What is our primary use case?
Snyk is a security software offering. It helps us identify vulnerabilities or potential weaknesses in the third-party software that we use at our company.
The solution is meant to give you visibility into open source licensing issues, which you may not necessarily be aware of, such as the way you ingest libraries into your application code for third-party dependencies. There is visibility into anything that could be potentially exploited.
It provides good reporting and monitoring tools which enable me to keep track of the vulnerabilities found now and/or discovered in the future. It is pretty proactive about telling me what/when something might need mitigation.
Their strength is really about empowering a very heterogeneous software environment, which is very developer-focused and where developers can easily get feedback. If you integrate their offering into the software development life cycle (SDLC), you can get pretty good coverage from a consumer perspective into the libraries that you're using.
It's a good suite of tools tailored and focused towards developers. It ensures their code is safe in regards to their usage of third-party libraries, e.g., libraries not owned or controlled, then incorporated into the product from open sources.
How has it helped my organization?
It is meant to be a less intrusive type of solution. It is easy to integrate and doesn't require a lot of effort. It's more a part of the CI/CD pipelines, which doesn't necessarily interfere with developers other than if there are actions/remediations to be taken. From a development impact, it's very lightweight and minimal.
It is not noticeable for most engineers since it's part of the pipeline. If no new findings are reported, then it goes through without any signals or noise. If there were findings, these are usually legitimate findings and can be configured in such a way that they can be blocked/stopped in your pipelines or be more informational. The user has all the knobs and screws to turn and tweak it towards their use case because there may be areas where security is more critical than in other parts of the company, like development projects.
We exclusively use their SDE tools. Our CI/CD environments are powered by source code control systems like GitLab and GitHub. Bitbucket has also been integrated to some extent. There are CI/CD pipelines where we pull in Snyk as part of the pipeline, jobs, Jenkins environment, etc.
What is most valuable?
It is a fairly developer-focused product. There are pretty good support and help pages which come with the developer tools, like plugins and modules, which integrate seamlessly into continuous integration, continuous deployment pipelines. E.g., as you build your software, you may update your dependencies along with it. Packages that it supports include CI/CD toolchains, build tools, various platforms, and software/programming languages.
It is one of the best products out there to help developers find and fix vulnerabilities quickly. When we talk about the third-party software vulnerability piece and potential security issues, it takes the load off the user or developer. They even provide auto-mitigation strategies and an auto-fix feature, which seem to have been adopted pretty well.
Their focus is really towards developer-friendly integrations, like plug and play. They understand the ecosystem. They listen to developers. It has been a good experience so far with them.
What needs improvement?
There were some feature requests that we have sent their way in the context of specific needs on containers, like container support and scanning support.
There are some more language-specific behaviors on their toolchains that we'd like to see some improvements on. The support is more established on some than others. There are some parts that could be fixed around the auto-fix and auto-mitigation tool. They don't always work based on the language used.
I would like them to mature the tech. I am involved with Java and Gradle, and in this context, there are some opportunities to make the tools more robust.
The reporting could be more responsive when working with the tools. I would like to see reports sliced and diced into different dimensions. The reporting also doesn't always fully report.
Scanning on their site, to some extent, is less reliable than running a quick CLI.
For how long have I used the solution?
We have been engaging with Snyk for close to a year.
What do I think about the stability of the solution?
I have not encountered any instabilities at this point.
We have seen cases where tools didn't find or recognize certain dependencies. These are known issues, to some extent, due to the complexity in the language or stack that you are using. There are certain circumstances where the tool isn't actually finding what it's supposed to be finding, and then it could be misleading.
As a SaaS offering, it's been fairly stable.
We have an on-prem type of broker setup, which seems to be fairly stable. I'm not aware of any particular outages with it.
What do I think about the scalability of the solution?
We have no concerns regarding scalability. We operate at scale. Their approach is pretty lightweight for integrating tools locally.
We are not fully rolled out across the company; parts of the company are using it more than others. There are some best practices that we still have to establish across our development teams so it feels consistent across our scalable processes.
How are customer service and technical support?
I would gauge the technical support as pretty good from our interactions. We are in a licensed partnership, so the response and support that we're getting is part of our license. For quick resolutions, we have standing channels, like Slack, where we can easily get a hold of somebody who can jump in and provide some feedback. The ticketing support system is for medium to long-term requests. It's been pretty good in terms of responsiveness and their ability to support in a very reasonable time frame. Responding in less than a few hours is common in regard to surfacing issues and obtaining proactive support with someone who can chime in and provide potential resolution strategies.
The product is tailored towards developers. It has a good implementation and support team who provide quick resolution on support issues. Their support listens to feedback. We engage with them, and they listen to developers' needs. They have also been pretty good in terms of turning things around. Even though we hadn't done a major request with them, they're very supportive, open, and transparent in terms of what makes sense and is reasonable, like shared priorities and roadmaps.
How was the initial setup?
We have been struggling a bit with the GitLab setup, but that's more of a custom solution problem.
What's my experience with pricing, setup cost, and licensing?
Their licensing model is fairly robust and scalable for our needs. I believe we have reached a reasonable agreement on the licensing to enable hundreds of developers to participate in this product offering. The solution is very tailored towards developers and its licensing model works well for us.
What other advice do I have?
It addresses a lot of needs, especially in growing organizations. The more developers, the more heterogeneous your environment will look, as well as needing more tools to help you scale security practices. In this regard, it seems to be a very promising, scalable solution.
We have been utilizing the solution’s container security feature. It is not at full scale, though. We are engaging Snyk on container integrations.
I would rate it an eight (out of 10).