igor - Fotolia
Snyk, a maker of security tools for developers, has introduced new features that help developers prioritize which code vulnerabilities most urgently to avoid hacker intrusions.
The vendor's new prioritization capabilities help developers and security teams identify and fix the most critical vulnerabilities for open source code and containers in the development process, said Aner Mazur, chief product officer at Snyk.
Snyk's tools focus on baking in security early in the development lifecycle, an approach known as shifting left. The new features give developers a Priority Score for vulnerabilities that directs them to fix the most pressing problems first.
"You have to empower developers to take ownership of the security process based on the organization's security policies by embedding these capabilities into the development lifecycle," Mazur said. "Developers and security professionals have to know where to start."
Prioritization helps enterprises avoid attacks from would-be intruders by helping developers mitigate vulnerabilities that pose the greatest risk.
"This is good for transparency and trust between security teams and developers, because security is more relevant as it is integrated into the development lifecycle," Mazur said.
The evolution of prioritization
Years ago, security pros would present developers with a laundry list of security issues, but little context as to what was most important or of greatest risk.
"So, what should be prioritized? It's not just the criticality of a vulnerability -- though that's important -- but it's how that vulnerability presents itself in the product," said Sandy Carielli, an analyst at Forrester Research. "Does the product's code path touch that vulnerability often or never? That context matters. Imagine being told that it was absolutely urgent that you replace a car's headlight only to find out that the car in question is sitting in a garage and won't be driven for another six months."
Prior to adding these new features, Snyk would prioritize vulnerabilities in development projects using severity information such as the Common Vulnerability Scoring System (CVSS) score. CVSS provides a good sense of the severity of a vulnerability in isolation when it was discovered, but it doesn't include any context about how a user works with the software. With the prioritization features Snyk introduced this week, developers get severity information along with a wealth of contextual information, Mazur said.
For instance, it provides information on public exploits already available for the vulnerability. It checks to see if the vulnerable function in the open source library needed to exploit the vulnerability is actually reachable from the developer's own code. And in the case of projects run in Kubernetes, it determines whether the workload is configured to help mitigate the vulnerability.
Sandy CarielliAnalyst, Forrester
"With the combination of the initial severity, and a range of contextual factors, Snyk can provide a much clearer picture of which vulnerabilities need to be fixed first," Mazur said.
Building on the Priority Score, Snyk provides tools for enterprises to manage prioritization at scale, with comprehensive reporting and tooling that enable security teams to define their policies to influence the prioritization.
"Good prioritization tells a developer not only which security findings are the highest risks, but why," Carielli said. "It also provides the security team with the context to understand whether a finding is truly high risk, so it helps stave off conflicts between security and development. All of this helps the development team make the most efficient use of their time and build a more secure product."