Will the Pandemic Propel DevSecOps? Snyk Says Yes
Now is a great time to start a bug bounty program, says Guy Podjarny, founder and president of Snyk, a security startup that helps developers find vulnerabilities in open source code and Kubernetes-based applications.
A lot of developers are working from home these days because of the COVID-19 pandemic. So why not pay them to find flaws in your software that you can fix before the hackers exploit these vulnerabilities to steal company data — or worse.
“There’s actually a lot of people signing up to bug bounty communities,” Podjarny said. “They are at home, and they are looking for ways to use the time well. So if you’re ever looking for a time to introduce a bug bounty program, this is a good time.”
As additional proof: Bugcrowd today said it is providing free, fully managed bug bounty programs (plus attack surface analysis) to emergency response teams, hospitals and other care provider organizations that are responding to the coronavirus pandemic.
Snyk is a 5-year-old company based in London. It announced a $150 million Series C funding round at a $1 billion valuation in January after reporting more than 400% revenue growth in 2019. Some of its marquee customers include Google, Intuit, New Relic, and Salesforce.
Snyk’s Continuous Security Integration
The startup’s open source and container security management aims to help developers find vulnerable dependencies during coding rather than after the applications have been deployed. When that doesn’t happen, Snyk can also upgrade or patch the vulnerable dependencies. Underpinning these capabilities is a massive database of open source vulnerabilities that continuously monitors enterprise applications’ dependencies and responds when new vulnerabilities are disclosed.
The company recently started offering its security services free of charge for six months to organizations hit hardest by the pandemic including those in health care, hospitality, travel, and the entertainment industries.
Much of Snyk’s team already worked remotely prior to the pandemic. But the reduced visibility into what developers are doing that comes with remote work can pose a security challenge for organizations not used to remote workers.
Plus, working remotely can also magnify existing challenges, like tension between security teams and developers. “Security has historically been very much about control, and that was already being challenged around visibility into what development teams are doing,” Podjarny said. “So at a high level, you need to shake off this illusion that you can centrally control what development is doing. That wasn’t true before. You’ve been kind of walking on this thin ice. And then the virus shattered it.”
However, as developers have accelerated the pace of software development through processes like continuous integration and continuous delivery (CI/CD), security has historically been left out of the loop, Podjarny said. Security teams “haven’t been supported as much as [and are seen as] naysayers. So what this kind of crisis does is it requires you to take a leap into what is a better future anyway, in which you succeed through empowering developers to do the right thing.”
How to Secure Code When the Dev Team Is Remote
Empowering remote developers to write secure code involves three core components, he said. First, it involves documenting best practices and guidelines to make it easier for developers to make good decisions. “It’s not just secure coding practices,” Podjarny added. “It’s also what should you do, what are the steps you should do, what questions to ask yourself to help you make good security decisions as you naturally make decisions as part of developing software.”
The second piece is to make sure developers use supportive tools, rather than enforcement tools, he said. So instead of “breaking the build” because of a security violation, Podjarny encourages failing pull requests instead. This tests only the new changes to the code, so a developer who introduced a security flaw can fix it in that same change, and it maintains the developers’ autonomy. “Don’t break the build,” Podjarny said. “But rather, surface it to developers. They need to play a role. It’s not just the security team that needs to change.”
And third, Podjarny suggests investing in security visibility. “Because not everybody is going to do the right thing, sometimes because they haven’t properly taken on the responsibility, and sometimes because they haven’t been properly educated or equipped with tools.”
Investing in security visibility involves instrumenting builds to capture the dependencies packaged into applications, and posting the vulnerabilities discovered in each build. It also means creating leaderboards that show how different teams handle security issues, and celebrating security achievements.
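A pull-request gate in the spirit of the approach described above (fail the pull request on what it introduces, surface what was already there, record what the build depends on), added here as an example rather than Snyk’s own tooling. The advisory feed, package names and versions are constructed sample data, and the dependency snapshots stand in for what an instrumented build would capture from a lockfile on each branch:

```python
# Added example (not Snyk's code): a pull-request gate that scans the dependency
# set of a PR branch and fails only on vulnerabilities the PR introduces, while
# pre-existing findings are reported for visibility without blocking the merge.
# All package names, versions and advisory ids below are constructed sample data.
from typing import Dict, List, Set, Tuple

Deps = Dict[str, str]            # package name -> pinned version (e.g. from a lockfile)
Finding = Tuple[str, str, str]   # (package, version, advisory id)

# Constructed advisory feed: versions strictly below `fixed_in` are affected.
ADVISORIES = [
    {"id": "ADV-0001", "package": "lodash", "fixed_in": "4.17.21"},
    {"id": "ADV-0002", "package": "minimist", "fixed_in": "1.2.6"},
    {"id": "ADV-0003", "package": "yaml", "fixed_in": "2.2.2"},
]

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '4.17.20' into (4, 17, 20) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))

def scan(deps: Deps) -> Set[Finding]:
    """Return every (package, version, advisory) triple where the pinned version is affected."""
    findings: Set[Finding] = set()
    for adv in ADVISORIES:
        version = deps.get(adv["package"])
        if version is not None and parse_version(version) < parse_version(adv["fixed_in"]):
            findings.add((adv["package"], version, adv["id"]))
    return findings

def gate_pull_request(baseline: Deps, pr: Deps) -> Dict[str, object]:
    """Compare the PR branch against the base branch; block only on newly introduced findings."""
    before, after = scan(baseline), scan(pr)
    introduced: List[Finding] = sorted(after - before)  # new or downgraded vulnerable deps
    fixed: List[Finding] = sorted(before - after)       # findings the PR removes (e.g. upgrade)
    inherited: List[Finding] = sorted(after & before)   # already on main: surface, do not block
    return {"pass": not introduced, "introduced": introduced, "fixed": fixed, "inherited": inherited}

if __name__ == "__main__":
    # Constructed snapshots: the PR downgrades minimist and adds an already-patched yaml.
    main_branch = {"lodash": "4.17.20", "minimist": "1.2.6", "express": "4.17.1"}
    pr_branch = {"lodash": "4.17.20", "minimist": "1.2.5", "express": "4.17.1", "yaml": "2.2.2"}
    print(gate_pull_request(main_branch, pr_branch))
```

The inherited lodash finding is reported to the developer but does not fail the pull request; only the downgraded minimist does, which is the difference between surfacing a problem and breaking the build.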
Rise of DevSecOps
All of these development tools and processes essentially build security into the software and application development process as opposed to treating security like an afterthought. And indeed, Podjarny believes that DevSecOps — embedding security controls and processes into DevOps — will be one of the lessons learned during this pandemic.
“It is fundamentally the right approach,” he said. “DevSecOps is about equipping teams that practice DevOps with the ability and empowerment to make security decisions.”