Advanced Computing in the Age of AI | Tuesday, May 21, 2024

DevSecOps Emerges as a Cash Magnet 

The shift toward front-end application security continues to gain momentum with DevSecOps vendors attracting investors as new security tools are integrated with enterprise application development workflows.

The latest illustration comes from high-flying Snyk Ltd., which announced a $200 million funding round this week led by Addition, a venture capital firm launched last year.

Snyk’s cybersecurity platform helps application developers spot vulnerabilities in open source code. Early backers included Alphabet’s GV, the former Google Ventures, and Salesforce Ventures.

The London-based security vendor works with a growing list of cloud infrastructure specialists, including Atlassian, Docker and Red Hat. For example, the company’s tools scan dependencies in public container image registries, detect vulnerabilities and apply fixes to open source code and applications before they enter production.

Snyk and other cloud security vendors have focused on container image registries as a weak link in the cloud-native application development workflow. Aqua Security, the Boston-based infrastructure security specialist, released a similar scanner earlier this year targeting Docker container images and Harbor, an open source container image registry project backed by the Cloud Native Computing Foundation.

Meanwhile, Docker and others are addressing open source vulnerabilities with secure image registries based on production deployments of Kubernetes.

“As the pandemic fuels the dramatic acceleration of digital transformation projects globally, it’s crucial that we continue to provide very busy development teams with security intelligence, automated workflows and visibility that will help mitigate their risks faster and more easily,” Snyk CEO Peter McKay said in announcing the funding round.

The five-year-old DevSecOps startup has so far raised $450 million and claims a valuation of more than $2.6 billion. Snyk currently has 375 employees and expects to hire another 100 over the next year as it ramps up operations.

Surging investor interest in DevSecOps reflects the security vulnerabilities exposed by the enterprise rush to get distributed applications out the door. A recent study commissioned by Synopsys Inc. (NASDAQ: SNPS), the chip design automation specialist, found that a growing percentage of harried developers knowingly push vulnerable code to production due to time pressures.

Hence, DevSecOps startups like Snyk are expanding their offerings to cover everything from JavaScript to Kubernetes security. For instance, Snyk earlier this week released a plugin designed to help Python developers detect security vulnerabilities in open source dependencies. The tools are intended “to shift security as far left as possible,” that is, to the first lines of code.

These and other approaches reflect the growing integration of DevOps and security, an alternative to relying on separate security teams to report and patch vulnerabilities once applications are pushed to production.

About the author: George Leopold

George Leopold has written about science and technology for more than 30 years, focusing on electronics and aerospace technology. He previously served as executive editor of Electronic Engineering Times. Leopold is the author of "Calculated Risk: The Supersonic Life and Times of Gus Grissom" (Purdue University Press, 2016).