IT Central Station is now PeerSpot: Here's why

Snyk OverviewUNIXBusinessApplication

Snyk is #1 ranked solution in Container Security Solutions, #1 ranked solution in top Software Composition Analysis (SCA) tools, and #3 ranked solution in application security tools. PeerSpot users give Snyk an average rating of 8 out of 10. Snyk is most commonly compared to SonarQube: Snyk vs SonarQube. Snyk is popular among the large enterprise segment, accounting for 64% of users researching this solution on PeerSpot. The top industry researching this solution are professionals from a computer software company, accounting for 27% of all views.
Snyk Buyer's Guide

Download the Snyk Buyer's Guide including reviews and more. Updated: June 2022

What is Snyk?

Snyk is a user-friendly security solution that enables users to safely develop and use open source code. Users can create automatic scans that allow them to keep a close eye on their code and prevent bad actors from exploiting vulnerabilities. This enables users to find and remove vulnerabilities soon after they appear.

Benefits of Snyk

Some of the benefits of using Snyk include:

  • Conserves resources: Snyk easily integrates with other security solutions and uses their security features to ensure that the work that users are doing is completely secure. These integrations allow them to protect themselves without pulling resources from their continued integration or continued delivery workflows. Resources can be conserved for areas of the greatest need.
  • Highly flexible: Snyk enables users to customize the system’s security automation features to meet their needs. Users can guarantee that the automation performs the functions that are most essential for their current project. Additionally, users are able to maintain platform governance consistency across their system.
  • Keeps users ahead of emerging threats. Snyk employs a database of threats that help it detect and keep track of potential issues. This database is constantly being updated to reflect the changes that take place in the realm of cybersecurity. It also uses machine learning. Users are prepared to deal with new issues as they arise.
  • Automatically scans projects for threats. Snyk’s command-line interface enables users to schedule the solution to run automatic scans of their projects. Time and manpower can be conserved for the areas of greatest need without sacrificing security.

Reviews from Real Users

Snyk is a security platform for developers that stands out among its competitors for a number of reasons. Two major ones are its ability to integrate with other security solutions and important insights that it can enable users to discover. Snyk enables users to combine its already existing security features with those of other solutions to create far more robust and flexible layers of security than what it can supply on its own. It gives users the ability to dig into the security issues that they may experience. Users are given a clear view of the root causes of these problems. This equips them to address the problem and prevent similar issues in the future.

Cameron G., a security software engineer at a tech company, writes, “The most valuable features are their GitLab and JIRA integrations.The GitLab integration lets us pull projects in pretty easily, so that it's pretty minimal for developers to get it set up. Using the JIRA integration, it's also pretty easy to get the information that is generated, as a result of that GitLab integration, back to our teams in a non-intrusive way and in a workflow that we are already using. Snyk is something of a bridge that we use; we get our projects into it and then get the information out of it. Those two integrations are crucial for us to be able to do that pretty simply.”

Sean M., the chief information security officer of a technology vendor, writes, "From the software composition analysis perspective, it first makes sure that we understand what is happening from a third-party perspective for the particular product that we use. This is very difficult when you are building software and incorporating dependencies from other libraries, because those dependencies have dependencies and that chain of dependencies can go pretty deep. There could be a vulnerability in something that is seven layers deep, and it would be very difficult to understand that is even affecting us. Therefore, Snyk provides fantastic visibility to know, "Yes, we have a problem. Here is where it ultimately comes from." It may not be with what we're incorporating, but something much deeper than that."

Snyk Customers

StartApp, Segment, Skyscanner, DigitalOcean, Comic Relief

Snyk Video

Archived Snyk Reviews (more than two years old)

Filter by:
Filter Reviews
Industry
Loading...
Filter Unavailable
Company Size
Loading...
Filter Unavailable
Job Level
Loading...
Filter Unavailable
Rating
Loading...
Filter Unavailable
Considered
Loading...
Filter Unavailable
Order by:
Loading...
  • Date
  • Highest Rating
  • Lowest Rating
  • Review Length
Search:
Showingreviews based on the current filters. Reset all filters
Senior Manager, Product & Application Security at a tech services company with 1,001-5,000 employees
Real User
It's easy to find vulnerabilities, create a report, and use the data
Pros and Cons
  • "The CLI feature is quite useful because it gives us a lot of flexibility in what we want to do. If you use the UI, all the information is there and you can see what Snyk is showing you, but there is nothing else that you can change. However, when you use the CLI, then you can use commands and can get the output or response back from Snyk. You can also take advantage of that output in a different way. For the same reason, we have been using the CLI for the hard gate in the pipeline: Obtain a particular CDSS score for vulnerability. Based on that information, we can then decide if we want to block or allow the build. We have more flexibility if we use the CLI."
  • "The way Snyk notifies if we have an issue, there are a few options: High vulnerability or medium vulnerability. The problem with that is high vulnerabilities are too broad, because there are too many. If you enable notifications, you get a lot of notifications, When you get many notifications, they become irrelevant because they're not specific. I would prefer to have control over the notifications and somehow decide if I want to get only exploitable vulnerabilities or get a specific score for a vulnerability. Right now, we receive too many high vulnerabilities. If we enable notifications, then we just get a lot of spam message. Therefore, we would like some type of filtering system to be built-in for the system to be more precise."

What is our primary use case?

There are two use cases that we have for our third-party libraries: We use the Snyk CLI to scan our pipeline. Every time our developer is building an application and goes to the building process, we scan all the third-party libraries there. Also, we have a hard gate in our pipeline. E.g., if we see a specific vulnerability with a specific threshold (CDSS score), we can then decide whether we want to allow it or block the deal. We have an integration with GitHub. Every day, Snyk scans our repository. This is a daily scan where we get the results every day from the Snyk scan.  We are scanning Docker images and using those in our pipeline too. It is the same idea as the third-party libraries, but now we have a sub-gate that we are not blocking yet. We scan all the Docker images after the build process to create the images. In the future, we will also create a hard gate for Docker images.

How has it helped my organization?

For the security team, it's easy to find vulnerabilities, create a report, and use the data. Every month, we have metrics. I get a report from the Snyk to see how many repositories we have scanned and how many of those repositories are violating our internal policy based on the CDSS score. I can get trends and see that we have been fixing issues. Based on that, we can then lower the score even further. It's easy to find a repository, scan, and vulnerability details associated with a particular issue using a link it provides to the database. Snyk allows us to spend less time securing applications, increasing their productivity. It adds visibility. In addition, we can get a report and show people that our environment is a bit more secure because we have been fixing the vulnerabilities. It reduces our timing with the automation part and daily scan, which I don't have to worry about since it's always happening. We always have fresh results. Once Snyk is running, you don't have to do much. It's always there running the scans for you. Because we now have visibility, we can create policies. Those policies are across all departments. Each department has to comply with our policies. We tweak the policy every quarter. Therefore, every quarter we try to have less high-risk vulnerabilities. By doing this, our environment is more secure. If at some point tomorrow, there's a huge unknown vulnerability, it's easy for us to go into Snyk and see if we are impacted or not. If we have false positive, it will have a negative impact, especially if we are blocking them and it is a false positive. We really appreciate that we haven't seen any false positive coming from Snyk. The information is very reliable.  The solution has reduced the amount of time it takes to find problems. It adds a lot of visibility. We don't have another tool providing this information. Instead of taking hours, you can find problems in a few minutes with Snyk.

What is most valuable?

The way they are presenting the vulnerabilities after a scan. It's very organized and easy to access. The UI is very organized. I also like that we can use the CLI or commands to run a scan locally or in the pipeline.  The CLI feature is quite useful because it gives us a lot of flexibility in what we want to do. If you use the UI, all the information is there and you can see what Snyk is showing you, but there is nothing else that you can change. However, when you use the CLI, then you can use commands and can get the output or response back from Snyk. You can also take advantage of that output in a different way. For the same reason, we have been using the CLI for the hard gate in the pipeline: Obtain a particular CDSS score for vulnerability. Based on that information, we can then decide if we want to block or allow the build. We have more flexibility if we use the CLI. For the pipeline, we use Jenkins, and for storing images in the build, we use Artifactory with some Jenkins integrations. This is super easy because we are using the CLI, which was one of the features that I really like because it's super flexible. You can do a lot of things with the CLI. It's easy to integrate. Same thing with the GitHub integration, Snyk provides Broker images that allow you to coordinate your internal GitHub repository with the cloud solution from Snyk. It's like a proxy. The UI is super easy to use. I have no issues with the interface.

What needs improvement?

The way Snyk notifies if we have an issue, there are a few options: High vulnerability or medium vulnerability. The problem with that is high vulnerabilities are too broad, because there are too many. If you enable notifications, you get a lot of notifications, When you get many notifications, they become irrelevant because they're not specific. I would prefer to have control over the notifications and somehow decide if I want to get only exploitable vulnerabilities or get a specific score for a vulnerability. Right now, we receive too many high vulnerabilities. If we enable notifications, then we just get a lot of spam message. Therefore, we would like some type of filtering system to be built-in for the system to be more precise. The same thing applies to policies when you go to the dashboard: Everything is red. Because of the nature of our third-party library, most of them have high security issues. However, too many are identified. Snyk needs to provide a way to add some granularity so you can decide what is relevant.
Buyer's Guide
Snyk
June 2022
Learn what your peers think about Snyk. Get advice and tips from experienced pros sharing their opinions. Updated: June 2022.
611,060 professionals have used our research since 2012.

For how long have I used the solution?

A year.

What do I think about the stability of the solution?

So far, it's very stable. We haven't had any issues with the platform. Deployment and maintenance is done by the security team and DevOps.

What do I think about the scalability of the solution?

We are using them all the time and scalability has not been a problem. I am pretty sure they will keep supporting our company with all our daily scans. I don't see any issues with scalability. We do have plans to increase the usage. For just our GitHub repository, we are scanning more than 700 repos. We will probably expand that to 1000 or more repos. Developers go to Snyk only if there is a need regarding a specific vulnerability. Developers do not normally use Snyk. Our security team uses Snyk more often. Snyk tries to put this tool towards developers, but there are not that many developers using this tool compared to the security team. Since we have been adding this CLI to the pipeline and scanning the entire build, most developers have been creating an Snyk account in our organization. Since we are sort of forcing this on them, they need to have access. They have been using it but only if they get a block or need to fix a vulnerability. The account integration is easy for them to request access to and the process is quick. We have 120 users, including the whole security team, the cloud operations team, DevOps, a lot of developers, and user members.

How are customer service and support?

The technical support is really good. They are very quick. They take care of you. If there is an issue, they will try to solve it.

Which solution did I use previously and why did I switch?

Our company did not use anything before Snyk. I have used Nexus IQ in another company.

How was the initial setup?

The initial setup is easy and straightforward. The documentation is very specific with the commands for the CLI. They provide support, if you have any questions. I was always talking with somebody from the Snyk.  We use a sliding configuration between our company and Snyk, so the communication is super easy. Most of the time, they have already documented the issue or how-to. Or, if you have an extra question, they are super quick responding back to you. The deployment for Snyk's hard integration was a week. Building the hard gate and sub-gate took a little bit longer (about a month) just to have everything integrated, but they were not fully dedicated when they did integration. If you really need to do the integration, you can probably do it in a couple of weeks. Implementation strategy: We started with the third-party library solutions from Snyk. Now, we are moving to the container solution.

What was our ROI?

We have not seen ROI yet.

What's my experience with pricing, setup cost, and licensing?

You can get a good deal with Snyk for pricing. It's a little expensive, but it is worth it.

Which other solutions did I evaluate?

Snyk's vulnerability database is pretty accurate. I have used other tools in the past and they were not that accurate or specific. Sometimes, I was not sure if something was a false positive or not. However, Snyk is very strong on this sense. I haven't seen any false positives.

What other advice do I have?

If we find an issue, then we talk to our developers who have a specific amount of days to fix the vulnerability. However, we are not fully using all the features that Snyk provides. While I know they could make a suggestion or do automation to fix issues, we are not using those features. Snyk has really nice features. They take into consideration what customers are telling or suggesting to them. It's a very good product. I would rate it a nine (out of 10).
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Security Analyst at a tech vendor with 201-500 employees
Real User
It reports on all the vulnerabilities present in all our different packages
Pros and Cons
  • "Our overall security has improved. We are running fewer severities and vulnerabilities in our packages. We fixed a lot of the vulnerabilities that we didn't know were there."
  • "Scalability has some issues because we have a lot of code and its use is mandatory. Therefore, it can be slow at times, especially because there are a lot of projects and reporting. Some UI improvements could help with this."

What is our primary use case?

We are using Snyk for two main reasons: 

  1. Licensing. For every open source package that we're using, we have licensing attributions and requirements. We are using Snyk to track all of that and make sure we're using the licenses for different open source packages that we have in a compliant fashion. This is just to make sure the licensed user is correct. 
  2. Vulnerabilities. Snyk will report on all the vulnerabilities present in all our different packages. This is also something we'll use to change a package, ask the desk to fix the vulnerability, or even just block a release if they are trying to publish code with too many vulnerabilities.

I am using the latest SaaS version.

How has it helped my organization?

Our whole process of deploying code uses Snyk either as a gateway or just to report on different build entities. 

The solution's ability to help developers find and fix vulnerabilities quickly is a great help, depending on how you implement it at your company. The more you empower your developers to fix their stuff, the less policies you will have to implement. It's a really nice feeling and just a paradigm shift. In our company, we had to create the habit of being proactive and fixing your own stuff. Once the solution starts going, it eases a lot of management on the security team side.

Snyk's actionable advice about container vulnerabilities is good. For the Container tool, they'll provide a recommendation about what you can do to fix your Docker, such as change to a slimmer version of the base image. A lot of stuff is coming out for this tool. It's good and getting better.

The solution’s Container security feature allows developers to own security for the applications and the containers they run in in the cloud. That is its aim. Since we are letting the developers do all these things, they are owning the security more. As long as the habit is there to keep your stuff up-to-date, Snyk won't have any effect on productivity. However, it will have a lot of effect on security team management. We put some guardrails on what cannot be deployed. After that, we don't have to check as much as we used to because the team will just update their stuff and try to aim for lower severities.

Our overall security has improved. We are running fewer severities and vulnerabilities in our packages. We fixed a lot of the vulnerabilities that we didn't know were there. Some of them were however hard to exploit, mitigating the risks for us, e.g., being on a firewalled server or unreachable application code. Though I don't recall finding something where we said, "This is really bad. We need to fix it ASAP."

What is most valuable?

I find many of the features valuable: 

  • The capacity for your DevOps workers to easily see the vulnerabilities which are impacting the code that they are writing. This is a big plus. 
  • It has a lot of integration that you can use even from an IDE perspective and up to the deployment. It's nice to get a snapshot of what's wrong with the build, more than it is just broken and you don't know why. 
  • It has a few nice features for us to manage the tool, e.g., it can be integrated. There are some nice integrations with containers. It was just announced that they have a partnership with Docker, and this is also nice. 

The baseline features like this are nice. 

It is easy to use as a developer. There are integrations that will directly scan your code from your IDE. You can also use a CLI. I can just write one command, then it will just scan your old project and tell you where you have problems. We also managed to integrate it into our build pipeline so it can easily be integrated using the CLI or API directly, if you have some more custom use cases. The modularity of it is really easy to use.

Their API is well-documented. It's not too bad to integrate and for creating some custom use cases. It is getting extended going forward, so it's getting easier to use. If we have issues, we can contact them and they'll see if they can change some stuff around. It is doing well.

Most of the solution's vulnerability database is really accurate and up-to-date. It has a large database. We do have some missing licenses issues, especially with non-SPDX compliant one, but we expect this to be fixed soon. However, on the development side, I rarely have had any issues with it. It's pretty granular and you can see each package that you're using along with specific versions. They also provide some nice upgrade paths. If you want to fix some vulnerabilities, they can provide a minor or major patch where you can fix a few of them.

What needs improvement?

• More visibility on the package lifecycle because we are scanning our application at different point (DevOps, Security, QA, Pipeline, Production Env) and all those steps get mixed together in the UI. Therefore, it's hard to see the lifecycle of your package.

• Docker base image support was missing (Distroless) but support is increasing.

• UI taking some time to load. We have a lot of projects in the tool.

Snyk is responsive and they work to fix the pain points we have.

For how long have I used the solution?

For two years.

What do I think about the stability of the solution?

The stability is good. I don't recall ever having issues with the application being unreachable or down.

What do I think about the scalability of the solution?

Scalability has some issues because we have a lot of code and its use is mandatory. Therefore, it can be slow at times, especially because there are a lot of projects and reporting. Some UI improvements could help with this. 

From a scan time perspective, everything is pretty fast.

All our developers and the security team use it. There are probably around 100 people using it whose roles are mainly developers, along with a few security analysts and architects.

How are customer service and technical support?

We have good communication with Snyk. They make us feel like a valued customer and provide us with a Customer Success Manager and training for our teams.

I haven't contacted technical support. One of my teammates did contact them and was pleased with the results. 

Which solution did I use previously and why did I switch?

We were previously using another vendor for vulnerability management. We decided to use Snyk in parallel to handle licence reporting. One issue that we had with our previous vendor was that we were promised features that were never delivered. It also had some quirks that weren't fitting our needs. Since we already had Snyk, and it could do vulnerability reporting, we decided to keep Snyk for the two use cases.

How was the initial setup?

I wasn't part of the initial setup. It was done by another team. From what I heard, it wasn't too much of a hassle to set up. Though, my team hasn't been 100 percent satisfied with how it was set up by us, as we could do so much more with the tool..

What was our ROI?

We have seen ROI from a security perspective.

The solution has reduced the amount of time it takes to find and fix problems, especially to fix them. Without Snyk, we had no visibility on open source package vulnerabilities. We started from not seeing anything to fixing them. Since we had to wait for an incident or fortuitous discovery before, it has been a good improvement.

What other advice do I have?

At first, we were using it only for scanning the images that were getting sent to production. Then, we added the entire workload running on our clusters. This increased our vulnerabilities because there were duplicates, but also gave more visibility.

The more you put into learning the tool, the better results you will get. Even if it's easy to use, you do need to create the habit of using it with your DevOps. Once it's integrated, it will be a lot easier. You'll see quickly the issues that you can fix when you're writing your code and don't have to wait until the end of QA to be denied.

I don't see anything Snyk can report as a false positive because the vulnerability database is there and the vulnerable code in the package. It just depends on how you invoke the code. Unless they start scanning the code, they cannot know. From that perspective, false positives are pretty low, almost non-existent.

Our developers are spending more time working on Snyk issues than before, mainly because they were not aware of things that they needed to fix. The process is easy to fix something, so it neither increases nor decreases our developer productivity.

It does require a bit of time, especially when creating the habit of using the tool, but the investment is worth it. It enables developers to own security. If you can get the developers to own security, you are reducing a lot of weight off of your security team. Then, you don't need to have such a big security team because the solution offloads a lot of work.

Get the developers on your side. We managed to make it mandatory, but this won't happen everywhere. If a developer takes a solution to heart in a project and really wants to use it, it'll go well. Otherwise, if you keep fighting against them, then it will be a hassle.

If Snyk offered a SAST/DAST solution, we would be interested in testing it out. We have good experience with the platform and we could consolidate our efforts with them. We are not super satisfied with our current SAST implementation.

What I want for the future is to get more proactive adoption instead of adopting because it is mandatory. Adoption will grow, especially if Snyk have other features coming in. We enjoy the product.

I would rate the solution as a 9 (out of 10).

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Buyer's Guide
Snyk
June 2022
Learn what your peers think about Snyk. Get advice and tips from experienced pros sharing their opinions. Updated: June 2022.
611,060 professionals have used our research since 2012.
Sr. Security Engineer at a tech vendor with 201-500 employees
Real User
Container security allows developers to own security for the applications and containers they run in the cloud
Pros and Cons
  • "The most valuable features include enriched information around the vulnerabilities for better triaging, in terms of the vulnerability layer origin and vulnerability tree."
  • "We've also had technical issues with blocking newly introduced vulnerabilities in PRs and that was creating a lot of extra work for developers in trying to close and reopen the PR to get rid of some areas. We ended up having to disable that feature altogether because it wasn't really working for us and it was actually slowing down developer velocity."

What is our primary use case?

We enable Snyk on all of our repos to do continuous scanning for open-source dependency, vulnerabilities, and for license compliance. We also do some infrastructure and code scanning for Kubernetes and our Docker containers.

Snyk integrates with GitHub which lets us monitor all private and public repositories in our organization and it enables developers to easily find and fix up source dependency vulnerabilities, container-image vulnerabilities, and ensures licenses are compliant with our company policies.

How has it helped my organization?

It's given us more insight in terms of what our risk is to open-source dependencies and helps us reduce the quantity of open-source dependency vulnerabilities that we have within our code base.

Snyk has absolutely reduced the amount of time it takes to find problems, with its automated PR. The challenge, initially, was that there were a lot of false positives with the previous product that we had. We had to eliminate the noise ratio. Snyk is accurately detecting the vulnerabilities and pinpointing the sources of where they exist. In terms of discovery and accuracy, it has reduced the time involved by 50 percent.

It's also giving our developers informed insights to take action on where vulnerabilities are introduced into the code. Depending on how you define "productivity" you could say it's reducing their productivity because it's showing that they have issues with their code and that they have to go back and fix it. It might not necessarily be increasing productivity, but in the sense of not incurring tech or security debt, it's improving those aspects. Overall, that should lead to an improvement in productivity.

What is most valuable?

The most valuable features include 

  • detection 
  • the reporting aspect where we can get an overall glance at vulnerabilities across all of our organizational repos 
  • the enriched information around the vulnerabilities for better triaging, in terms of the vulnerability layer origin and vulnerability tree.

Its actionable advice about container vulnerabilities is good. The container security feature definitely allows developers to own security for the applications and the containers they run in the cloud. They have the ability to go in and review the vulnerabilities and to remediate as needed. Currently, it's only scanning. We're not doing any type of blocking. We're putting more of the onus on the developers and owners to go and fix the vulnerabilities. They're bound to internal SLAs.

The solution’s vulnerability database is very comprehensive and accurate. One thing we were looking at is the Exploit Maturity, which is a relatively new feature. We haven't really gotten back to tune that, but it is something we were looking at so we can know the exploit maturity, based on these vulnerabilities. That is super-valuable in understanding what our true risk is, based on the severity. If something is out in the wild and actively being exploited, that definitely bumps the priority in terms of what we're trying to remediate. So it helps with risk-prioritization based on the Exploit Maturity.

What needs improvement?

There is room for improvement in the licensing-compliance aspect. There have been some improvements with it, but we create severities based on the license type and, in some cases, there might be an exception. For example, if we actually own the license for something, we'd want to be able to allow based on that. That specific license type might exist in different repos, but it could be that in a specific repo we might own the license for it, in which case we wouldn't be able to say this one is accepted. That would be an area of improvement for legal, specifically.

We've also had technical issues with blocking newly introduced vulnerabilities in PRs and that was creating a lot of extra work for developers in trying to close and reopen the PR to get rid of some areas. We ended up having to disable that feature altogether because it wasn't really working for us and it was actually slowing down developer velocity. To be honest, that's where it's at today. We haven't been using it much in that way, to block anything. We work in a non-blocking fashion and we give the ownership to the developers. And then we monitor and alert based on what we have and what we've discovered.

For how long have I used the solution?

We have been using Snyk for about a year.

What do I think about the stability of the solution?

I haven't noticed any stability issues.

There have definitely some been some software flaws, bugs, of course, but that just comes with the nature of software in general. But the customer support team has been very responsive when we actually need something. They've been reaching out to us, they've gotten engineers on the calls to talk through our problems. It's been good enough in that way.

What do I think about the scalability of the solution?

It's scalable.

Which solution did I use previously and why did I switch?

We previously used a solution called Black Duck and the reason we switched was because there were a lot of false positives. There was a lot of noise and it wasn't useful to developers.

As my organization's security program continued to mature, our team was looking for ways to effectively build a more secure product. One area of risk we wanted to address was the use of open-source software. Although open-source software has many benefits, it includes vulnerabilities that, if not managed properly, could expose us to potential breaches. To address this risk, we purchased Snyk.

Snyk's extensive vulnerability database helps us stay on top of those occurrences as they surface. In addition, we use Snyk to help ensure compliance with open-source security policies. We replaced Black Duck with Snyk as a more developer-friendly solution to help us govern our security and license compliance as well as to reduce false positive findings.

How was the initial setup?

The initial setup was pretty straightforward. You just sign up for an account and then you work with the sales engineers, the technical engineers, to enable it across your organization. Then you just import all the repos you want to start scanning on and that's pretty much it. Out-of-the-box it works.

The deployment took a day or two days. It wasn't very intensive. The main thing was the internal process of getting buy-in from leadership and getting things put into place.

In terms of our deployment strategy, we ran it against the master branch of select repositories. We picked a handful of repos that we wanted to start scanning against. We disabled tests on pull requests temporarily and we enabled SSO so people could log in via Okta to start reviewing reports. Everybody had access to it in R&D. Everybody then had the ability to start opening Snyk pull requests for vulnerabilities that were discovered. Then we established how we would treat the information coming from Snyk, including SLAs tied to the severity, etc.

We told people to expect that Snyk would be enabled on the master branches of all our repositories and that it continuously scans the dependency files such as the package.json, requirements.txt, Gemfile.lock, etc., on a scheduled basis. If new vulnerabilities are discovered, we told them findings would be generated and could be viewed on a new dashboard and developers could customize their notification settings in Snyk's console. For each pull request we test for new vulnerabilities.

The rollout plan was working with two squads per month to begin the implementation. The security team would embed with them to understand how they were using the tool and learn about their process — if things weren't working, or were working and they liked it. We would gradually roll it out to the next squad and the next squad. We have 600 engineers here, so we didn't want to just flip the switch and turn it on all at once. We worked with teams individually to understand their workflows, and to see if they disliked it or liked it.

We were also tuning the SLAs for remediation for vulnerabilities. We didn't want to be too aggressive in what we were asking from the developers around the SLA for remediation. And because we were putting the SLAs in place, we were blocking other product-feature work that was coming down the pipeline. We're also an Agile development shop. Customer security usually comes after, so we were dealing with those trade-offs.

We had a few bumps along the way with enabling newly introduced vulnerabilities on an open PR. We pulled back on the entire project and just left it running. The security team really hasn't had a chance to go back and tune it.

Developer adoption of the solution has been low in our company. Management isn't really enforcing the use of the tool yet. There have been more pressing issues. So the low adoption is more more the result of an internal process than it is because of actual value from the product. They do find a lot of value with it when they start using it properly. Overall, we've had positive feedback from developers.

What was our ROI?

The time-to-value of Snyk is still still a work-in-progress in our company.

What other advice do I have?

I would advise that there be communication within the organization about how the tool is going to be used, what it's going to be used for, and for establishing and communicating a rollout plan. The steps that I listed previously about our rollout plan were well received and followed. With larger organizations, that's probably the best path forward: limiting the number of people using the tool, up front, to work out workflows, and then gradually rolling it out to the wider audience until you get full coverage.

We understood that the full implementation of Snyk into the development and operations lifecycle introduced a change. We also understood that fixing all the existing vulnerabilities immediately would not be a viable strategy. So we started with a partial implementation to gain insight from developers on the preferred ways of working, which would help us manage business priorities and roadmap initiatives. From there, we established a policy on how we retreat information coming from Snyk, including SLAs tied to the severity of findings. 

After that, depending on the size of your organization, the suggestion would be to work with select teams. For us, it was two teams per month, focusing on the process of remediating existing vulnerabilities until we worked with all teams across the organization. 

In addition, Snyk offered free onsite training if requested, so take advantage of that.

Everything that the product promises it will do, it's been doing that for us. It's good. It's serving its purpose. We have definitely had some technical issues with it. We really haven't had a lot of time to spend with it and to focus on tuning it since we procured the solution, and to actively get it into our development pipeline. But from what it promises, I would rate it at eight out of ten.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Information Security Engineer at a financial services firm with 1,001-5,000 employees
Real User
Saves time and increases developer productivity, but we struggle a bit due to a lack of documentation
Pros and Cons
  • "Snyk has given us really good results because it is fully automated. We don't have to scan projects every time to find vulnerabilities, as it already stores the dependencies that we are using. It monitors 24/7 to find out if there are any issues that have been reported out on the Internet."
  • "They were a couple of issues which happened because Snyk lacked some documentation on the integration side. Snyk is lacking a lot of documentation, and I would like to see them improve this. This is where we struggle a bit. For example, if something breaks, we can't figure out how to fix that issue. It may be a very simple thing, but because we don't have the proper documentation around an issue, it takes us a bit longer."

What is our primary use case?

We are using Snyk to find the vulnerabilities inside dependencies. It is one of the best tool in the market for this. 

How has it helped my organization?

It is pretty easy and straightforward to use because integration won't take more than 15 minutes to be honest. After that, developers don't have to do anything. Snyk automatically monitors their projects. All they need to do is wait and see if any vulnerabilities have been reported, and if yes, how to fix those vulnerability. 

So far, Snyk has given us really good results because it is fully automated. We don't have to scan projects every time to find vulnerabilities, as it already stores the dependencies that we are using. It monitors 24/7 to find out if there are any issues that have been reported out on the Internet.

Whenever Snyk reports to us about a vulnerability, it always reports to us the whole issue in detail:

  • What is the issue.
  • What is the fix.
  • What version we should use.

E.g., if upgrading to a new version may break an application, developers can easily understand the references and details that we receive from Snyk regarding what could break if we upgrade the version.

The solution allows our developers to spend less time securing applications, increasing their productivity. As soon as there is a fix available, developers don't have to look into what was affected. They can easily upgrade their dependencies using Snyk's recommendation. After that, all they need is to test their application to determine if the new upgrade is breaking their application. Therefore, they are completely relaxed on the security side. 

Snyk is playing a big role in our security tooling. There were a couple of breaches in the past, which used vulnerability dependencies. If they had been using Snyk and had visibility into what vulnerabilities they had in their dependencies, they could have easily patched it and saved themselves from their breaches.

So far, we have really good feedback from our developers. They enjoy using it. When they receive a notification that they have a vulnerability in their project, they find that they like using Snyk as they have a very easy way to fix an issue. They don't have to spend time on the issue and can also fix it. This is the first time I have seen in my career that developers like a security tool.

I'm the only person who is currently maintaining everything for Snyk. We don't need more resources to maintain Snyk or work full-time on it. The solution has Slack integration, which is a good feature. We have a public channel where we are reporting all our vulnerabilities. This provides visibility for our developers. They can see vulnerabilities in their projects and fix them on their own without the help of security.

What is most valuable?

Snyk integrations and notifications with Slack are the most valuable feature because they are really handy. By monitoring dependencies, if there is a vulnerability reported, Snyk will fire off a Slack message to us. With that Slack message, we can create a request just from the notifications which we receive on Slack. It's like having visibility in a general channel and also flexibility to fix that issue with a few clicks.

The solution’s vulnerability database is always accurate since the chances of getting a false positive is very rare. It only reports the vulnerabilities which have already been reported publicly.

The solution’s Container security feature allows developers to own security for the applications and the containers they run in in the cloud. Without using Snyk, developers might be not aware if they are creating a vulnerability in their Docker images. While using Snyk, they have at least a layer of protection where they can be notified by a Snyk if there is a vulnerability in the Docker images or communities.

What needs improvement?

If the Snyk had a SAST or DAST solution, then we could have easily gone with just one vendor rather than buying more tools from other vendors. It would save us time, not having to maintain relationships with other vendors. We would just need to manage with one vendor. From a profitability standpoint, we will always choose the vendor who gives us multiple services. Though, we went ahead with Snyk because it was a strong tool.

Snyk needs to support more languages. It's not supporting all our languages, e.g., Sift packages for our iOS applications. They don't support that but are working to build it for us. They are also missing some plugins for IDEs, which is the application that we are using for developers to code.

There are a couple of feature request that I have asked from Snyk. For example, I would like Snyk to create a Jira ticket from Slack notifications. We already have Snyk creating a pull request from Slack notifications, so I asked if we could create a Jira ticket as well so we can track the vulnerability.

For how long have I used the solution?

I started working with at my company eight months ago and Snyk was already in place. As for my own experience, I was using this solution before I joined the company, so I was familiar with the tool and how it works.

What do I think about the stability of the solution?

They were a couple of issues which happened because Snyk lacked some documentation on the integration side. Snyk is lacking a lot of documentation, and I would like to see them improve this. This is where we struggle a bit. For example, if something breaks, we can't figure out how to fix that issue. It may be a very simple thing, but because we don't have the proper documentation around an issue, it takes us a bit longer.

What do I think about the scalability of the solution?

So far, we have onboarded all our developers to Snyk, and it's still running fine. However, they could improve it. For example, if I create a bulk request for more than 15 or 20 vulnerabilities, then it takes a bit longer than it should in terms of time.

Including security, the total developers that we have on Snyk is almost 50 at this time. We are pushing more to the developers and would like to have 200 developers in the coming month or two.

How are customer service and technical support?

The people with whom I'm connected are really good. If I have issues, they will quickly jump on a call and I will start troubleshooting with them over the call. The people with whom I'm talking are very technical.

Which solution did I use previously and why did I switch?

Before using Snyk, we didn't have visibility into how many dependencies we were using or importing into our projects. Snyk gives us how many third-party libraries we are using and what version they are running on. Also, it let us know if there are any vulnerabilities in those libraries when we are writing our code. Because of the potential impact, we have to ensure that there aren't any vulnerabilities in these libraries (since we have no visibility) when we are importing. 

How was the initial setup?

The initial setup was straightforward. Onboarding projects didn't take me too long. It was pretty straightforward and easy to integrate with event/packet cloud and import all our projects from there. Then, it was easy to generate the organizational ID and API key, then add it to the Snyk plug-in that we are using in our build pipeline.

Snyk was already onboard when I joined. Deployment of my 23 projects took me an hour. 

What was our ROI?

The solution has reduced the amount of time it takes to find problems by three or four hours per day. 

The solution has reduced the amount of time by at least two to three hours a day to fix problems because the documentation which we receive is very helpful. This also depends on a couple of factors, such as, how big a project or library is.

Developer productivity has increased a lot. Considering all the projects about security vulnerabilities, we are saving at least six to seven hours a day.

What other advice do I have?

It saves a lot of my time and the developers' time. Also, because everything is super simple and straightforward in one place, it is really convenient for the security team to keep an eye on vulnerabilities in their projects.

Having this type of tool for a security team is really helpful. In my previous role, we didn't have this type of tool for our team. We struggled a lot with how we could enhance our visibility or see our projects: what dependencies they were using and if we could monitor those dependencies for any vulnerabilities. Without the tool, we could be attacked by some random vulnerability which we were not even aware of. Thus, I strongly recommend having this type of tool for a security team.

This is integrated with our CI/CD.

For Containers, we are still not fully rolled out and working around it. 

I would rate this solution as a seven (out of 10).

Which deployment model are you using for this solution?

Public Cloud
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Manager, Information Security Architecture at a consultancy with 5,001-10,000 employees
Real User
Reduced the amount of active vulnerabilities in our applications
Pros and Cons
  • "It has improved our vulnerability rating and reduced our vulnerabilities through the tool during the time that we've had it. It's definitely made us more aware, as we have removed scoping for existing vulnerabilities and platforms since we rolled it out up until now."
  • "There are some new features that we would like to see added, e.g., more visibility into library usage for the code. Something along the lines where it's doing the identification of where vulnerabilities are used, etc. This would cause them to stand out in the market as a much different platform."

What is our primary use case?

It is a source composition analysis tool that we use to perform vulnerability scanning for those vulnerabilities within open source libraries.

This is a SaaS solution.

How has it helped my organization?

It has improved our vulnerability rating and reduced our vulnerabilities through the tool during the time that we've had it. It's definitely made us more aware, as we have removed scoping for existing vulnerabilities and platforms since we rolled it out up until now.

We were aware of problems that were there, but we weren't looking for them until we had Snyk. It is definitely showing us things that we should have been concerned about, and we have found a lot of value in resolving those things since we've discovered them.

It's reduced the amount of active vulnerabilities in our applications, providing both a more stable and secure environment for us in the libraries that we develop. It has highlighted a number of things we weren't aware of in our applications and the reduction of those is definitely a benefit and value-add to our applications.

What is most valuable?

The general source composition analysis is the key to the piece. That is the feature to check our open source libraries for vulnerabilities and the primary feature that we use the tool for.

It is extremely easy to use and very simple to catch on for every team that we train on it. We generally have our development teams leverage the tool themselves. It's extremely easy to teach them how to use it and get them to onboard it.

From a speed perspective, we use Git repository. It was very easy to integrate into that platform.

The solution’s ability to help developers find and fix vulnerabilities quickly is very good and convenient. It provides the ability to easily work the platform into our existing repositories and leverage our repository. It also pulls notifications as a means for notifying developers of vulnerabilities within the projects that are developing.

The solution’s vulnerability database is very comprehensive and accurate.

What needs improvement?

There are some new features that we would like to see added, e.g., more visibility into library usage for the code. Something along the lines where it's doing the identification of where vulnerabilities are used, etc. This would cause them to stand out in the market as a much different platform.

For how long have I used the solution?

We have been using Snyk for about a year.

What do I think about the stability of the solution?

It is very stable.

We use existing staff to maintain and operationalize it.

What do I think about the scalability of the solution?

It is extremely easy to scale and hooks into all of our application repositories without any issues. We use the product extensively in the projects that we are currently running. We are using the product at close to 100 percent.

Developer-adoption of the solution has been good. It is one of the better tools in our application security library from an adoption perspective and needs of use. It has the most positive feedback out of all our solutions.

There are probably 50 users who are security/developers and development-focused security professionals.

How are customer service and technical support?

The only technical support that we have received has been through our account team, and it's been fantastic. I haven't actually had to open any tickets or anything using the tool. The only time we've ever needed assistance was to open up a ticket for single sign-on configuration. It was extremely quick. They had a very easy, fast response for how to deliver it.

Which solution did I use previously and why did I switch?

We previously used Black Duck. We switched to Snyk because of its better false positive ratings along with its ease of use, integration, and deployment.

How was the initial setup?

The initial setup was straightforward. It was just extremely easy to integrate into our repositories, get the code scanning working, and add our projects into the application.

The deployment was quick. We had our first application in it within minutes.

Implementation strategy: We hooked up our applications and integrated them into the tool. Then, we started to address vulnerabilities as we saw fit from a risk perspective.

What was our ROI?

We have seen ROI with Snyk. It has showed us a lot of things that we were not privy to before. This has opened our eyes to a lot of very important things, e.g., vulnerabilities.

The solution has reduced the amount of time it takes to fix problems. It has done a great job explaining what the problem is and how to resolve it with remediation. It gives you a lot of details about versioning and such for the library. It is definitely helpful there.

The time-to-value of the solution in our company was almost immediate.

What's my experience with pricing, setup cost, and licensing?

It's inexpensive and easy to license. It comes in standard package sizing, which is straightforward. This information is publicly found on their website.

Which other solutions did I evaluate?

We focused our evaluation specifically on Black Duck and Snyk, plus Veracode as a larger product offering.

The Snyk platform does everything we've expected it to do. It works much better than some of the competitors we looked at during our assessment.

What other advice do I have?

If you're looking for a source composition analysis tool or a tool to monitor your open source security, then it's a fantastic solution.

SAST and DAST are very important functions. We have alternative options for those though. I wouldn't say the solution’s lack of SAST and DAST hurts or affects us. It would be nice if these were a platform or offering that they did have.

We don't use the solution’s Container security feature at the moment, but we are planning on using it.

I would rate this solution as an eight or nine (out of 10).

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Engineering Manager at a comms service provider with 51-200 employees
Real User
Extremely easy to integrate, simple to use and hassle-free
Pros and Cons
  • "What is valuable about Snyk is its simplicity."
  • "Could include other types of security scanning and statistical analysis"

What is our primary use case?

We use the product to scan our code for any vulnerable dependencies we might have. We depend on open source libraries and need to make sure they're secure. If not, we need to highlight the areas and replace them, update them quickly. A secondary, minor use case is to also look at licensing and make sure that we're not using open source licenses we should not be using. Those are our two use cases.

What is most valuable?

What is valuable about Snyk is its simplicity, and that's the main selling point. It's understandably also very cheap because you don't need as much account management resources to manage the relationship with the customer and that's a benefit. I also like that it's self-service, with extremely easy integration. You don't need to speak to anybody to get you off and running and they have loads of integrations with source control and cloud CI systems. They are a relatively new product so they might not have a bigger library than competitors, but it's a good product overall.

They do however have the option to install Snyk on-prem, but it is much more expensive.

What needs improvement?

The product could be improved by including other types of security scanning (e.g. SAST or DAST), which is important. It would also help to include the static analysis specifically to the open-source scanning so we could get an idea of whether a particular library is vulnerable and recognise if we're actually using the vulnerable part of it or not, they do have runtime analysis, but it is a hassle to set up.

It would be the same issue in terms of the inclusion of additional features. I think static analysis is really important. A second additional feature would be to add tags to projects, identifying an important project or assigning a project to a particular team. Custom tags would be helpful.

For how long have I used the solution?

I've been using the product for less than a year. It's an SaaS solution, online, so we're always using the latest version. 

What do I think about the stability of the solution?

It's a very stable product, they are clear when a specific feature is in beta.

What do I think about the scalability of the solution?

We have hundreds of source code repositories, and Snyk scans them in minutes (it just looks at package management files to identify the dependency tree), Snyk uses the same infrastructure to scan for all customers on the cloud which gives it lots of scalability opportunities compared to some other vendors where the software is installed on-prem or on a dedicated instance which makes the software pricy and limited (this dedicated instance will be idle most of the time, and the customer needs to pay for it).

How are customer service and technical support?

The technical support is very good. 

What other advice do I have?

Some of our products are deployed on the private cloud behind firewalls, Snyk has tools to carry out security scanning from our private repositories. 

For anyone thinking of using the product, I would suggest using cloud and SaaS providers. Generally, they are easy to work with and there's no hassle of having to talk to salespeople and arrange demos, etc. Self-service SaaS products are a good way to go when it's appropriate.

I would rate this product a nine out of 10.

Which deployment model are you using for this solution?

Private Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Buyer's Guide
Download our free Snyk Report and get advice and tips from experienced pros sharing their opinions.
Updated: June 2022
Buyer's Guide
Download our free Snyk Report and get advice and tips from experienced pros sharing their opinions.