Snyk unveils new ASPM offering to help DevSecOps manage cloud application risks

Developer security solution provider, Snyk, has launched an application security posture management (ASPM) offering, dubbed Snyk AppRisk, to help application security (AppSec) teams monitor and manage their cybersecurity programs better.

The offering will feature a workbench, which will allow developers and security teams to collaborate and address cybersecurity challenges through asset discovery and risk-based prioritization.

“Snyk has been known as a pioneer in developer-focused tools to help developers better incorporate security into their development processes and free up security from being a bottleneck to faster cloud-native development cycles. It was mostly known for its software component analysis and software supply chain capabilities,” said Melinda Marks, senior analyst at ESG. “This (launch) helps them extend their brand as a broader application security vendor for modern, cloud-native development.”

Snyk AppRisk will be available in two editions. AppRisk Essentials, available immediately, will target existing Snyk customers and work only with Snyk tools. In early 2024, the company will launch AppRisk Pro, an enterprise-focused offering that’ll work with Synk and non-Snyk developer security tools.

Automating asset discovery, security controls, and risk prioritization

Snyk AppRisk combines the existing capabilities of the Snyk developer security platform — including telemetry and security controls — with an ASPM workbench and a set of new abilities for the DevSecOps teams.

AppRisk offers the ability to automate application asset discovery, which allows security teams to configure the ASPM workbench to discover application assets and classify them by business context continually. This context-based classification combined with Snyk’s existing controls to analyze and quantify risks powers the new risk prioritization engine.

Additionally, the new offering allows the DevSecOps teams to define and manage appropriate security and compliance requirements, while verifying applications have the correct controls in place, according to Snyk.

Visualization and context for prioritization are key

According to Marks, Snyk will have to focus on two key areas for the new offering to be effective. These include the ability to have a granular visualization of the application assets and an effective quantification of risks with a focus on the context used.

“Vulnerability management is challenging with cloud-native applications because there are multiple layers to test and scan to effectively manage risk, including infrastructure as code, custom code, container images, third-party code, and other dynamic and often ephemeral elements,” Marks said. “It’s necessary to scan to catch possible issues, but the number of alerts can be overwhelming to prioritize remediation in time to prevent incidents or reduce the impact of a breach. These types of solutions that help provide the context of how the applications are built and the connections to the resources that they are making help application security teams understand what needs attention so they can work efficiently, prioritizing what needs urgent attention.”

Snyk’s consolidation of application security controls could be comfortably termed as a cloud-native application protection platform (CNAPP) offering instead of an ASPM offering, Marks remarked adding that, “application security is a growing area for overall security risk management with the increased adoption of cloud services, and we can expect to see organizations consolidating their tools to optimize efficiency for their security teams.”