fun.

The tools we use are usually slow and not very accurate, and this leads to them not being used properly.

Notice that I've said "usually", because I think I've found the solution for it. Or, better, Snyk has found it.

Let's dive into it.

🌏Check out Snyk at http://snyk.co/coderdave

Video

As usual, if you are a visual learner, or simply prefer to watch and listen instead of reading, here you have the video with the whole explanation and demo.

I would highly recommend watching the video because it is much more complete than this post, and in there you can see all the products in action.

Link to the video: https://youtu.be/hXiJJUTiLEw

If you'd rather read, well... let's just continue :)

Current Challenges for DevSecOps

To better understand where to position Snyk, we need to take a look at the current issues we face.

There are many tools out there that take care of the different phases of application security, but as I've mentioned in the intro they are usually pretty slow and not very accurate.

And this is a problem. In the DevSecOps realm, in fact, you want to shift left on security, meaning that you want your code to be scanned and made secure as early as possible in the development cycle. If the tool you're using is too slow, it will waste precious time during development or in the CI for Pull Requests.

Similarly, if the results of the tool are not accurate, for example if it returns too many false positives or, even worse, if the tool regularly misses real vulnerabilities, your confidence in the tool itself will decrease.

Because of those aspects, you may end up not using the tools at all, exposing your code and application to greater risks.

Snyk is Different

So, what makes Snyk different? First of all, their philosophy.

They have a unique combination of developer-first tooling and best-in-class security depth, which enables developers and companies to easily build security into their continuous development process.

And I want to emphasize the "developer-first" bit. Snyk tools are built for developers by developers. This means they try to solve all the common adoption blockers we have seen before.

The second thing that makes Snyk different is that they provide a comprehensive end-to-end platform, which they call the Cloud Native Application Security platform, and which includes almost all you need for making your code secure.

This platform includes in fact:

  • Open Source Security, which automatically finds, prioritizes and fixes vulnerabilities in open source dependencies
  • Code Security, which we'll explore more in depth later
  • Container Security, to find and automatically fix vulnerabilities in your containers
  • Infrastructure as Code Security, which focuses on issues and vulnerabilities in Terraform and Kubernetes definitions

Snyk Open Source and Infrastructure as Code

As I've mentioned, we will go in depth into their new Snyk Code a little later in the video, but first I want to quickly show what these other tools can do and how they work.

Check out the video for the demo:

Demo for this starts at minute 2:52

Snyk Code

Alright, next I wanna talk about the star of the show: Snyk Code.

Snyk Code is a Static Application Security Testing (SAST) tool, but unlike other SASTs on the market, which are designed primarily to test applications post-development, Snyk Code has been developed with a developer-first approach. This means that not only does it provide a very user-friendly experience and integration with dev tools, it is also pretty fast, with near real-time scan results, and has high accuracy.

It can be all of this because it integrates directly into your IDEs, like Visual Studio, VSCode, Eclipse and many others (more on this later), and because it's powered by machine learning and AI. The Snyk Code AI engine learns from millions of open-source commits, and is paired with known issues from Snyk's Security Intelligence database, creating a continually growing code security knowledge base.

But enough talking, let's see this in action. We'll see it first in a more "traditional" approach, and then we will push it to its limits.

Check out the video for the demo:

Demo for this starts at minute 8:45

In the demo I cover:

Conclusions

Alright, I think that's more than enough for today.

As we have seen, Snyk has a very comprehensive portfolio of tools we can use to secure our code and applications. And Snyk Code is a very powerful addition to the suite.

I really love that we can use it in a more traditional way by adding our repos to it as projects, but also that we can take it a step further and use it as part of our continuous integration process.

And I think you will probably agree with me that its best feature is being able to scan the code in real time, so we can shift left on security very easily and integrate it into our development workflow, even before committing to our repo.

Let me know in the comment section below what your thoughts are.

🌏Check out Snyk at http://snyk.co/coderdave
