Dynatrace ‘DevSecOps Lifecycle Coverage with Snyk’ eliminates security coverage blind spots

DevSecOps Lifecycle Coverage with Snyk, a new app developed with Dynatrace® AppEngine, enables teams to mitigate security risks across pre-production and production environments, including runtime vulnerability detection, blocking, and remediation.

The number of containers pushed from development into production continues to increase—as does the speed of container deployment. This introduces challenges for security and development teams.

Frequent deployments, rollbacks, feature-flag changes, and progressive delivery make it increasingly complex to understand the security posture of production environments, which increases security risk.

Organizations need to consider which teams are in charge of securing software assets. Both development and security teams require information that spans the software development lifecycle to work efficiently on closing gaps and blindspots in security coverage that could lead to a container reaching production unscanned, or with production vulnerabilities in the form of increased cyber-attack risk.

Many organizations are investing in DevSecOps programs and want to be sure that those programs are effective and that investment is made where it generates the highest impact. Investment in governance and automation of DevSecOps programs has a confirmed ROI.

To mitigate these increased security risks, eliminate organizational silos, control investments, and maintain agility, teams need an automatic approach that alerts them of coverage gaps from development to production to ensure gapless security coverage. Dynatrace provides just such a solution.

Dynatrace pre-deployment security tooling eliminates blind spots

With Runtime Vulnerability Analytics (RVA), Dynatrace customers already receive a prioritized and risk-based assessment of detected vulnerabilities. RVA, in conjunction with Dynatrace OneAgent^®, auto-discovers running containers and their versions, including all vulnerabilities.

By integrating scan information from Snyk Container, Dynatrace now connects pre-deployment security tool information that eliminates blind spots.

Leveraging Dynatrace^® AppEngine, we’ve developed an app called DevSecOps Lifecycle Coverage with Snyk. As you can see below, the app provides a holistic view across the DevSecOps lifecycle. It highlights where containers have slipped into production after bypassing security controls.¹

Container details are provided for both the organizational and the team level, spanning workloads, containers, and services—covering all levels of an organization’s business-critical applications. You can specify exactly what scope you’re interested in to get exactly the information you need.

“Dynatrace’s new DevSecOps Lifecycle Coverage with Snyk app provides an end-to-end understanding of application security, from pre-production to production-runtime environments. Pre-production container scans from Snyk combined with AI-powered application runtime insights and analytics from Dynatrace will enable our teams to pinpoint the location of vulnerabilities in our complex multicloud ecosystem, automatically prioritize these based on the risk of each exposure, and use recommendations to proactively remediate these risks.”
— Luca Domenella, Head of Cloud Operations and DevOps, Soldo

DecSecOps Lifecycle Coverage with Snyk was created as part of a strategic technology alliance with Snyk, a developer security platform. Dynatrace integration with Snyk extends runtime application security into pre-production for functionality like static code and container scanning.

Use runtime insights to drive automation and operationalize application security

Dynatrace Application Security operationalizes security for you with a uniquely innovative approach. Other vendors have tried to integrate vulnerability information into their tools without the runtime observability context to enhance, for example, service tickets. Those approaches fail or are severely limited and ultimately don’t achieve their goal of providing application security in production at runtime. This is because if you don’t know what’s happening at any given point in time, all information and actions are retrospective. This is where Dynatrace is different.

Operationalization can be as simple as automated targeted notifications for teams with context-rich detail and metadata. Of course, you’re not limited to this. You can create your own workflow automations with the Dynatrace platform’s new AutomationEngine, thereby deeply integrating automation with your existing tools. With knowledge of coverage completeness and exposure, you can improve your DevSecOps programs and related areas. For example, you can improve cyber security insurance policies by providing reports and insights into your DevSecOps program’s effectiveness and security control coverage. More importantly, you get a clear risk management process based on the provided insights.

Software Bills of Materials commonly include numerous third-party software libraries and assets. Therefore, organizations need to secure their custom code and be able to easily and reliably check third-party code. With DevSecOps Lifecycle Coverage with Snyk, all software assets are the same, whether they’re scanned, unscanned, vulnerable, or safe.

With the ability to continuously report the state of application security, it’s convenient for security teams to report to their CISOs and board members. Finally, having a real-time view enables you to advance your organization’s security posture across the software lifecycle and target investments with a clear ROI that can be proven, based on improved coverage, fewer vulnerable containers, and the elimination of unscanned containers.

Because we at Dynatrace treat ourselves as customer zero, we rely on the Dynatrace platform to manage our own organizational security posture. We therefore also benefit from enhanced Application Security and DevSecOps Lifecycle Coverage with Snyk. Dynatrace is also a Snyk customer. This means that our development and security teams benefit from targeted notification and actionable information, while we have Dynatrace-wide coverage information continuously provided by DevSecOps Lifecycle Coverage with Snyk.

What’s next?

DevSecOps Lifecycle Coverage with Snyk will be available within 90 days.

With insights into the coverage of your container scans, the next step is for you to try out AutomationEngine and the new Workflows app to build your own automated workflows, which can, for example, generate security tickets and send notifications to Jira, Slack, or your tool of choice.

You can also use the dashboarding and reporting capability of DevSecOps Lifecycle Coverage with Snyk to build reports and distribute them throughout your organization on a regular basis.

Want to get involved?

We will welcome a limited number of customers to a preview program to work with us on finetuning the user experience of DevSecOps lifecycle Coverage with Snyk. If you’re interested in joining, please reach out to your sales contact to see if we have an available slot for you in the preview program.

________________________
¹ _{Security controls refer to methodologies, policies, procedures, and technologies that are implemented to reduce the risk of security breaches, data theft, and other malicious activities.}

² _{Gartner, How to Run Containers and Kubernetes in Production, Arun Chandrasekaran, 1 September 2022. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.}

³ _{Gartner, Cybersecurity Market Insight: Convey Business Outcomes When Marketing Security Solutions. Ayelet Heyman, 11 January 2023.}