Snyk unveils AppRisk workbench for ASPM that unifies application development and security

Snyk AppRisk extends the company's ASPM portfolio to improve collaboration among development and security teams in ASPM.

Manoj Nair, Chief Product Officer at Snyk

Developer security provider Snyk has launched Snyk AppRisk, a solution designed to empower application security [AppSec] teams with a comprehensive Application Security Posture Management [ASPM] workbench to govern and scale their security programs. Snyk AppRisk is designed to bring development and security teams together in ASPM so that they can collaborate more effectively.

Snyk AppRisk is the latest extension of the company’s ASPM portfolio, and comes on the heels of both the acquisition of Israeli-based ASPM pioneer Enso Security and the organic development of its own Insights ASPM solution, both of which took place earlier this year.

“It has been a bit of a journey,” said Manoj Nair, Chief Product Officer at Snyk. “Insights was our organic integration. There are multiple pain points and it is focused on one — figuring out what was the highest risk. That was our first focus on prioritization. AppRisk adds two more fundamental use cases. One is the unknown unknowns. What are developers doing with all the assets that security teams don’t already know? Enso monitored for these unknown risks, and the Enso capabilities are being rolled into AppRisk. We stopped selling Enso separately soon after the acquisition, because we don’t do standalones. We integrate them into our platform, rather than treat them like they are an independent company.”

The second role is the creation of a Developer First ASPM workbench, where Snyk’s role is to empower developers to fix issues rather than to find them later on. Its automated application asset discovery continually discovers application assets and classifies them by business context, in order to ensure that security stays fully in sync with developers.

“Our Developer First ASPM vision lets developers have a workbench,” Nair said. “We believe that the developers have the tooling now. But to make sure the context is right, to determine things like ‘is this a business-critical app’, we needed to bring things over from the security space. So it took us some time to bring together both amazing capabilities to create this workbench. The security capabilities let you manage the application risk with tailored security controls – and that is why we picked the name AppRisk for the solution. It helps the teams by showing what apps are in the pipeline and what their risk is. AppRisk is the first product to bring all that together. It also blends application context with best-in-class security and fix analysis to quantify risk and create an evidence graph that ensures developer remediation efforts are focused on the issues that pose the biggest risk to the business.”

Snyk AppRisk will prove critical for security teams as they tackle new vulnerable code components, because security is built into the developer pipelines very early in the process.

“In the application security space, these are tools for AppSec testing, although these are usually for compliance and done after the fact,” Nair stated. “Now it is truly built into the developer pipelines before you start coding, or even before that. We are automatically discovering the components and building an application graph, which blends it all together to prioritize. We have 30 plus customers in beta, and the amount of noise they were able to reduce was amazing, and it allowed them to focus on the small percentage, about 6%, that was really dangerous.”

Ultimately, two versions of Snyk AppRisk will be available. The basic version is AppRisk Essentials, which is focused primarily on Snyk-based developer security tools, and which is available today.

“Most customers on Snyk will get the full workbench capabilities that they need from AppRisk Essentials,” Nair said.

In early 2024, Snyk will additionally launch AppRisk Pro, an offering for enterprise customers to manage and scale their entire developer security programs.

“The bigger you get, the more compliance requests you get, and that’s part of what Pro does,” Nair noted. “Pro brings in issues from other tools — open source, partners, and competitors – and allows you to do more policy management, all in one central place. Larger organizations will have the need for something more comprehensive, and Pro is designed for that market.”

From a channel perspective, Nair said that the big opportunity around Snyk AppRisk is really for bigger system integrators.

“They are now trying to transform how you manage risk in the environment,” he indicated. “Today a CISO’s world is very noisy. We are building the tooling to deal with this and the tooling lets the SI build the entire security landscape in a more strategic way.”