What is our primary use case?
Talking about the current situation in our security posture, we decided to choose a platform which could help us to improve our Security Development Lifecycle process. We needed a product that could help us mitigate some risks related to the security side of open source frameworks, libraries, licenses, and IT configuration. We were interested in a solution that could also utilize Docker images that we are using for the deployment. In general, we were interested in a vulnerability scanner platform for performance scans to deliver and calculate our risks related to code development.
How has it helped my organization?
We have integrated it with our infrastructure, collecting images from there, and performing regular scans. We also integrated it with our back-end in version control systems.
Some time ago, we deployed a new product based on web technologies. It was a new app for us. From the beginning, we integrated Snyk's code scans that the product is based on. Before the production deployment, we checked the code base of Snyk, and this saved us from the deployment with the image of the solution where there were some spots of high severity. This saved us from high, critical vulnerabilities which could be exploited in the future, saving us from some risks.
It helps find issues quickly because:
- All the code changes go through the pipeline.
- All new changes will be scanned.
- All the results will be delivered.
This is about the integration. However, if we're talking about local development, developers can easily run Snyk without any difficulties and get results very quickly.
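The pipeline integration described above (every change scanned, results delivered, results also reproducible locally), plus the multi-module and base-image points raised elsewhere in this review, can be illustrated with a CI configuration. The following is an added example written for this page, not the reviewer's configuration and not Snyk's published sample; it assumes Bitbucket Pipelines (the review mentions Bitbucket), a secured repository variable `SNYK_TOKEN` that the Snyk CLI reads automatically, a variable `IMAGE_NAME` for the image being built, and the image tags `snyk/snyk:maven` and `snyk/snyk:docker` for the CLI images (tag names assumed; pick the Snyk CLI image that matches your build toolchain).

```yaml
# bitbucket-pipelines.yml (added example, not from the review or from Snyk)
# Assumptions: SNYK_TOKEN and IMAGE_NAME are secured repository variables;
# the snyk/snyk:* image tags below are assumed and should be checked against
# the images your toolchain needs.
definitions:
  steps:
    - step: &snyk-dependency-scan
        name: Snyk open source dependency scan
        image: snyk/snyk:maven
        script:
          # --all-projects walks every manifest in a multi-module repository
          # (several frameworks / package managers side by side) instead of
          # relying on one auto-detected root manifest.
          # --severity-threshold=high makes the step fail, and the pipeline
          # stop, when a high or critical finding is present.
          - snyk test --all-projects --severity-threshold=high --json-file-output=snyk-deps.json
          # Record the dependency tree so newly published advisories against
          # already-shipped code are reported without a new commit.
          - snyk monitor --all-projects
        artifacts:
          - snyk-deps.json

pipelines:
  # Every pushed change runs the dependency scan.
  default:
    - step: *snyk-dependency-scan
  branches:
    main:
      - step: *snyk-dependency-scan
      - step:
          name: Build and scan container image
          image: snyk/snyk:docker
          services:
            - docker
          script:
            - docker build -t "$IMAGE_NAME:$BITBUCKET_COMMIT" .
            # --file=Dockerfile lets Snyk attribute findings to the base image
            # layer and recommend an alternative base image; fixing the shared
            # base image fixes every service built from it.
            - snyk container test "$IMAGE_NAME:$BITBUCKET_COMMIT" --file=Dockerfile --severity-threshold=high
            - snyk container monitor "$IMAGE_NAME:$BITBUCKET_COMMIT" --file=Dockerfile
```

Developers get the same result locally by running `snyk test --all-projects` (or `snyk container test <image> --file=Dockerfile`) in the repository checkout, which is what makes the pipeline and the local workflow agree on what blocks a deployment.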
It is one of the most accurate databases on the market, based on multiple open source databases. It has some good correlation and verifications about findings from the Internet. We are very happy on this front.
The solution's container security feature allows developers to own security for the applications and containers they run in the cloud. They can mitigate the vulnerabilities at the beginning of the solution's development. We can correlate the vulnerabilities in our base images and fix the base image, which can influence multiple services that we provide.
What is most valuable?
We see that they are continuously working on the Kubernetes security and platform security checking. This is interesting for us, because we are an enterprise customer, and all of these features are made available for us.
It has an accurate database of vulnerabilities with a low amount of false positives.
The container security feature provides good actionable advice for points of integration.
What needs improvement?
The documentation is sometimes not relevant. It does not cover the latest updates, scanning, and configurations. The documentation for some things is wrong and does not cover some configuration scans for the multiple project settings. For example, sometimes the code base condition is consistent on multiple modules. It's kept on different frameworks and package managers. This requires Snyk to configure it with a custom configuration from the scan. From this point of view, the documentation is unclear. We will sometimes open enterprise tickets for them to update it and provide us specific things for the deployment and scanning.
There is no feature that scans, duplicates its findings, and puts everything into one thing.
The communication could sometimes be better. During the PoC and onboarding processes, we received different suggestions versus what is documented on the official site. For example, we are using Bitbucket as a GitHub system for our code, especially for Snyk configurations. The official web page provides the way to do this plugin configuration. However, if we talk about a direct connection with our managers from Snyk, they suggested another way.
For how long have I used the solution?
We have been using this product for five months.
What do I think about the stability of the solution?
The product is sometimes unstable.
What do I think about the scalability of the solution?
There aren't any limitations because we are using it as a SaaS platform. As an enterprise customer, we can create teams and additional projects as well as involve additional people. These things can easily be covered for our entire business.
We currently have 20 developers who use it.
We are planning to increase usage based on the things that Snyk can provide us, like Kubernetes security. I would rate our adoption rate at a seven out of 10.
How are customer service and technical support?
Our enterprise success manager from Snyk has open discussions with us. We have been with Snyk at meetings and webinars with our engineers. Documentation for scanning on the developer side is clear and good. We don't have any concerns from our development team that it is difficult or unclear. Everything is good on this point.
It has poor support sometimes for the Scala language when running scans of the official Docker images from Snyk. Scala is a part of the Java framework. We need to customize it and build our own Snyk images. The platform provides the images, but the execution is too long.
Their customer success management is an eight out of 10, because every enterprise ticket should go to general support initially.
I would rate the first line of support as a six out of 10, but their technical site engineers who help us are an eight out of 10.
Which solution did I use previously and why did I switch?
We did not previously use another solution in this company.
How was the initial setup?
The initial setup was not complex; it was easy for us. I thought the configuration guidelines offer a clear way for integration with registries, where we are hosting our Docker images. It was easy to integrate with Docker platforms for the SoC configuration, which was done in one working day. This was very fast.
The documentation of installation (for the scanner on endpoints for development) was clear. We quickly checked all our inbox code. All of the processes of enrollment were clear and fast.
The initial setup took one month. Our deployment is still going on.
What about the implementation team?
Its enterprise support is a very good feature. This helped us to enforce processes faster.
Our implementation strategy is based on suggestions from the product managers and success managers from Snyk. In general, we are going to collect all of the vulnerabilities and findings as soon as possible to aggregate the results and mitigate the false positives. This is to correlate the results of a licensed check-in and create our own policies for future detections.
For part of the configurations, we needed help from Snyk because sometimes the documentation is wrong. It can also be unstable, so we cannot integrate the scans with an unknown error. In these cases, we contact our enterprise support to help out. It does require us to contact support regularly.
What was our ROI?
It will probably be a year before we see value from the Snyk platform.
Snyk has reduced the amount of time it takes to find problems by 30 to 40 percent.
What's my experience with pricing, setup cost, and licensing?
The price is good. Snyk had a good price compared to the competition, who had higher pricing than them. Also, their licensing and billing are clear.
Which other solutions did I evaluate?
We have multiple language service platforms based on different language scopes. We were interested in a platform which could cover all of the languages that we are using. We are a mobile-first application, so we were interested in the iOS and Android code and having back-end services that could be deployed via different languages. Another aspect was checking Docker images for vulnerabilities, using Gartner investigation and market research, and applying my personal experience in this niche (Security Development Lifecycle).
We had a comparison between several vendors, like Aqua Security, Snyk, and Qualys. In general, Snyk was the only solution that had a Docker scan aspect to it. It also offered us open scan for vulnerabilities. For this reason, we chose Snyk. It covers not only continuous scanning, but also provides the license scanning and open source scanning out of the box. While there are a lot of open source products on the market that offer this capability, Snyk aggregates all these features in one place.
If I had to go through the process of choosing a platform for our company again, I would choose Snyk.
What other advice do I have?
Check the following before using Snyk:
- Your language frameworks and whether Snyk can cover them.
- The specific package managers that you are using.
- How Snyk performs with all your platforms, not just the main part. Gauge the difficulty.
Check the solution for all your language specifics. We have had some interesting projects where the default configuration does not work. Before using such products, you should check it in the most complex projects that you have.
Based on all our products, including Snyk, we have seen a 50 percent reduction in the amount of time it takes to fix problems.
The solution allows our developers to spend less time securing applications, increasing their productivity.
The feedback: It's a very interesting solution. It is clear what we are using it for and how we should use it. However, if we are talking about the interest from our developers, then the solution was evaluated as a medium. This is because of its readiness for implementation and adoption process.
I would rate this solution as an eight or nine out of 10.