Techstrong TV: Bettering Container Security

Sysdig and Snyk recently announced a container security partnership. Together, the integration of Sysdig Secure with Snyk Container will cover container security from development through operations. The integration allows teams to eliminate up to 95 percent of vulnerability alerts using runtime intelligence from Sysdig Secure with Snyk Container. The video and a transcript of the conversation are below.

 

Recorded Voice:         This is Digital Anarchist.

 

Alan:                           Hey, everyone. Welcome to another Techstrong TV interview segment here. I have two folks I wanna introduce you to. One’s been on our show a few times already, I think, in the past. One, I’ve done webinars with, but I don’t think I’ve ever brought him on Techstrong TV. Lemme introduce you first to Eric Carter. Hey, Eric, welcome. It’s your first time on Techstrong TV.

 

Eric:                            Yeah, I’m excited. Thanks, Alan.

 

Alan:                           We always give extra points to people who have guitars in the background, man, so.

[Laughter]

 

                                    Welcome, welcome.

 

Eric:                            Yeah, that’s my cool factor. Exactly.

 

Alan:                           Yeah. That gives you a little – wait, was that a keyboard I saw when you moved, there?

 

Jim:                             Multiple.

 

Eric:                            Yeah, yeah, man. It’s a band.

 

Alan:                           So you got two? Oh, double instruments. Good for you. Good, man. Eric, why don’t you introduce yourself to the audience?

 

Eric:                            Sure. Hey, real simply, I am responsible for product marketing here at Sysdig that relates to our partnerships, thus here I am with Jim from Snyk.

 

Alan:                           Excellent. And you know what, Eric? We’ve interviewed so many people from Sysdig over the – well, over the course of these last two years of COVID nonsense, but – here on Techstrong TV. But there might be people who are not familiar with Sysdig still. Why don’t – if you don’t mind, before I introduce Jim, give ’em a quick Sysdig background.

 

Eric:                            Yeah, sure. Our goal is to help customers securely and confidently run their cloud native and cloud applications. And so what we do is provide the visibility and security that helps them do that. And you’ll hear a little bit about how that’s tapping into Snyk in just a minute.

 

Alan:                           Cool, man. And then Jim, if you don’t mind?

 

Jim:                             Yeah. Yeah. Well, it’s great to be here. Thanks for having us. So I run product marketing here at Snyk and specifically handle our Snyk Container product, which is obviously a key part of this – key part of this integration and this partnership. So really excited about that.

 

Alan:                           Yeah. And I should mention it’s Jim Armstrong from Snyk.

 

Jim:                             Jim Armstrong. That’s it. Yep. You got it.

 

Alan:                           Well, we like to give you the full name. Your parents, your significant others may be watching. It’s _____ – it’s big for them. So guys, we – I guess we kinda let the cat outta the – well, our audience is very familiar with Snyk. But why – maybe someone’s not. Maybe we need – maybe they think, but they’re not sure. Jim, why don’t you give ’em a little Snyk background?

 

Jim:                             Yeah, absolutely. So Snyk is a developer-focused security company. So Eric mentioned securely running the applications. We’re focused very much on the far left side of that, as far left as you can get, and how those applications get built, and helping the developer secure the code, the containers when they’re creating them, and those kinds of things very early in that process.

 

Alan:                           Excellent. All right. So we – we’ve got you both on – if our audience hasn’t guessed already, and you guys have alluded to it, we – we’ve got a little collaboration going on here. Who wants to lead off telling us what – what’s happening?

 

Jim:                             Yeah. I’ll take it.

 

Alan:                           You gonna make me pick? Eric, you go first. That’s why they pay me the big bucks. I make those kinda decisions.

 

Eric:                            Yeah, you want me to make first? I’ll lead it off.

 

Alan:                           Go ahead.

 

Eric:                            We – one of the things that we – both from Snyk’s perspective and our perspective, we hear from customers all the time, “Hey, we want – we want these solutions, the developer and the running – to integrate better together. We need a better workflow.” So we’re responding to that by kinda creating this partnership, to one, kinda make sure that customers have a complete solution when they’re think – because the lines have been blurred in the world of containers between devs and ops and security people. And so by coming together, we’re providing kind of this entire spectrum. And then we didn’t stop there, which is something we’ll talk about, which is we’re actually able to use the strength of – Sysdig’s the leader in runtime security helping the leader in development security by providing feedback that helps to address vulnerabilities in a more effective way. And Jim can talk a little bit more about that.

 

Jim:                             Yeah. It’s a hundred percent true. So the big sort of dirty secret on containers is you run a vulnerability scan and you get this – you get this spreadsheet that’s hundreds of vulnerabilities long. And I’m not sure anybody really wants to or likes to deal with any of that. And I think for a developer, it’s really hard to even sorta figure out how to deal with that. So we’re – we’ve been integrated into that process really early. But the great thing about this partnership and this integration with Sysdig is we get those runtime signals and feed those back to the developer, so the developer can see exactly what things are the most important parts of their container and what things need to be fixed first. So that’s, in my geeky view, the most exciting piece of this.

 

Alan:                           So lemme see if I can give people a layman’s kinda overview here. And keep in mind, I started a company that was doing vulnerability management in 2005, so I know a little bit about this stuff. You’re right. Container vulnerability scanning is even – our vulnerability solution at the company I used to work for was called VAM, Vulnerability _____ Management. We found out that our customers used to call it the bad news generator because it was a bad news generator, right? You would scan your network, and like you said, you’d get a telephone book of things that needed to get done. And it just – I mean, it made work for people.

Back then, it only made work for security people because the developers, that wasn’t their problem, right? It was already deployed. No one scanned pre-deployment. What were we thinking? Containers exasperate that because we – when we scan for containers, we’re scanning container configuration, whether that’s in Kubernetes or whatever you’re using, the configuration of these containers and the stack they’re running in. And then we’re scanning payload of the container.

And you have an application that’s distributed over dozens of containers with a little payload in each of them. And how – and then it’s not just the payload in that container, but how does the payload in this container interact with the payload in that container? Does that create some sort of dependency or vulnerability? It’s a nightmare. It’s hard, right?

 

Jim:                             Yeah.

 

Alan:                           And Snyk does a really good job of it. What I’m hearing, though, is now, “Sneak” or “Snick” – Sneak?

 

Jim:                             “Sneak.”

 

Alan:                           Snyk and Sysdig. Sysdig does a really good job of that, I might add, not Snyk. Snyk works with developers. But now developers, using Snyk, will be able to get feedback loops from Sysdig scanning and helping them make heads or tails and prioritize what we’re seeing in these – I’m gonna imagine it’s the container payloads, not the container configs. Or is it both? Eric, that might be a thing you could answer.

 

Eric:                            It really is looking at – we identify the container, but we also identify what’s actually running. I was thinking about this this morning, right? And our approach is we’re observing everything happening in a running environment. We do that at the system call level, which people that know Sysdig know that’s our claim to fame. Our founder Loris helped create this solution. And he likens it to a security camera.

So by having that security camera, we’re able to actually see – like, let’s say we see the car approaching. We can see not just the car, we see who’s driving the car. And in this case, we’re able to actually pass that information back, like, “The passengers are fine. What we really need to check is that driver,” right? And so in this case, we can get a container with a bunch of stuff that’s in it, but they’re not really doing anything. So if the vulnerability is in an active package, that’s what you wanna fix first.

Now, in our testing – initial testing – one of the examples, it’s like there’s a thousand vulnerabilities in this container. Snyk does a good job of saying, “To get rid of most of these, you can use – upgrade to this container base image.” Then you click this Execute button and it says, “These are the things that actually run in the environment.” So we went from a thousand to three that you really needed to pay attention to. So think about that percentage. It’s like – we’ve seen up to 95 percent reduction in noise, which is really – developers are gonna be really excited when they can turn some –

 

Alan:                           No, that’s huge. I got news for you. Not only developers are gonna be really excited, the security people will be really excited too.

 

Eric:                            Absolutely. Absolutely.

 

Jim:                             Yeah.

 

Alan:                           You know what I mean? It’s not job security – you know, security people are getting fired because there’s a lack of vulnerabilities in the world? You know what I mean? But just having less vulnerabilities that are front and center, that are hot, is a huge help to them as well. And Jim, this is – this is sort of new ground, if you will, for Snyk. ’Cause when we think of Snyk, we think about, really, pre-deployment developer security for the most part, right?

 

Jim:                             Right.

 

Alan:                           And now, we’re moving into a post-deployment feedback loop situation, which is a bit of a – an expansion, if you will. So how will we deal with this? Is this via APIs? Is there some formal, one-off sort of integration between the two? Is there a common interface? What are plans maybe going forward for interface in – integration? I’ll let the both of you chime in.

 

Jim:                             Yep. Yeah, we’re essentially sharing information. So both Snyk and Sysdig are gonna be in your Kubernetes clusters. That’s a natural byproduct of using Snyk and Sysdig anyway. But when we’re both in the cluster, we can recognize the fact that the other one is there, and we exchange that information. So it’s really – from a customer’s perspective, setting this up is not – there’s nothing special or extra or additional that they need to do that’s complicated, to make this work. They just talk to each other and share that information.

If you’re a Snyk user, then you’ve got your Snyk results that you see anyway. You just get this extra bit of metadata, that executed box that Eric talked about, which basically just knocks out all the noise, the stuff that you don’t have to worry about. So as an interface goes, wherever developer sees the Snyk results, which isn’t always – in fact, probably is not often in the Snyk UI. They probably see it in other tools that they’re using. But wherever they see those results, they can just filter that right, straight down to the things that are being executed. So really nice and simple setup and integration of these two.

 

Eric:                            And Alan, you mentioned the security people. Now imagine a security person who’s now saying, “Hey, I’ve looked at your reports and there’s all these vulnerabilities.” Well, the developer and the security person can now – be able to say, “Hey, no, but look. These are the ones that are actually running. These are the real threats. We want to address as many vulnerabilities as possible, but doesn’t it make sense to address the ones that actually get invoked at runtime?” And that’s as simple as this is.

 

Jim:                             Yeah. Yeah. It’s –

 

Alan:                           Absolutely.

 

Jim:                             I was gonna say it’s a – it’s a huge help, I think, for security ’cause it’s – the burden for this often falls on security’s shoulders, to go through that long list of vulnerabilities and for them to try and figure out, which of these are the ones we should tell developers to focus on, and what are we gonna open tickets for? And this can take a lotta that work, I think, right outta the way. So this is gonna be great for them.

 

Eric:                            And look, one of the headlines, Alan, was that we are helping the developers, DevOps, DevSecOps, SecOps, call ’em what you want – that these folks can now, I guess, more – work better together because there – there’s kind of a shared set of information and data. And obviously the more we fix and then it runs, there’s less issues for the DevOps or DevSecOps people to chase down. So that’s what we mean by not just having this integration, but providing that complete kind of coverage and picture for these organizations.

 

Alan:                           Sure. Couple things. So when you say they’re sharing information within, let’s say, the Kubernetes environment, how exactly are they sharing it?

 

Eric:                            When I refer to that, I’m referring to that we’ve discovered this information, that we’re making it available via API. Snyk’s _____ will grab that –

 

Alan:                           So it is – it’s an API direct from [crosstalk] to Snyk?

 

Eric:                            Yeah.

 

Jim:                             Yeah.

 

Eric:                            Absolutely. They come by and periodically check that, and, “Hey, this is – ”

 

Alan:                           Meaning it’s not information hanging out in the ethosphere that someone else could grab?

 

Eric:                            No.

 

Alan:                           It’s not meant for everyone to see, obviously.

 

Eric:                            It all happened – we’re both great partners with cloud providers like AWS. It all will happen in your AWS environment or wherever you’re running it. And so yeah, it’s kind of a direct connection, as Jim said, when we’re both installed and instrumented for that Kubernetes environment.

 

Alan:                           Absolutely. Jim, I mentioned this is a bit of an expansion for Snyk. We’re recording this with a time and place, but of course Snyk announced a further expansion into the cloud today with the acquisition of Fugue. And I’m just – I mean, it makes sense to me. Is there – does this play in there somehow, helping – again, the more – the more the better, the more the merrier when it comes to cloud security, certainly. Does this have any kinda play in that, does this integration?

 

Jim:                             Yeah. I think it – I think it underscores exactly what you said, which is customers want that breadth of security and support, and they wanna see the vendors like Snyk and Sysdig integrate and share information for the right audiences. I think that our strengths are – as independent companies are we’re very dev-first, very dev-focused. And that’s where this Fugue integration – acquisition is very focused on that. And I think Sysdig is clearly a leader in the runtime security, behavioral, analytics, incident response, and forensics, and a number of other categories, too. And so I think it definitely shows off that breadth and sort of underscores what customers want. And I think this is a – this partnership is a great signal for that for sure.

 

Eric:                            Yeah. I think it reemphasizes our mission, Jim, which is really broadening the context and what’s available. And like you said, starting with our open source project Falco, which Alan, I think you’re aware of – that is – that is the underpinnings of what we do with Sysdig Secure, which is what we’ve integrated with Snyk Container. And that’s that real-time behavioral analysis that we’re known for, that’s a part of this. And the more tooling you can get to broaden the visibility and security – this is really – it’s great.

 

Alan:                           So guys, I did BizDev for a really long time, so I know – I know my strategic partnerships like this. No one does just a one-off, right? There’s gotta be a phase 2, a phase 3, big plans down the road. What comes next for this partnership?

 

Jim:                             I think right now, we’re – this first part of the partnership is super exciting to us. We’ve got – we’ve had a few briefings with some customers ahead of time, and all of them are super interested in what we’re building here. So I think we’re excited to get this first one out the door. To your point, though, I think we’re excited to hear what customers see and what customers say about this and explore what we do next.

So it’s definitely been – I know from Snyk’s perspective, this has been a fantastic partnership. It’s been great working with the Sysdig team for the last couple months on this and getting prepared for this. And it’s just a – it feels like a much different partnership than others I’ve experienced, not just at Snyk, but lots of other companies before. So this is – it’s a really unique opportunity I think both of us are excited about.

 

Eric:                            And Alan, there is a lotta talk about culture and company culture. And I think this has been a good marriage, if you will – and it even goes to the top, like the – Peter McKay, the CEO of Snyk, and Suresh Vasudevan have worked together in previous lives. So it’s almost a natural fit down to the bottom, right?

 

Jim:                             Yeah.

 

Alan:                           Good. Glad to hear it. Hey, guys, for – audience maybe wanna find out more about this integration, more about this partnership, I imagine it’s both on the Snyk and Sysdig’s websites. Where can – just go to the front page of Snyk.com or Sysdig.com and look under “News,” or where do you find this?

 

Eric:                            Yeah, exactly. Right on our front page today, there’s the – a blog that we’ve written. You can get to the PR – we have a partner page. And then all that links directly to what Jim has written about the partnership on Snyk.com – or Snyk.io, pardon me.

 

Jim:                             Snyk.io, yeah.

 

Alan:                           My fault. Snyk.io. You’re right. Cool. Well, guys, congratulations. This sounds like a great partnership. And the real winners are the people out here watching this, developers and security folks who are looking to make lives easier and be more productive and stop the bad news generators. I wish you both success. Come back and keep us posted, okay, guys?

 

Eric:                            You bet. Thank you, Alan.

 

Jim:                             Sounds great. Thanks, Alan.

 

Alan:                           All right, Jim Armstrong, Eric Carter here on Techstrong TV. We’re gonna take a break, and we’ll be right back.

 

[Music Playing]

 

[End of Audio]

Alan Shimel

As Editor-in-chief of DevOps.com and Container Journal, Alan Shimel is attuned to the world of technology. Alan has founded and helped several technology ventures, including StillSecure, where he guided the company in bringing innovative and effective networking and security solutions to the marketplace. Shimel is an often-cited personality in the security and technology community and is a sought-after speaker at industry and government conferences and events. In addition to his writing on DevOps.com and Network World, his commentary about the state of technology is followed closely by many industry insiders via his blog and podcast, "Ashimmy, After All These Years" (www.ashimmy.com). Alan has helped build several successful technology companies by combining a strong business background with a deep knowledge of technology. His legal background, long experience in the field, and New York street smarts combine to form a unique personality.
