Snyk beefs up DevSecOps by acquiring Application Security Posture Management pioneer Enso Security

In addition to the acquisition of the first company in the ASPM space, Snyk also announced their own ASPM solution, Insights, which reduces the issues customers need to consult to a manageable number.

Manoj Nair, Snyk’s Chief Product Officer

Boston-based developer security Snyk has announced an agreement to acquire Israeli-based Enso Security, which when Enso launched in October 2022 was the first company to design an Application Security Posture Management [ASPM] solution. Enso manages application security at scale using a posture management platform tool common in cloud and SaaS, and applies it specifically to applications. The deal is subject to customary closing conditions and is expected to close in Q2 2023.

Snyk, itself an Israeli-based startup which launched in 2015, is in what Gartner calls the AppSec Testing quadrant.

“We made the DevSec market cool, and there are now hundreds who have jumped in,” said Manoj Nair, Snyk’s Chief Product Officer. “Since we started, compliance and audit created a much larger market. What we do isn’t being done to check mark boxes. Before we were founded, any open source library could be hacked. 70-90% of apps build with open source code. If the library they use is using some other library that uses another library that has been compromised, then they are compromised as well.”

Nair also noted that software supply chain attacks have become mainstream. “Software supply chain is the number one way for penetration, according to Forrester,” he said. “This is because companies take the approach from the wrong angle, and assume some app from outside can come in and catch the problem, but by then it is too late. Very few engineering schools teach curriculum focused on safety and security. They want speed and productivity. Doing both is our innovation. We focus on the developer, and arm them with context to do the right thing.”

While Enso was the pioneer in the ASPM space, Snyk has moved into it themselves.

‘Since Enso launched, ASPM has broadened in terms of the number of use cases,” Nair said. “We had a team building one of the aspects that are part of the ASPM. Companies scan all the places in the pipeline, but there are many in large enterprises, so developers don’t always catch them and they escape into production. Customers helped us with the prioritization of this. Today, we also launched Insights, which brings 100,000 issues down to 10, so that the customer can prioritize. That’s the part of ASPM that we built. It discovers what app security controls they have in place, to discover the known unknowns. Gartner says 40% of enterprise will have an ASPM solution by 2026.”

So how does Enso Security and its ASPM solution extend this capability further?

“They are very complementary to us in that they focus on discovery, the discovery of controls,” Nair stated. “They have over 100 tools in their AppSec marketplace.” They are also based in our old office in Israel which we grew out of.”

While this connection between the two companies existed before the acquisition, Nair said that they looked at everyone in this space when pondering who to buy.

“We have almost 100 companies in our marketplace, and a dozen claim to be ASPM,” he indicated. “We really liked the tech and the people Enso has. The whole team is 30 people, almost all of whom is based in Israel, and they are all coming over. This includes their original leadership,  CEO Roy Erlich, Chief Products Officer Chen Gour Arie, and CTO Barak Tawily, all of whom originally came out of Wix.com, a do-it-yourself SaaS platform for making websites.

“We have done 5-6 acquisitions, including TopCode in 2020, whose DeepCode AI became the foundation of Snyk Code,” Nair said. “It is a data analytics stack based on top of Snowflake, and it fits the patterns of success we  have seen, and which we think applies with Enso.”

Nair said they expect a relatively easy integration with the newly-acquired asset, which will be integrated together with Insights to provide a full developer security platform providing a holistic view of application security posture.

“Just acquiring something doesn’t work well for the customer, because that’s too brittle,” he commented. “We buy companies with which we have done deep integrations, and we have worked a lot on ASPM because customers got us to accelerate it on our platforms. We believe snapping it in will not be a long task.”

While Snyk, like many developer-focused organizations, initially made extensive use of developers to get them to market with their employers, they have ramped up their channel presence as they have gone deeper into the enterprise.

“We started with individual developers using us, but recently while the company has grown 100%, our enterprise business has grown 200%,” Nair said. “We have seen increased pull from enterprise CISO teams, and a lot of that is channel. We work with a lot of big security partners and cloud marketplaces.”

The Enso Security acquisition is part of SnykLaunch June 2023, the company’s quarterly launch event. The new Insights, Snyk’s organic ASPM solution designed  for more effective prioritization of security issues is part of this, as is the new DeepCode AI.

“In the whole realm of noise around Generative AI, when it comes to security of code you need to be very careful, especially with our focus on the software supply chain,” Nair said. “We have had DeepCode AI in beta for 3-4 weeks with 150 customers using it, and it is taking off fast.”

Nair noted there are also some new bells and whistles for Snyk code.

“There are custom rules, without having to become an expert, and also Sneak Learn enhancements, which thousands use for in-context learning. We have partnered with NYU to make Sneak Learn teach security basics at the university, and we don’t charge for this.”