IT Central Station is now PeerSpot: Here's why
Director of Architecture at a tech vendor with 201-500 employees
Real User
Top 10
Clear setup documentation with easily readable APIs
Pros and Cons
  • "It is easy for developers to use. The documentation is clear as well as the APIs are good and easily readable. It's a good solution overall."
  • "We would like to have upfront knowledge on how easy it should be to just pull in an upgraded dependency, e.g., even introduce full automation for dependencies supposed to have no impact on the business side of things. Therefore, we would like some output when you get the report with the dependencies. We want to get additional information on the expected impact of the business code that is using the dependency with the newer version. This probably won't be easy to add, but it would be helpful."

What is our primary use case?

We have been considering Snyk in order to improve the security of our platform, in terms of Docker image security as well as software dependency security. Ultimately, we decided to roll out only the part related to software dependency security plus the licensing mechanism, allowing us to automate the management of licenses. We have integrated Snyk in the testing phase, like in the testing environment. We are in the process of rolling the solution out across our entire platform, which we will be doing soon. The APIs have enabled us to do whatever we have needed, and the amount of effort for the integration on our end has been reasonable. The solution works well and should continue to work well after the full-scale roll-out.

How has it helped my organization?

We expect to get additional benefits in terms of validating our software security.  The solution does its job to help developers find and fix vulnerabilities quickly. So, it is working well. 

What is most valuable?

The platform's ease of use Good support from the customer success team  A transparent solution Functionally coherent and powerful The overall goal is to have a high security platform delivered in an easy way. This is in terms of the effort that we have to put in as well as cost. From this perspective, Snyk looks like the most promising solution. So far, so good. It is easy for developers to use. The documentation is clear as well as the APIs are good and easily readable. It's a good solution overall.

What needs improvement?

We would like to have upfront knowledge on how easy it should be to just pull in an upgraded dependency, e.g., even introduce full automation for dependencies supposed to have no impact on the business side of things. Therefore, we would like some output when you get the report with the dependencies. We want to get additional information on the expected impact of the business code that is using the dependency with the newer version. This probably won't be easy to add, but it would be helpful.
Buyer's Guide
Snyk
June 2022
Learn what your peers think about Snyk. Get advice and tips from experienced pros sharing their opinions. Updated: June 2022.
611,060 professionals have used our research since 2012.

For how long have I used the solution?

We have been using it for about three months.

What do I think about the stability of the solution?

So far, we have had no concerns regarding the solution's stability. We have had no downtime.

What do I think about the scalability of the solution?

The scalability is okay. When it comes to direct users who are managing it or doing the integration for Snyk, then there are a few developers from the team who own the solution. The goal is to roll this out across all services and supported technologies. Once we finish our rollout phase, then we expect to have full adoption. Thanks to our internal integration, teams will just be seeing the updated dependencies whenever they are available. So, Snyk will be doing the hard magic behind the scenes for everyone.

How are customer service and support?

The customer success team is a solid team. I liked their approach from the very beginning and after signing the contract. They kept things looking good, which is a good sign. We haven't had an opportunity to validate some hard cases with the technical support yet.

Which solution did I use previously and why did I switch?

We did not previously use another solution.

How was the initial setup?

The initial setup was easy and nicely documented. We have been managing the deployment with other initiatives that we are running. We haven't had major obstacles with the deployment so far. For our implementation strategy, we first worked on the plan of, "How do you want to integrate it?" We investigated the best setup, then we just went to the implementation phase from the research phase.

What about the implementation team?

One software engineer is enough for deployment and maintenance. We had to split the duties of this between several people, but one person is enough.  Keep extracting knowledge from the Snyk team. They are very helpful during the process, so make sure to use them.

What was our ROI?

The more security that we have, the more confident we are. You never know when you will be actually attacked. Hopefully, this will not be validated anytime soon in reality. However, by doing our penetration tests, we are validating the system on a regular basis, which will also help improve our overall confidence in this area.  It gives us peace of mind that there is nothing hidden that hasn't been taken care of. That is also important. The solution has reduced the amount of time it takes to fix and find problems.

What's my experience with pricing, setup cost, and licensing?

The pricing is reasonable.

Which other solutions did I evaluate?

For the Docker security feature use case, we decided to go with an open source solution (Trivy), because it is sufficient for our needs. Integration with Trivy was cheap and easy, which makes it cost-effective. Our current use case was simple enough that the existing open source tool was sufficient. Maybe there are use cases that are more advanced and sophisticated, where the open source solution would not be sufficient for an organization. In such cases, the benefits from the paid version would be worth the money. I think it boils down to the specific use case of a company. We were not able to find a sufficient, elegant solution for the dependencies part of our use case. That is why we invested in our partnership with Snyk. After evaluating paid and open source solutions, Snyk was selected as the best tool.

What other advice do I have?

I have heard from my team that it has a comprehensive database. Hopefully, it will work well during the production usage. Our hopes are high. So far, we haven't seen any downsides. We have our internal processes for maintaining and updating dependencies in general. We will be incorporating any suggested updates coming from Snyk into our internal, already-existing process and platform, with some additional effort from our teams. Hopefully, there won't be any major additional effort. Hopefully, cases needing additional effort for issues will be rare. We are using the SAST version of Snyk. Its complexity is reasonable. I would rate it as an eight out of 10.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Security Engineer at a tech vendor with 201-500 employees
Real User
Top 10
Helps us meet compliance requirements and educate devs on security in the SDC
Pros and Cons
  • "It's very easy for developers to use. Onboarding was an easy process for all of the developers within the company. After a quick, half-an-hour to an hour session, they were fully using it on their own. It's very straightforward. Usability is definitely a 10 out of 10."
  • "A feature we would like to see is the ability to archive and store historical data, without actually deleting it. It's a problem because it throws my numbers off. When I'm looking at the dashboard's current vulnerabilities, it's not accurate."

What is our primary use case?

Since some of our development is using open source packages, we need a way to identify the vulnerabilities before using those packages for development. Using Snyk, we can identify all the safe packages, which to use and which to not use, and create a safe repository for developers.

The goal is to catch the vulnerabilities early within the process and fix them before they get to the security review where they can cause deadlines to be pushed out to fix them.

We're using the cloud version.

How has it helped my organization?

It helps us meet compliance requirements, by identifying and fixing vulnerabilities, and to have a robust vulnerability management program. It basically helps keep our company secure, from the application security standpoint.

Snyk also helps improve our company by educating users on the security aspect of the software development cycle. They may have been unaware of all the potential security risks when using open source packages. During this process, they have become educated on what packages to use, the vulnerabilities behind them, and a more secure process for using them.

In addition, its container security feature allows developers to own security for the applications and the containers they run in the cloud. It gives more power to the developers.

Before using Snyk, we weren't identifying the problems. Now, we're seeing the actual problems. It has affected our security posture by identifying open source packages' vulnerabilities and licensing issues. It definitely helps us secure things and see a different facet of security.

It also allows our developers to spend less time securing applications, increasing their productivity. I would estimate the increase in their productivity at 10 to 15 percent, due to Snyk's integration. The scanning is automated through the use of APIs. It's not a manual process. It automates everything and spits out the results. The developers just run a few commands to remediate the vulnerabilities.

What is most valuable?

  • The wide range of programming languages it covers, including Python
  • Identifying the vulnerabilities and providing information on how to fix them — remediation steps

It's very easy for developers to use. Onboarding was an easy process for all of the developers within the company. After a quick, half-an-hour to an hour session, they were fully using it on their own. It's very straightforward. Usability is definitely a 10 out of 10. Our developers are using the dashboard and command lines. All the documentation is provided and I've never had an issue.

We have integrated Snyk into our software development environment. It's something that is ongoing at the moment. Our SDE is VS Code.

Another important feature is the solution’s vulnerability database, in terms of comprehensiveness and accuracy. It's top-notch. It pulls all the data from the CVE database, the national vulnerability database. It's accurate and frequently updated.

What needs improvement?

We use the solution's container security feature. A lot of the vulnerabilities can't be addressed due to OS restraints. They just can't be fixed, even with their recommendations. I would like to see them improve on this.

A feature we would like to see is the ability to archive and store historical data, without actually deleting it. It's a problem because it throws my numbers off. When I'm looking at the dashboard's current vulnerabilities, it's not accurate.

For how long have I used the solution?

We have been using Snyk for a little more than a year.

What do I think about the stability of the solution?

The stability is very good. I haven't noticed any downtime.

What do I think about the scalability of the solution?

It provides easy deployment for different code repositories, so it's easily scalable.

We have about 20 to 25 users and it's being used very extensively, across all our applications.

How are customer service and technical support?

Their technical support is top-notch, a 10 out of 10. I have a Slack channel for direct discussions with support. And I have my account manager for any questions or issues I run into. Response time ranges between instant and three hours. If they don't know the question or the issue, they'll escalate. They'll have someone else join the Slack or give me a Zoom session.

Which solution did I use previously and why did I switch?

This is the first of its kind, that we are using.

How was the initial setup?

The initial setup was very straightforward. The integrations with our code repositories, like Bitbucket and GitHub, are direct. You enter their required information and just pull data from them. There was no setup for any additional VMs or anything else.

Developer adoption has been pretty positive, since it's easy to use. We have 100 percent adoption. They understand the need for security with software development. Everyone's happy with the product, and it allows them to catch vulnerabilities earlier in the software development cycle, rather than later, so they can fix them before they get to the security-review process.

The deployment took a few hours, maybe even less. I was the only one involved in the process. I just followed the directions. We just planned on identifying the specific repositories linking to Snyk, and then started scanning specific projects.

I also take care of maintenance of the solution and it takes less than 5 percent of my time. There is very little maintenance needed since it's a SaaS product.

What was our ROI?

We have seen ROI, although I don't have any data points on it. It's very valuable. It saves time for the developers and security team by quickly identifying things and fixing them before they get down the pipeline. It prevents the creation of additional roadblocks and complexity and the pushing out of deadlines to address issues once they are too far down the pipeline.

Which other solutions did I evaluate?

We didn't find any other options on the market.

What other advice do I have?

The biggest lesson I've learned from using this solution is the complexity of open source licenses. I wasn't aware of all the different types of licenses, and all the terms and conditions required to use specific open source packages.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Buyer's Guide
Snyk
June 2022
Learn what your peers think about Snyk. Get advice and tips from experienced pros sharing their opinions. Updated: June 2022.
611,060 professionals have used our research since 2012.
Nawal Singh - PeerSpot reviewer
Senior DevSecOps/Cloud Engineer at Valeyo
Real User
Top 20
Provides information about the issue as well as resolution, easy to integrate, and never fails
Pros and Cons
  • "It has a nice dashboard where I can see all the vulnerabilities and risks that they provided. I can also see the category of any risk, such as medium, high, and low. They provide the input priority-wise. The team can target the highest one first, and then they can go to medium and low ones."
  • "Its reports are nice and provide information about the issue as well as resolution. They also provide a proper fix. If there's an issue, they provide information in detail about how to remediate that issue."
  • "It would be great if they can include dynamic, interactive, and run-time scanning features. Checkmarx and Veracode provide dynamic, interactive, and run-time scanning, but Snyk doesn't do that. That's the reason there is more inclination towards Veracode, Checkmarx, or AppScan. These are a few tools available in the market that do all four types of scanning: static, dynamic, interactive, and run-time."
  • "We have to integrate with their database, which means we need to send our entire code to them to scan, and they send us the report. A company working in the financial domain usually won't like to share its code or any information outside its network with any third-party provider."

What is our primary use case?

We are using Snyk along with SonarQube, and we are currently more reliant on SonarQube.

With Snyk, we've been doing security and vulnerability assessments. Even though SonarQube does the same when we install the OWASP plugin, we are looking for a dedicated and kind of expert tool in this area that can handle all the security for the code, not one or two things.

We have the latest version, and we always upgrade it. Our code is deployed on the cloud, but we have attached it directly with the Azure DevOps pipeline.

What is most valuable?

It is a nice tool to check the dependencies of your open-source code. It is easy to integrate with your Git or source control. 

It has a nice dashboard where I can see all the vulnerabilities and risks that they provided. I can also see the category of any risk, such as medium, high, and low. They provide the input priority-wise. The team can target the highest one first, and then they can go to medium and low ones. 

Its reports are nice and provide information about the issue as well as resolution. They also provide a proper fix. If there's an issue, they provide information in detail about how to remediate that issue.

It is easy to integrate without a pipeline, and we just need to schedule our scanning. It does that overnight and sends the report through email early morning. This is something most of the tools have, but all of these come in a package together.

It never failed, and it is very easy, reliable, and smooth. 

What needs improvement?

It would be great if they can include dynamic, interactive, and run-time scanning features. Checkmarx and Veracode provide dynamic, interactive, and run-time scanning, but Snyk doesn't do that. That's the reason there is more inclination towards Veracode, Checkmarx, or AppScan. These are a few tools available in the market that do all four types of scanning: static, dynamic, interactive, and run-time.

We have to integrate with their database, which means we need to send our entire code to them to scan, and they send us the report. A company working in the financial domain usually won't like to share its code or any information outside its network with any third-party provider. Such companies try to build the system in-house, and their enterprise-level licensing cost is really huge. There is also an overhead of updating the vulnerability database.

For how long have I used the solution?

It has been more than one and a half years. 

What do I think about the stability of the solution?

It is stable. I haven't had any problems with its stability.

What do I think about the scalability of the solution?

It is easy. We have integrated Snyk with two to four projects, and we do run scanning every week to check the status and improvement in the quality of our code.

Currently, only I am using this solution because I'm handling all the stuff related to infrastructure and DevOps stuff in my company. It is a very small company with 100 to 200 people, and I am kind of introducing this tool in our organization to have enterprise-level stuff. I have used this tool in my old organization, and that's why I am trying to implement it here. I am the only DevOps engineer who works in this organization, and I want to integrate it with different code bases.

How are customer service and technical support?

I've never used their technical support.

How was the initial setup?

It is really straightforward. If someone has set up a simple pipeline, they can just integrate in no time.

What's my experience with pricing, setup cost, and licensing?

Pricing-wise, it is not expensive as compared to other tools. If you have a couple of licenses, you can scan a certain number of projects. It just needs to be attached to them.

What other advice do I have?

I have been using this solution for one and a half years, and I definitely like it. It is awesome in whatever it does right now.

It is a really nice tool if you really want to do the dependency check and security scanning of your code, which falls under static code analysis. You can implement it and go for it for static code analysis, but when it comes to dynamic, interactive, and run-time scanning, you should look for other tools available in the market. These are the only things that are missing in this solution. If it had these features, we would have gone with it because we have already been using it for one and a half years. Now, the time has come where we are looking for new features, but they are not there.

Considering the huge database they have, all the binaries it scans, and other features, I would rate Snyk an eight out of 10. 

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Security Consultant
Real User
Top 5Leaderboard
Automatically creates PRs and fixes the issues, but the knowledge base can be more extensive
Pros and Cons
  • "The advantage of Snyk is that Snyk automatically creates a pull request for all the findings that match or are classified according to the policy that we create. So, once we review the PR within Snyk and we approve the PR, Snyk auto-fixes the issue, which is quite interesting and which isn't there in any other product out there. So, Snyk is a step ahead in this particular area."
  • "All such tools should definitely improve the signatures in their database. Snyk is pretty new to the industry. They have a pretty good knowledge base, but Veracode is on top because Veracode has been in this business for a pretty long time. They do have a pretty large database of all the findings, and the way that the correlation engine works is superb. Snyk is also pretty good, but it is not as good as Veracode in terms of maintaining a large space of all the historical data of vulnerabilities."

What is our primary use case?

Snyk acts as an SCA and also as a SAST. It's like a mix and match.

Our deployment is more of a hybrid deployment. It is 70% cloud and 30% on-prem. The majority of Snyk is a cloud-based solution, but we do have instances where we have it on-prem for various reasons.

What is most valuable?

The advantage of Snyk is that Snyk automatically creates a pull request for all the findings that match or are classified according to the policy that we create. So, once we review the PR within Snyk and we approve the PR, Snyk auto-fixes the issue, which is quite interesting and which isn't there in any other product out there. So, Snyk is a step ahead in this particular area. In the development phase, there are lots of dependencies from one module to another, and if it has to be a manual fix, it takes forever for developers to fix it. We do utilize both functionalities. Sometimes, I get the developers to look at the issues and get them manually fixed, and sometimes, based on the criticality and severity of the finding, I just approve the PR, and Snyk automatically fixes it. I don't need to worry about the dependencies.

What needs improvement?

All such tools should definitely improve the signatures in their database. Snyk is pretty new to the industry. They have a pretty good knowledge base, but Veracode is on top because Veracode has been in this business for a pretty long time. They do have a pretty large database of all the findings, and the way that the correlation engine works is superb. Snyk is also pretty good, but it is not as good as Veracode in terms of maintaining a large space of all the historical data of vulnerabilities.

For how long have I used the solution?

I have been using this solution for about two years. 

What do I think about the scalability of the solution?

It is easily scalable, and it is pretty easy to integrate and manage. However, the tuning is what requires a lot of attention. Snyk, Veracode, Netsparker, or any other similar solution definitely needs somebody to tune it to work properly. Tuning is a little bit tricky, but that's the nature of such solutions.

How are customer service and support?

I had to work with them initially during the integration phase. Their support was okay. It was not that good, but it was also not that bad. There is room for improvement because the support works based on the categories of requests. Along with the categories, if they have an option for the sensitivity or the urgency of issues, it would be really helpful for users.

How was the initial setup?

It was pretty easy. 

What's my experience with pricing, setup cost, and licensing?

It is pretty expensive. It is not a cheap product.

What other advice do I have?

I would rate it a seven out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
Cloud Security Engineer at a manufacturing company with 10,001+ employees
Real User
Easily integrated for scanning and analysis
Pros and Cons
  • "There are many valuable features. For example, the way the scanning feature works. The integration is cool because I can integrate it and I don't need to wait until the CACD, I can plug it in to our local ID, and there I can do the scanning. That is the part I like best."
  • "Basically the licensing costs are a little bit expensive."

What is our primary use case?

Snyk is a code analysis tool. It is a vulnerability finding tool. We use it for those purposes. We use this tool to detect issues particular to users.

Snyk is configured on our local ID environment. So our team and many other teams use it to do a scan before they deploy anything in the production.

What is most valuable?

There are many valuable features. For example, the way the scanning feature works. The integration is cool because I can integrate it and I don't need to wait until the CACD, I can plug it in to our local ID, and there I can do the scanning. That is the part I like best.

What needs improvement?

Feature wise, I like it so far. Maybe a little bit early to call, but feature wise, I'm okay with it. It may be a little bit expensive, but otherwise, it is a good tool.

I don't have any complaints. Thankfully, I had help in the decision-making and the initial integration. After that, the actual development and ops teams are using it. So if they are facing issues or they have any concerns, I'm not sure about that.

Basically the licensing costs are a little bit expensive.

For how long have I used the solution?

I have been using Snyk for a year.

What do I think about the stability of the solution?

It is a stable solution.

What do I think about the scalability of the solution?

In our organization I would say more than 50 and less than a hundred are regularly using Snyk.

How are customer service and support?

Tech support is good. They are reliable and available. Some of the teams are using Snyk and they are not complaining about support. The support is better and they are available whenever we need. We can reach out to them for help.

How was the initial setup?

The initial setup was neither complex nor easy, I would say it was okay.

It took a few weeks.

What about the implementation team?

A few people helped us with the initial setup.

Our experience with them was that they're really good.

Which other solutions did I evaluate?

Snyk is a security analysis tool. We have other tools, some dynamic security analytics tools, and other tools set up, and we wanted to compare which one we should use. We have Contrast, Coverity, and Snyk, and now we are planning to keep one. That was the main reason I had downloaded the code from your site and from many other sites. In the end we are planning to keep Snyk.

What other advice do I have?

Snyk is good. I like to use it. I like to use Snyk over Contrast.

On a scale of one to ten, I would give Snyk an eight.

There is no complaint here. 

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
ZvikaRonen - PeerSpot reviewer
Chief Technology Officer at FOSSAware
Real User
Top 5Leaderboard
Useful software composition analysis, highly scalable, and good support
Pros and Cons
  • "The most valuable feature of Snyk is the software composition analysis."
  • "The reporting mechanism of Snyk could improve. The reporting mechanism is available only on the higher level of license. Adjusting the policy of the current setup of recording this report is something that can improve. For instance, if you have a certain license, you receive a rating, and the rating of this license remains the same for any use case. No matter if you are using it internally or using it externally, you cannot make the adjustment to your use case. It will always alert as a risky license. The areas of licenses in the reporting and adjustments can be improve"

What is our primary use case?

Snyk is used to manage open-source risks in security and licenses.

What is most valuable?

The most valuable feature of Snyk is the software composition analysis.

What needs improvement?

The reporting mechanism of Snyk could improve. The reporting mechanism is available only on the higher level of license. Adjusting the policy of the current setup of recording this report is something that can improve. For instance, if you have a certain license, you receive a rating, and the rating of this license remains the same for any use case. No matter if you are using it internally or using it externally, you cannot make the adjustment to your use case. It will always alert as a risky license. The areas of licenses in the reporting and adjustments can be improved.

Having bolting scans into a single solution can be useful, maybe snippet capabilities of reading the actual scan rather than reading the manifest can be very useful.

For how long have I used the solution?

I have been using Snyk for several years.

What do I think about the stability of the solution?

The stability of Snyk is good.

What do I think about the scalability of the solution?

Snyk is highly scalable. The only thing running on the customer side is a command-line interface(CLI). The entire results are been presented on a software as a service-based platform. It doesn't matter if I'm running 10 or 10,000 systems. It's scalable because Snyk has a supportive system, which is not the customer's system, it's Snyk's system.

How are customer service and support?

I have not used the support from Snyk. However,  customers are sharing their experiences, and they have said the support is good.

How was the initial setup?

The initial setup of Snyk needs their assistance and support. It's not a Windows application that you click next, but it's not rocket science. The implementation typically takes a few days to complete.

What about the implementation team?

The company that purchases Snyk typically does the implementation. There are only a few people needed for the deployment of the solution.

What was our ROI?

Snyk allows developers and development managers to identify open-source vulnerabilities in every stage. As a result, the fix is much cheaper than identifying something on production. It's up to 100 times less expensive. If you fix a few bugs at an early stage, you cover all the license fees for the annual subscription of Snyk. There is a high return on investment potential.

What's my experience with pricing, setup cost, and licensing?

The license model is based on the number of contributing developers. Snyk is expensive, for a startup company will most likely use the community edition, while larger companies will buy the licensed version. The price of Snyk is more than other SLA tools.

What other advice do I have?

I rate Snyk an eight out of ten.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
Security Solutions Architect at a tech services company with 51-200 employees
Reseller
Developer-friendly and easy to setup

What is our primary use case?

I am a reseller. We provide solutions for our customers.

What is most valuable?

It's a good product. I haven't seen any weakness.

Snyk is a developer-friendly product.

What needs improvement?

Compatibility with other products would be great.

How are customer service and technical support?

I have not contacted technical support.

Which solution did I use previously and why did I switch?

Previously, I was working with Micro Focus Fortify.

How was the initial setup?

The initial setup is easy.

Which other solutions did I evaluate?

We have also evaluated Prisma Cloud by Palo Alto.

What other advice do I have?

We tried to partner up with Snyk, but we were not successful in gaining a partnership. We are not authorized Snyk resellers.

I would rate Snyk an eight out of ten.

Disclosure: My company has a business relationship with this vendor other than being a customer:
Buyer's Guide
Download our free Snyk Report and get advice and tips from experienced pros sharing their opinions.
Updated: June 2022
Buyer's Guide
Download our free Snyk Report and get advice and tips from experienced pros sharing their opinions.