Snyk this week announced it will make available a stand-alone container security offering designed to be employed by organizations embracing best DevSecOps practices within a Kubernetes environment.
Company president Guy Podjarny says Snyk Container scans workloads running in Kubernetes environments for application and operating systems vulnerabilities. Previously, the company only provided a platform for detecting vulnerabilities in open source code based on a vulnerability database curated by Snyk.
Snyk Container is available as a software-as-a-service (SaaS) application that can be invoked from within a continuous integration/continuous delivery (CI/CD) platform. Scanning for vulnerabilities has become more problematic as the number of containers employed increases alongside the rate at which those containers are ripped and replaced.
As a result, Podjarny notes that DevOps teams don’t always do a great job documenting which versions of which code have been employed in any given set of containers. That creates a requirement for an approach to scanning those containers before they are deployed in a production environment, he says.
While Snyk is focusing its cybersecurity efforts on DevOps teams that require a programmatic approach to cybersecurity, the company is also partnering with cybersecurity vendors such as Trend Micro that primarily focus on the needs of cybersecurity teams. The only way to compensate for the chronic shortage of cybersecurity professionals is to rely more on developers to programmatically embed controls within applications. There may be some overlap in the capabilities provided by Snyk and partners such as Trend Micro; Podjarny says there is a need to bridge the divide between DevOps teams that are assuming more responsibility for cybersecurity as they manage infrastructure as code and teams that typically are responsible for defining cybersecurity policies. The goal is to provide an approach to cybersecurity that enables organizations to respond more adroitly to rapidly changing threat vectors at a time when the attack surface keeps expanding, says Podjarny.
Obviously, Snyk is not the only IT security vendor with similar ambitions. However, given the broad adoption of its cybersecurity platform for managing open source vulnerabilities, Snyk should be able to leverage existing relationships with developers to spur adoption of a container security platform. Less clear is to what degree developers will need to get the approval of their cybersecurity colleagues before deciding on what container security tool to employ.
In the meantime, IT organizations should take some comfort in the fact that, while there may be a lot more moving parts when it comes to containerized applications, the amount of time required to fix a vulnerability is substantially less than trying to patch an entire monolithic application. In fact, it’s common for monolithic applications with known vulnerabilities to run in production environments for months simply because the patch management process is too difficult. As organizations embrace containerized applications, the mean time to remediation of vulnerabilities will be sharply reduced. The challenge, of course, is that now that it’s easier to build applications, the number of vulnerabilities could substantially increase as well.