Enso Application Security Posture Management

The most recent client had experience with other products that did not have some features Snyk  provides, such as Fortify in the old version before OpenText  acquisition. They gave feedback about the precision in discovering vulnerabilities. They found that Snyk  can provide more insights about vulnerabilities than older applications in SAST  and SCA .

We have integration with GitHub Actions  to analyze the code and we use a double check in the pipeline. Our strategy is about shift left. The developers connect with Snyk, Git , and use this with the pipeline.

They evolved their maturity because they could find the vulnerabilities before the pipeline runs. They can find and correct these vulnerabilities in a step before the pushes and PRs to GitHub . They think it is a very positive feature.

I appreciate the UI. It is simple, fast, and I value the precision in the tests. The responses are positive.

Regarding the vulnerability database and AI, we have good experience with that. I cannot compare with other providers or vendors such as Veracode , Checkmarx, and others. All the tests are positive in my analysis.

Technically, we have better vulnerabilities detection in Checkmarx and Veracode . Both of them are more precise about vulnerabilities detection. Snyk is slightly less effective, but this is something they can improve on in the future.

We have been using the solution for one and a half years. Not much time.

We did not need support during the proof of concept.

The documentation is good. It is one of the reasons we did not need support. We could understand the implementation of the product and other features without the need for human interaction.

Positive

I made a proof of concept for a client with Checkmarx for about one month. I provided them a review about my experience. Now they are analyzing my results and considerations about other products too. I do not know if they already have a response about which product they will buy.

Snyk is less expensive.

It is simpler than other vendors. We have some difficulties with other license models. They are more complex and involve an acquisition of more products such as Synopsys and Checkmarx used a complex license model. Snyk has a license model simpler than most of the other vendors.

It was one of my three recommendations for my client. I am satisfied with the product. I rate Snyk 8.5 out of 10.

Hybrid Cloud

Other

The best feature of Snyk  is the integration with our ticketing system, which is Jira . That integration was one we were specifically looking for. The deep integration with our IDE  and repository is another valuable feature. In terms of deploying these features, it's seamless.

Snyk  should improve the scanning capabilities for other languages. For example, Veracode  is strong with different languages such as Java, C#, and others. However, Snyk performs better at mobile source code scanning compared to Veracode . If both capabilities were combined, that would be exceptional.

As we are moving toward GenAI, we expect Snyk to leverage AI features to improve code scanning findings. One key feature we are currently examining with Veracode is AIVSS (Artificial Intelligence VSS), which is an extension of CVSS to cover use cases or top 10 LLM findings during code scanning. Since this is relatively new, we expect upcoming features to cover AI scoring. We have AI projects currently deploying in our organization, and we want to cover not only normal CVSS but also receive an AI assessment score. Both Veracode and Snyk should implement this new scoring system for CVSS and AIVSS.

We are a customer of Snyk, not a partner.

We have contacted Snyk's technical support regarding several issues, and they have resolved them successfully.

Snyk's technical support deserves a rating of seven or eight out of ten. Their response time aligns with their SLA commitments.

Positive

My previous company continues to use Snyk.

The initial setup of Snyk was straightforward.

We discussed pricing with their account manager and secured a favorable deal. Initially, we planned to subscribe through AWS Marketplace  at standard rates. After negotiations, we received a special package with a good price point. We signed a two-year contract, and they provided special links for subscription. The payment structure operates on a monthly prepaid basis.

While Snyk may not be the absolute best option in the market, it offers the most seamless experience currently available. Based on their price point and features, it's both affordable and fair considering the license package offered.

During our implementation, we conducted a pilot test with Snyk for approximately two weeks during our UAT session. We spent an additional two to three weeks obtaining management approvals for production repository access. The testing was performed on development repositories before moving to production. While the actual implementation took about a week, the complete process duration was extended due to internal organizational approval processes.

I rate Snyk 8 out of 10.

Public Cloud

Amazon Web Services  (AWS )

I use Snyk  in the DevOps pipeline to identify vulnerabilities before deploying the application. It integrates with Jenkins .

Snyk  provides a lot of information on vulnerabilities, the packages being used, and their dependencies. It gives good insight into the security of those packages. Snyk helps detect vulnerabilities before code moves to production, allowing for integration with DevOps and providing a shift-left advantage by identifying and fixing bugs before deployment.

There are a lot of false positives that need to be identified and separated. The inclusion of AI to remove false positives would be beneficial. So far, I've not seen any AI features to enhance vulnerability detection or to address the issues I mentioned.

I've been working with Snyk for almost two years now.

Stability-wise, it is okay. I've not seen any issues with stability.

Scalability meets my needs. I would rate it nine out of ten.

I used another tool before Snyk but I'm not recalling its name. AppScan  was used in the very early days.

Setup is not a big problem. It's easy. If I had to rate it from one to ten, I'd say nine.

They should do their research and see if it definitely adds value to their DevOps pipeline. Overall, I rate the solution eight out of ten.

On-premises

I lead a code security practice for our organization. We integrated Snyk  into our GitHub , using CLI to automatically scan codebases and identify issues. We are a large organization with three independent entities, consolidating Snyk  across all entities. 

We also provide access through numerous CI/CD tools. Our default implementation mechanism is CLI, but we also use the Web UI for a comprehensive view and recommendations.

For large organizations like ours, cost is a major factor. Snyk is the most cost-effective solution compared to others like Checkmarx. 

We consolidated Snyk across three entities that used different tools. As a result, our organization became one of the largest in implementing Snyk.

The most important feature of Snyk is its cost-effectiveness compared to other solutions such as Checkmarx. It is easy to consolidate Snyk across multiple entities within a large organization. 

Additionally, our integration of Snyk into GitHub  allows us to automatically scan codebases and identify issues, which has improved efficiency.

Snyk has several limitations, including issues with Gradle, NPM , and Xcode, and trouble with AutoPR. It lacks the ability to select branches on its Web UI, forcing users to rely on CLI or CI/CD for that functionality. These limitations were documented in a book that I wrote.

We implemented Snyk starting last year, and it has been in use for around two and a half years.

Snyk allows for scaling across large organizations, accommodating tens of thousands of applications and over 60,000 repositories, making it suitable for wide-scale deployment.

Our organization maintains a good relationship with Snyk's customer support team. Despite potential variations in service quality for smaller organizations, our long-standing association has ensured smooth communication, resulting in favorable support experiences and satisfactory issue resolution.

Positive

Previously, we used Synopsys Coverity and later migrated to Checkmarx and Mend before Snyk. Synopsys Coverity was costly, prompting a switch. Snyk's affordability and consolidating capabilities across the entities led to its adoption.

The initial setup of Snyk is simple and straightforward compared to Synopsys Coverity, which is complex. Checkmarx falls in between, not too complicated or easy, but a reliable option. Snyk's ease of implementation makes it user-friendly.

We have different teams managing aspects like licensing and engagement with the support team. They facilitate setup and maintenance, optimally integrating Snyk into our GitHub and CI/CD processes.

Snyk is recognized as the cheapest option we have evaluated. In comparison to eight or nine other solutions, it ranks among the most affordable, providing cost-effective scalability across organizational units.

In my comparative evaluations, I considered tools like AppScan , Veracode , Checkmarx, Synopsys Coverity, and six to eight other alternatives.

Snyk is optimal for organizations starting or looking for an affordable, effective tool. Despite false positives, it combines SAST , SCA , containers, and IaS in one Web UI. On a scale of one to ten, I rate Snyk at six.

Hybrid Cloud

Other

The main tool today is used to check for security issues in our products. We use it to analyze all the projects, and our security efforts are based partly on this tool.

There are major impacts related to increasing security awareness and managing risks. Snyk  has been an essential tool in that aspect.

The valuable aspect is its security capabilities. The tool finds any major issue, and the code is blocked from being promoted to production until the issue is corrected.

I'm not responsible for the tool. As far as I know, there are no major concerns or features that we lack. We had some issues integrating into our pipeline, however, they were resolved.

We have used Snyk  for approximately one year.

There are no complaints from the security team. There seem to be no major issues of concern.

The security team is responsible for this tool. I don't have more details, however, there are no complaints, so I believe that's okay.

I don't know about the support or customer service details. It's another team's responsibility.

Positive

I don't have experience with other products similar to Snyk.

I wouldn't be able to say what the company's ROI is.

The pricing and setup are not my responsibilities, so I don't know any details.

I have not evaluated any other solutions.

Based on our experience and what I have heard internally, I would recommend Snyk.

I'd rate the solution nine out fo ten.