There are a lot of false positives that need to be identified and separated. The inclusion of AI to remove false positives would be beneficial. So far, I've not seen any AI features to enhance vulnerability detection or to address the issues I mentioned.
Snyk has several limitations, including issues with Gradle, NPM, and Xcode, and trouble with AutoPR. It lacks the ability to select branches on its Web UI, forcing users to rely on CLI or CI/CD for that functionality. These limitations were documented in a book that I wrote.
I'm not responsible for the tool. As far as I know, there are no major concerns or features that we lack. We had some issues integrating it into our pipeline; however, they were resolved.
I use Snyk alongside Sonar, and Snyk tends to generate a lot of false positives. Improving the overall report quality and reducing false positives would be beneficial. I don't need additional features; just improving the existing ones would be enough.
VP Enterprise Architecture and Solutioning at a financial services firm with 10,001+ employees
Real User
Top 10
Mar 19, 2024
I don't use Snyk anymore. The tool is just used in our company, but not by me anymore. It is important that the solution has the ability to match up with the OWASP Top 10 list, especially considering that sometimes, it cannot fix certain issues. Users might face 100 vulnerabilities during the production phase, and they may not be able to fix them all. Different companies have different levels of risk appetite. In a highly regulated industry, users of the product should be able to fix all the vulnerabilities, especially the internal ones. The tool should provide more flexibility and guidance to help us fix the top vulnerabilities before we go into production.
It would be helpful if we get a recommendation while doing the scan about the necessary things we need to implement after identifying the vulnerabilities. In short, it will be a remediation for the vulnerabilities identified by Snyk.
Devops & Cloud Architect at Hexaware Technologies Limited
Reseller
Top 5
Nov 14, 2023
I think Snyk should add more of a vulnerability protection feature in the tool since it is an area where it lacks. Snyk needs to focus on the area related to dependencies.
Snyk's API and UI features could work better in terms of speed. Additionally, they could optimize and provide better reports, including reports at the security, technical, and developer levels.
They need to improve the Snyk plugins and make it easier to make your own optimizations based on your own needs or features. It's very basic right now. For example, you need to make many workarounds to get reports from the REST API. Improving how the plugin works is the best way to get any partnership with most tools. This way, Snyk could, for example, integrate with the Atlassian Bitbucket pipeline. If the plugins could be improved, I could integrate plugins in a few seconds instead of making many workarounds using the REST API.
I can't comment on whether there are missing features at this time. For the last six to eight months I haven't worked with Fugue. I don't have an up-to-date product roadmap to comment on what is or is not available, or what they do or do not provide. I would need to review their current roadmap to be able to accurately comment on what is or is not available. Fugue's capabilities are not well understood in the market. If there was one thing they could improve, it would be to basically explain in simple terms to the market what it is they do. Right now, understanding what they do requires substantial experience and expertise. It wasn't a challenge for me to identify this area; however, I'm the exception. Generally speaking, there is not sufficient understanding in the broad market of what Fugue does. This is the area they need to focus on. The general input I have is that there is an opportunity for them to better align with other similar tools and better align with similar capabilities that cloud suppliers deliver natively. What happens is they extend and augment capabilities that cloud suppliers offer. There are additional integration and operational benefits that can be realized in how they extend and how they position themselves as compared to what cloud suppliers deliver.
It would be ideal if there was customization with a focus on specific cybersecurity areas or capabilities. Fugue is a cybersecurity and operational monitoring solution, which has a broad set of capabilities. However, one needs to have substantial know-how in the cybersecurity domain to be able to identify and zero in on specific Fugue capabilities that may be relevant to a particular project or workstream pursuit. Being a system integrator, for us, it isn't an issue. For a client that is new to Fugue or relatively new to cybersecurity, it would be quite challenging to zero in on a specific sweet spot or capability.
Snyk's AI Trust Platform empowers developers to innovate securely in AI-driven environments, ensuring rapid and secure software development with enhanced policy governance. Snyk's platform integrates AI-ready engines across the software development lifecycle, offering broad coverage with high speed and accuracy essential for fast-paced coding environments. AI-driven features include visibility, prioritization, and tailored security policies that enable proactive threat prevention and quick...
The solution's integration with JFrog Artifactory could be improved.
The product is very expensive.
The tool's initial use is complex.
DAST has shortcomings, and Snyk needs to improve and overcome such shortcomings.