
October 18th, 2022 18:00

Snyk - Making Cloud Security Accessible to Developers

On the show floor at DevWeek 2022 I stopped by the Snyk booth to learn about what they do. Jonathan Davis, an SE at Snyk, explained to me how they're enabling developers to find security vulnerabilities in their code. He also talked about where the idea for their solution came from and what's next for the company. (Jonathan even told me what "Snyk" stands for and what the deal is with their mascot.)


Transcript -- Snyk - Jonathan Davis

Barton: All right, coming to you live from DevWeek Cloud here in Austin. I'm here with Jonathan Davis. Jonathan, how are you?

Jonathan Davis: Hey, I'm doing great. How are you? I'm doing well.

Barton: So you work at Snyk and you're an SE. To start with, what is Snyk? What do y'all do?

Jonathan Davis: Great question. So Snyk is a dev-first security company. And so what we do is we try to shift security left and make it easy for developers to find security vulnerabilities in their code. We'll let developers find issues in first-party code, static analysis, third-party libraries that they're pulling in. We can find issues in container images and then also in the cloud.

So infrastructure is cloud, and we shift those live cloud workloads that you're deploying to the left so developers can actually run these security scans directly in the IDE, so you can fix these issues before you commit. And then when you commit to your source control manager like GitHub and GitLab or Bitbucket, we can actually tie Snyk in there.

So every time you're doing a pull request to merge a feature branch in, we can scan that feature branch to see if there are any issues before you merge it. Then we can also tie into the CI/CD as well. So if you're running a build in Jenkins or Azure DevOps, places like that, you can have a Snyk scan be part of that build step, and you can fail a deployment if you find high-severity issues. And so we really make it easy to fit security in every step we scale Snyk.

Barton: So then it's not just app developers, it's also ops and platform engineers who use it.

Jonathan Davis: Absolutely.

Barton: And so how has it been to get developers to be thinking security and to be comfortable with it and want to do this? Has that been tough?

Jonathan Davis: That's a great question. So that really was kind of the birth of our company, because our founder Guy Podjarny noticed that a lot of the security companies that existed were really focusing on security teams, so providing great reports and metrics, but they weren't building tools developers wanted to use. And so we wanted to build something that looked like a developer tool. The scans needed to run quickly because you don't wanna hold up developer builds, and you wanted something that was gonna integrate easily with their workflow. And so that was really our focus from the very beginning.

Barton: Cool. And is this cloud based as well as on-prem or how's this used?

Jonathan Davis: It's primarily gonna be a cloud deployment, so it's primarily cloud-based for most of our customers. If there are special, like SEC concerns about security issues, then we can offer on-premises deployments for some products.

Barton: Cool. And the name, people are gonna ask, why Snyk?

Jonathan Davis: A great question. It's actually an acronym for "So Now You Know."

Barton: I like it. And so now we know. And then the other one, we got this dog over here as your mascot. What's his name?

Jonathan Davis: The dog's name is Patch. Patch basically is our mascot, and he kind of symbolizes security and, you know, when you think of a Doberman you think of security and safety.

Barton: It's a security patch.

Jonathan Davis: Exactly.

Barton: I like that. So just to end with, what do you see as the next step for what you all are gonna do in the security world? What's the next big issue you need to tackle?

Jonathan Davis: Great question. So actually at the AWS Summit, we announced that we're going to be going live with a new product that we have called Snyk Cloud. And so really the idea there is that we want to be able to cover more of that application. So now with cloud-native applications, developers are responsible for not just the code but also what those deployments are gonna look like. And so we wanna be able to provide them more runtime information in the cloud, so that after you've deployed your application to AWS or Google Cloud you can scan that deployment there and then find issues. Up to this point, we've really focused a lot on pre-deployment, but now we're also moving into the post-deployment cloud space.

Barton: Awesome. Jonathan Davis, thanks so much.
