UPDATED 15:00 EDT / JULY 21 2023


Snyk supports developer security with code-based, AI-driven cloud platform

Fixing the fundamental security flaws inherent in systems and networks will rely significantly on ensuring implementation of secure, bug-free code.

This is the basic premise behind Snyk Ltd. and its developer security platform. The company provides solutions to secure proprietary code, open-source dependencies, container images and cloud infrastructure from a single unified platform. Rather than creating an application and throwing it over the wall with a prayer that it is truly secure, developers can leverage Snyk’s cloud-based platform to find and fix vulnerabilities, from the first line of code to when it is running jobs in the enterprise.

“You can make that whole continuum something that a developer can automate and make it part of the work that they do,” said Manoj Nair (pictured), chief product officer of Snyk. “A company like us was created to enable that developer security. Here’s an opportunity to just do it right and do it continuously. That’s really the shift that we think we’re right in the middle of.”

Nair spoke with theCUBE industry analyst Dave Vellante at the Supercloud 3: Security, AI and the Supercloud event, during an exclusive broadcast on theCUBE, SiliconANGLE Media’s livestreaming studio. They discussed how Snyk supports developers in building secure code and leveraging generative AI.

Deep dependency problem

The notion of continuous security in code development has become more important as organizations increasingly rely on open-source code to run business-critical applications.

“You think about most code today, 70% to 90% of code, based on different research that we have seen, is open-source code,” Nair said. “It’s a very deep dependency problem, because it’s not just the open source you are using, it’s what the other open-source developers that you’re using use.”

Snyk’s cross-platform approach is designed to help developers who use infrastructure as code to manage and provision compute infrastructure, regardless of which cloud they target.

“There’s a way to check whether you’re using something like Terraform that is platform independent or you’re using platform dependent versions of infrastructure as code,” Nair said. “All this can be done pre-deploy, and so your post-deploy verification becomes a verification step rather than you’re finding those issues post-deploy. You don’t have to rethink the entire security posture based on which cloud you are [on].”

The rise of generative artificial intelligence has seen a concurrent acceleration in the use of automation tools for coding. This could open the door toward a sharp escalation in vulnerabilities if pre-trained AI models have not kept pace with a fast-moving threat environment.

“Every day there’s a new zero-day … if you have a model that’s pretrained, it needs to catch up with that evolving landscape,” Nair said. “What we’re seeing is that something that is essentially making an inference of what code should look like based on pre-training on potentially insecure code doesn’t necessarily generate secure code at the end. I’ve got customers who tell me the code generative solutions are improving productivity 40% to 45%, but what if it’s creating security vulnerabilities at 50% to 70%? Now all you’re doing is creating these issues faster.”

Security in the stack

The solution is to make sure that embedded technologies catch these issues right where the code is being created, not after the fact, according to Nair. Snyk’s platform is powered by DeepCode AI, which uses multiple AI models and is trained on security-specific data to secure applications at the code-writing level.

“It does one thing and one thing well,” Nair said. “It understands code and it uses layers of AI, hybrid AI we call it, symbolic machine learning and large language models to find issues real time and fix issues as you’re writing code. By empowering the developers with responsible use of AI technologies and really marrying it with responsible use of AI security technologies, it makes it much easier for you to build in security into the stack rather than just bolting it on after the fact.”

Snyk’s approach is focused on building security directly into the stack and simplifying the process of securing compute infrastructure. That starts with developers, according to Nair.

“What we are giving them is security context right where they are to make better choices,” Nair said. “Security really is also getting built into that platform stack. Then everyone consumes that stack so that’s the way to handle this from becoming layers of complexity.”

In recent months, Snyk has been on a dual track of releasing enhancements to its developer security platform and obtaining new funding. In June, the company unveiled developer application security posture management, following the earlier announcement of a strategic investment of $25 million from ServiceNow Inc.

“We’re saying that we do one thing and one thing only,” Nair said. “That’s securing code; [it] doesn’t matter how it was generated, human or AI, and now you’re able to do this enhancement of productivity. That opportunity is where we see a big push now.”

Here’s the complete video interview, part of SiliconANGLE’s and theCUBE’s coverage of the Supercloud 3: Security, AI and the Supercloud event:

Photo: SiliconANGLE
