We’ve been scanning for vulnerabilities for a very long time (over 20 years for me), but the shift away from device vulnerabilities to application vulnerabilities creates some new challenges. Applications in the modern, digitally transformed world are much more complex. They include open source components and custom code, are deployed in containers, and run in both cloud and on-premise environments. How do you effectively identify and remediate vulnerabilities across this vast application surface?
Various new application security markets have emerged to address these challenges. For this article, I want to focus on two: Software Composition Analysis and Container Security, as both try to solve the challenges of third-party components and libraries. The basic concept is simple – scan the third-party binaries and libraries included in my code or container for vulnerabilities and report on them. But how deep do these scans go? Can they identify hidden vulnerabilities in binaries and libraries that are 2, 3, or even 4 levels deep? It’s these transitive vulnerabilities that are hardest to find and can lead to application compromise.
This is where Snyk provides some very interesting capabilities. By using an application graph, Snyk can visualize all of the dependencies within your code or containers, and not just the direct dependencies. Snyk recursively identifies third-party dependencies and their associated vulnerabilities, making it easier to find those hidden vulnerabilities in your code and containers.
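To make the difference between a direct-dependency scan and a recursive one concrete, here is an added example (my own illustration, not Snyk's code or its algorithm). It builds a small resolved dependency graph in the shape a lockfile would give you, a constructed advisory list with placeholder identifiers, and then runs two scans over it: one that only looks at the application's immediate dependencies, and one that walks the whole graph breadth-first, records the depth at which each vulnerable package is introduced, survives a dependency cycle, and names the direct dependency you would bump to remediate. All package names, versions and advisory ids are constructed for the example.

```python
"""Added example: transitive dependency scan versus direct-only scan.

Constructed data, not from Snyk or any real advisory feed: a resolved
dependency graph (package@version -> its dependencies) and a tiny
vulnerability list keyed on (package, version). A real SCA tool reads a
lockfile or SBOM and queries an advisory database; the walk is the same.
"""
from collections import deque

# Constructed resolved dependency graph. It deliberately contains a cycle
# (svc-core <-> svc-util), which real graphs can have and a naive recursive
# walk would loop on forever.
DEP_GRAPH = {
    "app@1.0.0": ["web-framework@2.1.0", "svc-core@0.4.2"],
    "web-framework@2.1.0": ["http-parser@1.2.0", "template-engine@3.0.1"],
    "http-parser@1.2.0": [],
    "template-engine@3.0.1": ["escape-html@0.9.0"],
    "escape-html@0.9.0": ["string-utils@1.0.0"],
    "string-utils@1.0.0": [],
    "svc-core@0.4.2": ["svc-util@0.4.2", "string-utils@1.0.0"],
    "svc-util@0.4.2": ["svc-core@0.4.2"],  # cycle back to svc-core
}

# Constructed advisory list: (package, version) -> (placeholder id, fixed-in version).
VULN_DB = {
    ("escape-html", "0.9.0"): ("EXAMPLE-ADV-001", "0.9.1"),
    ("svc-core", "0.4.2"): ("EXAMPLE-ADV-002", "0.5.0"),
}


def split(node):
    """'name@version' -> (name, version); rsplit keeps scoped names like @org/pkg intact."""
    name, version = node.rsplit("@", 1)
    return name, version


def make_finding(dep, path):
    adv, fixed = VULN_DB[split(dep)]
    return {"package": dep, "advisory": adv, "fixed_in": fixed,
            "depth": len(path) - 1, "path": path}


def scan_direct(root):
    """What a direct-only scan sees: just the root's immediate dependencies."""
    return [make_finding(dep, [root, dep])
            for dep in DEP_GRAPH.get(root, []) if split(dep) in VULN_DB]


def scan_transitive(root):
    """Breadth-first walk of the whole graph.

    BFS reports each package at the shortest path from the root, which is the
    path remediation cares about. Marking nodes as seen when they are enqueued
    means every package is reported once and cycles terminate.
    """
    findings = []
    seen = {root}
    queue = deque([(root, [root])])
    while queue:
        node, path = queue.popleft()
        for dep in DEP_GRAPH.get(node, []):
            if dep in seen:
                continue
            seen.add(dep)
            dep_path = path + [dep]
            if split(dep) in VULN_DB:
                findings.append(make_finding(dep, dep_path))
            queue.append((dep, dep_path))
    return findings


def remediation_target(finding):
    """The direct dependency to upgrade or replace: the first hop after the root."""
    return finding["path"][1]


def report(findings):
    lines = []
    for f in sorted(findings, key=lambda f: f["depth"]):
        lines.append(f"{f['advisory']} in {f['package']} "
                     f"(depth {f['depth']}, fixed in {f['fixed_in']})")
        lines.append("  introduced via " + " -> ".join(f["path"]))
        lines.append(f"  remediate through direct dependency {remediation_target(f)}")
    return "\n".join(lines)


if __name__ == "__main__":
    direct = scan_direct("app@1.0.0")
    full = scan_transitive("app@1.0.0")
    print(f"direct-only scan: {len(direct)} finding(s)\n{report(direct)}\n")
    print(f"transitive scan: {len(full)} finding(s)\n{report(full)}")
```

On this constructed graph the direct-only scan reports a single vulnerable package, while the transitive walk also surfaces the vulnerable escape-html package three levels down, reached only through web-framework and template-engine. That path is what turns a finding into an action: the fix is applied to the direct dependency at the top of the path, not to a package the developer never chose.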
Snyk lets both developers and application security professionals truly understand and resolve their vulnerabilities by providing:
- Deep visibility into applications and containers
- Ease of use by developers
- Intelligent and accurate context to easily remediate vulnerabilities
To see an overview of Snyk, watch the interview on Application Security Weekly here.