Snyk Reviews

I lead a code security practice for our organization. We integrated Snyk into our GitHub, using CLI to automatically scan codebases and identify issues. We are a large organization with three independent entities, consolidating Snyk across all entities. 

We also provide access through numerous CI/CD tools. Our default implementation mechanism is CLI, but we also use the Web UI for a comprehensive view and recommendations.

For large organizations like ours, cost is a major factor. Snyk is the most cost-effective solution compared to others like Check Point. 

We consolidated Snyk across three entities that used different tools. As a result, our organization became one of the largest in implementing Snyk.

We use some legacy and some new languages as we are aiming for serverless solutions. We're using serverless as is and with Python. We import it to Snyk to do SAST scanning for every one of our repositories on the Bitbucket pipeline. At least 350 repositories, including libraries and some automation such as robots or scripts. We have a huge background in using this tool.

We have seen an improvement this month. My security team told me, "We need to break your pipeline if the tools present critical and high-end security issues on the code, so this code cannot go to a staging or homologation environment." I then made improvements to the tools, which were not cheap. But it's a standard feature and a customer need, so I do this, then we apply. Using Snyk, we get the results and the reports and deploy the applications with high-end critical issues of security such as DoS or Cross-Site scripting, any kind of present, on the Snyk IO solution.

The best feature of Snyk is the integration with our ticketing system, which is Jira. That integration was one we were specifically looking for. The deep integration with our IDE and repository is another valuable feature. In terms of deploying these features, it's seamless.

Snyk should improve the scanning capabilities for other languages. For example, Veracode is strong with different languages such as Java, C#, and others. However, Snyk performs better at mobile source code scanning compared to Veracode. If both capabilities were combined, that would be exceptional.

As we are moving toward GenAI, we expect Snyk to leverage AI features to improve code scanning findings. One key feature we are currently examining with Veracode is AIVSS (Artificial Intelligence VSS), which is an extension of CVSS to cover use cases or top 10 LLM findings during code scanning. Since this is relatively new, we expect upcoming features to cover AI scoring. We have AI projects currently deploying in our organization, and we want to cover not only normal CVSS but also receive an AI assessment score. Both Veracode and Snyk should implement this new scoring system for CVSS and AIVSS.

The main tool today is used to check for security issues in our products. We use it to analyze all the projects, and our security efforts are based partly on this tool.

There are major impacts related to increasing security awareness and managing risks. Snyk has been an essential tool in that aspect.

We are using an enterprise version of Snyk for image scanning. We use Snyk to identify and address vulnerabilities in our open-source dependencies and to scan the Docker images.

The solution's Open Source feature gives us notifications and suggestions regarding how to address vulnerabilities.

The major problem my company found in relation to our customers was in the area of Zip Slip security as they don't have any security tools in place. My company's customers don't have any security tools integrated into the CI/CD pipelines they use in their company. With Snyk, SCA checks code and third-party dependencies upfront.

When it comes to Snyk, it is not about its features since it is a developer-focused tool, making it possible for developers to easily integrate the tool with other solutions. The automation part and reporting feature of the solution are good. Nowadays, people opt for Cloud Native Pod system architecture, under which good tools are offered to users to use for their applications.

I use the tool in my company to scan open-source projects.

I don't use Snyk anymore. The tool is just used in our company, but not by me anymore.

It is important that the solution has the ability to match up with the OWASP Top 10 list, especially considering that sometimes, it cannot fix certain issues. Users might face 100 vulnerabilities during the production phase, and they may not be able to fix them all. Different companies have different levels of risk appetite. In a highly regulated industry, users of the product should be able to fix all the vulnerabilities, especially the internal ones. The tool should provide more flexibility and guidance to help us fix the top vulnerabilities before we go into production.