According to a recent Prosper Insights & Analytics Survey, over one-quarter of US consumers have not taken any steps to protect their digital/online privacy – and that means it is more important than ever for organizations to ensure their software and applications are as bulletproof as possible against bad actors. However, the rapid shift to digital and the fast-paced nature of business in today’s post-pandemic world, coupled with the growing and sophisticated threat landscape, continues to challenge even the most advanced security teams.
Something needs to change, and one company is arguing that the industry requires a new approach to security centered on developers. After all, developers have become the lifeblood of an organization’s digital transformation journey – but the faster developers move to bring new applications to market, the greater the chances for flaws or security issues within their code.
I recently had the opportunity to speak with Peter McKay, CEO of Snyk, about the rise of developer-first security, its impact on the industry, and how Snyk is making embedding security easy so that developers (and their software) are set up for success from the start.
Gary Drenik: Cybersecurity is top-of-mind for companies around the world and there are a lot of vendors on the market, but Snyk has a completely unique approach. Can you explain what developer-first security is?
Peter McKay: Developer-first security is an approach that embeds security early into the software development lifecycle — where it is faster and more efficient — not downstream as a post-build activity. In many ways, this is a complete departure from how organizations traditionally thought about security. Rather than securing platforms and applications after-the-fact with point solutions, this approach integrates security at the code level, so organizations are able to innovate without compromising security.
That being said, developers are not always security experts – which means they need the right tools, practices, and support to have security start with their team. This is where the Snyk Developer Security Platform comes in. Simply put, we make embedding security easy for developers. Our platform is the only solution to provide security visibility and remediation for every critical component of the modern application, including the application code, open-source libraries, container infrastructure and infrastructure as code.
Drenik: Why do vulnerabilities exist in the development process today?
McKay: Every one of the world’s developers, expected to reach 40+ million by 2025 according to IDC, would choose to build secure software over insecure software if it was the same effort. However, there has historically been too much friction in the process that makes security hard for developers to do. A big part of that is products are rarely built with the developers’ challenges or needs in mind. Incorporating security (without the right tools) requires adopting a process that is disruptive to your workflow. Our goal is to make security as easy as it can be, seamlessly weaving it into each developer’s existing workflow.
Drenik: The pandemic accelerated digital transformation, but cybersecurity has not necessarily kept up with the pace of innovation. How can organizations ensure that they are bringing new applications to the market as quickly as possible without compromising safety?
McKay: Security needs to be embedded into developers’ workflows so that it is possible to scale without slowing the pace of innovation required in this digital-first, post-pandemic world. Finding and fixing security vulnerabilities during development (rather than after) accelerates software delivery, eliminates bottlenecks, achieves scale, and ensures that companies are building software that is more secure. One key benefit is that development teams are empowered to become more self-sufficient – embedding security into their continuous development process means they no longer have to wait for anyone else to give them the green light to keep moving fast on the road to digital transformation.
Drenik: There is a widespread shortage of cybersecurity talent – and while no developer wants to be associated with an app that was hacked, they also do not necessarily have the desire or bandwidth to become security experts themselves. What can business leaders do to close this gap?
McKay: It is true that no developer wants to be associated with an app that was hacked – but, again, that is becoming more challenging for a number of reasons. Despite the rise of cyber threats, many are not taking the appropriate steps to protect themselves even as they turn to apps for more and more critical tasks in both their personal lives. For example, more than half of US adults use their smartphones for banking, according to a Prosper Insights & Analytics Survey, but over one-quarter have not taken any steps to protect their digital/online privacy.
This means it is largely up to the software providers to provide security, but like you mentioned, there is a pervasive cybersecurity talent shortage with 3.5 million unfilled security jobs. The pool of skilled developers, on the other hand, is growing exponentially every day, so empowering them to build software and applications more securely is one way to help bridge this gap.
As an industry, we need to equip developers with the ability to proactively address vulnerabilities and continuously implement security throughout the software development lifecycle.
Drenik: Can you provide some real-world examples of how Snyk customers are taking a developer-first approach and how this has impacted their business?
McKay: Today, Snyk is used by millions of developers at more than 1,500 organizations around the world, with our ultimate vision to each one of the world’s developers.
One segment in particular where we saw great momentum in 2021 that has continued into 2022 is financial services.
I am proud to say that many of the world’s most well-known and respected financial services institutions are now embracing our developer-first approach to support their digital transformation efforts, ensuring their applications are secure from code to cloud.
Drenik: What are the main cybersecurity issues and threats that organizations should be paying attention to in 2022? What can they do to avoid falling victim?
McKay: One issue we continue to pay very close attention to is the log4j vulnerability and its ongoing impact on software supply chain security.
At the time the issue was first exposed in December 2021, Snyk data showed that over 60% of projects using log4j were using it indirectly, and half were using it in multiple paths – meaning that, without being proactive, organizations might not even realize they were impacted until it was too late.
You can read more about Snyk’s analysis and recommendations for remediating the developing situation here.
While the severity and frequency of threats may increase, businesses will be better prepared if developer-first security becomes the industry standard in the near term. Applications built securely will break the tradition of add-on security measures, while trimming costs and boosting productivity – and because more secure applications will lead to more secure businesses, businesses can thrive by reducing risk and differentiating by innovating securely.
Drenik: Thanks, Peter, for your insights on developer-first security and what we can expect from the future of secure innovation.