Docker Inc. is the latest provider of tools for building containerized applications to partner with Snyk following an alliance between the two companies revealed this week.
Justin Graham, vice president of products for Docker Inc., says container vulnerability scanning tools from Snyk will be embedded in future versions of Docker Desktop tools for building applications and the Docker Hub repository for storing container images, which are due in the third quarter. The goal, he says, is to provide developers with the tools needed to discover vulnerabilities as they build applications versus addressing them after an application has been deployed in a production environment.
The alliance with Docker comes on the heels of a similar relationship established between Snyk and Red Hat through which Snyk tools for scanning containers will be embedded in application development tools provided by Red Hat.
Aner Mazur, chief product officer for Snyk, says that as developers are held more accountable for cybersecurity it’s clear many more of them are looking for tools for securing applications that act as a natural extension of existing application development and deployment processes. As such, Snyk has been focused on extending the reach of its tools via alliances with vendors that provide those tools and platforms that are developer-centric, he says.
In general, there’s a lot of hype surrounding the rise of best DevSecOps practices. However, it’s only been until recently that the tools developers require to secure applications have become more widely available. Many IT organizations have been encouraging DevOps teams to take on more responsibility for application security, which often results in late-night calls for updates to applications whenever a severe breach is discovered.
Of course, the goal is to eliminate the need for that call in the first place. Historically, cybersecurity teams have shared lists of vulnerabilities that should be remediated but have little to no context concerning their severity. Developers have attempted to balance those requests against other bug fixes and demands for new application features with mixed success. Snyk tools should make it possible for developers to discover vulnerabilities on their own before their code is merged, thereby streamlining whatever DevSecOps process are employed.
If vulnerabilities are discovered, it then becomes a matter of determining whether the vulnerabilities are the result of an error by a developer or something that needs to be addressed by upgrading the platform on which applications are being built and deployed. The challenge, of course, is that platform upgrades might break existing applications, so IT teams need to be careful in deciding how best to go about addressing vulnerabilities, notes Mazur.
On the plus side, however, those decisions will be better informed than ever because developers will have a lot more visibility into vulnerabilities being created and discovered, assuming they are smart enough to fix issues they are likely to lose sleep over later on.