Snyk Founder Guy Podjarny, left, and CEO Peter McKay (Snyk)

DevSecOps company Snyk — one of the most watched companies in cybersecurity with an $8.6 billion valuation — announced Thursday it acquired cloud security posture management (CSPM) company Fugue, a move that puts Snyk solidly in the cloud arena.

Guy Podjarny, founder of Snyk, said by joining forces with Snyk, Fugue’s CSPM capabilities will extend the Snyk Developer Security Platform, creating one of the industry’s first CSPMs designed by and for developers.

“As the role of developers has evolved to now include the continued security of applications after they are deployed, Snyk has joined forces with Fugue to now empower global DevSecOps teams to secure their code before deployment as well as maintain its security once running,” Podjarny said. “Together, we look forward to reaching more developers in more places in 2022 and beyond.”

Podjarny said later this year, a newly launched Snyk cloud platform will unite and then extend Snyk’s Infrastructure as Code (IaC) and Fugue’s cloud security capabilities. This will help developers secure their code before deployment, maintain its secure integrity while running, and better understand the precise places to provide fixes back in the code.

The marriage of Snyk’s secure development world with Fugue’s CSPM was viewed by analysts as a good move for both companies.

“This is a good move for Snyk as part of its developer-first approach,” said Melinda Marks, a senior analyst with the Enterprise Strategy Group. “With the growing use of IaC, such as Terraform and CloudFormation, developers are using templates and scripts to rapidly provision their applications and infrastructure to the cloud. There’s a high chance of mistakes, and if there’s a code flaw or misconfiguration, it can expose customer or company data if deployed in production.”

“Snyk has not really been a cloud security vendor, even though it’s applied to security use cases in the cloud,” explained Frank Dickson, program vice president for security and trust at IDC. Dickson said Snyk has aggressively carved out a niche in secure code development by validating the posture of open-source code and code dependencies used in active applications.

“Essentially, it’s a tool that application developers use to ensure that code is valid before leveraging it in applications rather than having security professionals check the code at deployment,” said Dickson. “It services that ‘ounce of prevention is worth a pound of cure’ use case. The acquisition of Fugue opens the aperture of Snyk from build and deploy phases to now include active production environments. In the past, Snyk would depend on partnerships with companies like Trend Micro for such visibility, so Snyk is now better able to appeal directly to CISO use cases by continually validating the legitimacy of code in actively deployed applications.”