Brought to you by:
Enterprise Strategy Group  |  Getting to the Bigger Truth™

ESG WHITE PAPER

Developer-first Security Enables Security Teams to Scale for the Cloud


Empowering Developers to Secure Their Code While Giving Security Control and Visibility to Manage Security Enables Them to Scale


By Melinda Marks, ESG Senior Analyst
AUGUST 2022

Executive Summary

With the speed of modern software development, organizations are looking for ways to secure their applications in the cloud without slowing development down. In the first half of 2022, ESG interviewed Snyk customers to learn how they are using Snyk’s developer security platform to build security processes into development and thereby scale their security teams to support applications in cloud-native environments. These interviews with security and DevSecOps leaders covered their top challenges, the tools they have in place, and the strategies they use to scale their security programs with the faster cycles of modern software development.

Based on these interviews, ESG concludes:

• Security teams are challenged keeping up with the speed of modern software development. As organizations undergo digital transformation and adopt modern application development processes, traditional application security approaches are ineffective with cloud-native technologies and workflows. Developers will reject security solutions that disrupt their processes or create too many alerts. Organizations are seeing a high number of security incidents and serious consequences from code misconfigurations, but when they try to implement testing and tools to catch the problems, they create unmanageable workloads for both developers and security teams responding to security alerts.
• Organizations need security solutions that fit into their modern software development processes to ensure that their application code is tested and secure. Security teams need a way to incorporate security processes into developer workflows while giving security teams the visibility and control they need to ensure that code is tested and secure before the applications are deployed to the cloud. When the application is running, security also needs an efficient way to help developers remediate issues as they are found. For the developers to accept the security tools, they can’t require context switching; the security solutions need to work in the developers’ existing tools and workflows to optimize efficiency and create faster feedback loops across the software development lifecycle (SDLC).
• Snyk is a trusted vendor helping organizations scale security to meet the demands of modern software development. Snyk enables its customers to shift security left to developers, empowering them to secure their own code while giving security the visibility and control they need to manage security risk. Customers who shared their experience described how Snyk enabled developers to efficiently fix coding issues throughout the software development lifecycle. They reported measurable results, including the development of more secure products, more efficient development, fewer security incidents, and time savings for both development and security teams.

As organizations undergo digital transformation for faster development cycles and so they can make their applications available to wider audiences, they are looking for security solutions to shift security left and enable security teams to scale. Whereas many available solutions cater to security teams or utilize traditional security methods, Snyk takes an innovative developer-first approach with a solution designed for developers to efficiently fix security issues in their own tools and workflows and produce higher quality, secure code. At the same time, it gives security teams the visibility and control they need to effectively manage risk.

Modern Software Development Demands a New Security Approach

Organizations are increasingly leveraging cloud services to meet business demands for increased productivity and to make their applications available to their customers, partners, and employees. ESG research shows that 95% of organizations use public cloud services, with more than 4 out of 10 organizations adopting a cloud-first approach for new applications. By using the cloud provider’s state-of-the-art technology and services, organizations can provision infrastructure and develop applications faster, without having to worry about the underlying hardware or maintenance.

This helps them meet increasing pressure to move fast. ESG research shows that 91% of organizations have to move faster than three years ago for their team to deploy applications, infrastructure, and services (see Figure 1).

Figure 1. Organizations Under Pressure to Move Fast

When you think of the requirements placed on your organization today compared with three years ago, how much faster, if at all, does your team need to deploy applications, infrastructure, and services? (Percent of respondents, N=359)

Source: ESG, a division of TechTarget, Inc.

Moving to the cloud enables developers to move faster because they gain the flexibility to build and run applications with minimal involvement from other teams. They can leverage infrastructure-as-code (IaC) templates to provision their own infrastructure. They also save time by using open source software (OSS) so they don’t have to build entire applications themselves; they can leverage already established, freely available code and reduce the custom code they need to build for their applications.
They are also using continuous integration and continuous deployment (CI/CD) pipelines to facilitate team collaboration and maximize efficiency throughout the software development lifecycle.

Security Teams Are Challenged Keeping Up

While development can move faster with modern software development processes, security teams, who are typically vastly outnumbered by developers, are increasingly challenged since they are responsible for security and compliance as the speed and volume of software releases increases.

This is additionally challenging since they face a skills shortage in cloud security. ESG research on cybersecurity professionals found that organizations’ top cybersecurity skills gap is in cloud computing security, with 39% of organizations facing a shortage in cloud computing security skills, and 30% facing a shortage in application security skills. This makes it difficult to hire and retain staff, and team members are likely to be overworked (see Figure 2).

Figure 2. The Impact of the Cybersecurity Skills Gap

You indicated that the organization you work for has been impacted by the global cybersecurity skills shortage. What type of impact has the global cybersecurity skills shortage had on your organization? (Percent of respondents, N=282, check all that apply)

Source: ESG, a division of TechTarget, Inc.

A senior cloud security engineer for a multi-state bank with $26 billion in assets said that while the company has 60 people in information security, it has only four people to support its cloud applications. “We have four of us focused on the newer stuff. Our workloads in the cloud are increasing but we’re still struggling to find the staff.”

He added that security staff don’t have the skills needed for cloud-native application security. “Their skills are specialized around tools and vendors, and they aren’t interested in newer development processes. They promote tools that are siloed where remediation requires more hassle and has to be done out-of-band.”

Traditional Security Methods Don’t Scale

There is also a cultural shift where security teams recognize that traditional security methods do not apply to cloud-native development. ESG research shows 88% of respondents believe their cybersecurity program needs to evolve to more effectively secure their cloud-native applications.

One Snyk customer responsible for DevSecOps for an F1000 fast food corporation described how his team is separate from the company’s larger security team. “Our larger security organization has traditional cybersecurity responsibilities, like compliance, auditing, service side, incident investigation. Our DevSecOps team is hyperfocused on operating at the speed and interface with DevOps,” he said.

Another Snyk customer who is the CISO for a large private university agreed, saying, “You can’t just apply traditional security methods to the cloud. It’s a whole different paradigm.”

Most organizations struggle to keep up. ESG research showed that 48% of organizations regularly push vulnerable code to keep up with release deadlines (see Figure 3).

Figure 3. Companies Increasingly Prefer Pay-as-you-go Payment Models

Assuming the net-cost was the same, which of the following do you believe would be your organization’s preferred payment model for on-premises data center infrastructure? (Percent of respondents)

Source: ESG, a division of TechTarget, Inc.

Traditional application security utilizes scanning and testing to identify and fix security vulnerabilities, ideally before the application is released. For modern software development, trying to use security tools to scan application components and their workloads—including container images, serverless, IaC, OSS components, and custom code components—is difficult to deploy and manage.
“You can’t just run a scan and tell the developer ‘it’s broken. Go fix it.’ You can’t just hand it over the wall.”
-CISO, large private university
ESG research shows most organizations use multiple, siloed testing tools, and are looking to consolidate. If developers are slowed down by the tools or get frustrated about having too many security alerts, they won’t use them. Developers may use open source security testing tools to help them find and fix issues, but security can’t control or manage their use of tools when they are supporting multiple development teams.
“It was a large effort to get visibility. Working with different teams, different markets, forcing people to integrate by each date.”

--DevSecOps Engineer, large global fast food corporation

This was a major challenge for the global fast food company. They used multiple security tools that required effort from each team to set up and to begin scanning. They needed to set up consistent processes across their brands and companies, which include some of the world’s largest restaurant chains.
The cloud security engineer for the multi-state bank also pointed out that the biggest security challenges are those of scope because the newer technologies make it harder to remediate security issues once applications are running in the cloud. “Issues with ephemeral containers tend to surface as operational challenges instead of security programs,” he said. “It doesn’t facilitate remediation in runtime. It takes more controls and it’s harder to remediate. We need to remediate issues in the beginning, but we can’t do that as fast as generating new vulnerabilities.”

Scaling Security with a Developer Platform

In order to scale, security needs a way to empower developers to incorporate security into their workflows in a non-disruptive way, with effective prioritization policies and testing procedures that provide visibility and control to manage security risk and meet compliance requirements. Security teams need the control to roll out consistent tools and policies, and they need visibility to track and report on their progress. This shifts security responsibilities left to developers so they can test and secure their own code with less interaction from the security team. It also changes the role of security: security lays the groundwork that enables developers to do their own security testing. Security needs to make it easy for developers to use the right, easy-to-use tools in their workflows, creating shorter feedback loops that improve the quality of their code. This fosters a culture of secure development and reduces work and friction across teams.
“We finally have visibility and control, while enabling developers to work efficiently fixing coding issues.”
-SOC Analyst, large private university
“Traditional scanners turn out long reports that don’t make it easy to find out what’s really wrong and act on it.”
-CISO, large private university
For the global fast food corporation, using the Snyk platform has enabled them to incorporate security into development. The DevSecOps engineer said, “We have adopted a DevSecOps approach to enable teams to do security within their applications directly. So it’s not a shared service; it’s more of a partnership between the security organization and the direct development ownership.”

Security at the Developer’s Fingertips

Security vendors may claim to be developer-first, but security solutions are rejected if they are disruptive to processes or create too many alerts. ESG research on modern application development asked respondents about their top challenges with software composition analysis tools.

Figure 4. Top Challenges with Software Composition Analysis Tools

If you are currently utilizing open source security tools, what are your organization’s top challenges with its current SCA tools? (Percent of respondents, N=172, three responses accepted)

Source: ESG, a division of TechTarget, Inc.

The same report also showed that most organizations are using multiple application security testing tools, with most using more than 10 tools from more than five vendors.
The Snyk customers described frustration with other security products that weren’t designed for developers or for modern application development. They said that other solutions from security vendors didn’t work for developers; developers don’t want to have to use separate security tools that are not integrated into their DevOps processes. They also don’t want multiple siloed tools that each issue alerts that require them to determine what needs to be fixed, or to take the time to figure out how to fix the coding issues.
“What is distinctive about Snyk is they understand the dev persona. Other tools are more geared toward cybersecurity orgs. Snyk fits well into development, while giving cybersecurity what they need—visibility and control.”
-DevSecOps Engineer, large global fast food company
Many organizations have had challenges shifting security responsibilities left because developers want to focus on their job of building software. They don’t want to have to become security experts or spend a high percentage of their time on remediation or rework.
“Another significant issue is cognitive load. We’ve pushed a lot on developers; they are now expected to configure their resources and applications. They don’t know about encryption or other security matters.”
-Cloud Security Engineer, multi-state bank

Instead, they need solutions that work within the tools and workflows that developers are already using, with clear, simple information that can guide them to take the actions needed to efficiently remediate issues that need attention.

The Snyk customer from the financial company said he tried using open source tools to avoid the procurement cycle of a vendor solution. While the open source tools were freely available, they didn’t scale well enough for him to build an effective program across the software development lifecycle. For example, it wasn’t easy to integrate the tools in a way that let him set up policies. So, he looked for a solution that would give him more control to scale his program.

The Snyk Developer Platform

Snyk pioneered developer-first security to empower developers to secure their own code, dependencies, containers, and IaC. It works within developer workflows: developers simply connect it to their code repositories to automatically scan for security issues, and they can then secure their code in their integrated development environments (IDEs) with guided remediation steps and documentation from Snyk.

Snyk customers described how this builds security into the development processes, helping developers efficiently address security issues and produce high quality, secure code.

When security teams can help developers incorporate security processes into development workflows, it is easier for them to efficiently deliver secure code, instead of running multiple tests on their applications and their many components right before deploying them to the cloud.

“You want security to be at the developer’s fingertips, not a feedback cycle that is really long,” said the DevSecOps engineer for the large fast food corporation. “We’re talking about making an application with a security frame of mind. If I’m a developer, I can write my code and handle the issues from the code. Security is built from the ground up.”

The SOC analyst for the large private university said, “Snyk helps you catch things early instead of having to completely rebuild at the last minute. Developers feel better about doing security. They are excited about it instead of worried about causing something bad.”

The CISO of the university added, “Do you want to find out that something’s broken at 11pm the night before you’re going to take it to change control, hoping that it can deploy two days later, and then miss your window or work until 4am to fix something? Or do you want to find it when you’re building it, when it’s shifted left?”

The Benefits of Developer-First Security

The Snyk customers described noticeable differences in the pipelines where Snyk is deployed because the developers are able to work more efficiently, delivering secure, higher quality code when they deploy their applications.

The Snyk platform delivers information directly to the developers within IDEs so they can make needed code changes within their normal workflows. Customers described how this increases efficiency for developers, while turning out higher quality code, reducing the number of security issues deployed to production.

Benefits include:
• Faster, more efficient development.
• Integrations with developer tools.
• Fewer exploited applications.
• Elimination of last-minute fire drills to fix a list of vulnerabilities before a release.
• Reduced work for both security and development teams.
• Clear remediation steps and documentation.
• Ability for smaller security teams to support development teams.

“Organizations will always have more developers than they will have security, always more code, moving at lightning speed. Without Snyk, you will always be far behind.”
-DevSecOps Engineer, large global fast food company

For all of the customers ESG interviewed, Snyk has reduced the number of security issues and attacks, reducing work for the security teams.

“The integrations and documentation make it easy for developers to push a simple fix,” said the SOC analyst for the large private university. “Simple fixes that would have been otherwise difficult to find have significantly lowered the number of web attacks on known exploitable vulnerabilities.”


The Bigger Truth

Cloud-native application development requires a new security approach that enables security teams to scale. While organizations have been trying to decentralize security and shift security responsibilities left to developers, many solutions are rejected if they do not work within developer workflows, or if they do not provide security with the control and visibility to scale their programs.

Snyk has pioneered an effective developer-first approach that enables security teams to help developers build secure processes into development. This modern approach empowers developers to build, test, and deliver secure, high-quality code that meets functional, performance, and security requirements, from design through build to test and deployment, while security gains the visibility and control they need to scale their teams to support the speed and velocity of cloud-native development.

Customers report measurable benefits, including increased efficiency across teams and fewer security incidents.

This ESG White Paper was commissioned by Snyk and is distributed under license from TechTarget, Inc.

All product names, logos, brands, and trademarks are the property of their respective owners. Information contained in this publication has been obtained by sources TechTarget, Inc. considers to be reliable but is not warranted by TechTarget, Inc. This publication may contain opinions of TechTarget, Inc., which are subject to change. This publication may include forecasts, projections, and other predictive statements that represent TechTarget, Inc.’s assumptions and expectations in light of currently available information. These forecasts are based on industry trends and involve variables and uncertainties. Consequently, TechTarget, Inc. makes no warranty as to the accuracy of specific forecasts, projections or predictive statements contained herein.

This publication is copyrighted by TechTarget, Inc. Any reproduction or redistribution of this publication, in whole or in part, whether in hard-copy format, electronically, or otherwise to persons not authorized to receive it, without the express consent of TechTarget, Inc., is in violation of U.S. copyright law and will be subject to an action for civil damages and, if applicable, criminal prosecution. Should you have any questions, please contact Client Relations at cr@esg-global.com.


Enterprise Strategy Group is an IT analyst, research, validation, and strategy firm that provides market intelligence and actionable insight to the global IT community.