Enso Application Security Posture Management

We are a customer of Snyk , which is a SaaS solution. We are one of the tenants using Snyk  services but are not doing any enhancement development. We are purely a customer availing Snyk services.

We are also using a separate DAST tool, though I am not aware of the tool name as it is managed by a different team.

We utilize two main capabilities: application vulnerability detection and SCA  capabilities. The primary reason we use Snyk is for SAST , as we want to scan our applications for any security vulnerabilities and address them.

Snyk is finding all the issues we have. It suggests solutions for every vulnerability, and we are getting patches frequently. As someone from an enterprise, I want to share feedback that might help others. There are multiple teams involved in our organization. We have a separate cyber team that works with Snyk and keeps on updating, though I am not fully aware of all the details in that area.

I have not explored from that perspective. Being from an application perspective, I cannot say anything that needs real improvement. I have not explored from that angle. Till now, we did not face any scaling issues and I did not hear of any. I would rate this at 9 because I always keep one number in reserve, as there is always scope for improvement for any tool.

We have been using Snyk for more than a year.

Till now, we did not face any scaling issues and I did not hear of any. I would rate this at 9 because I always keep one number in reserve, as there is always scope for improvement for any tool.

We do not raise issues directly with Snyk. We have a common team that liaises with Snyk. Whenever we have issues, we raise them with the cybersecurity team within our company who supports Snyk, and they in turn interact with Snyk.

Earlier, I used Checkmarx, which is another SAST  tool. By default, any company and any SAST tool like Checkmarx or Snyk provides a plugin.

Snyk is integrated. I have not used it directly, though I may have used it indirectly.

I am from an enterprise and want to share feedback that might help others. There are multiple teams involved in our organization. I am from the application team, so I know the vulnerabilities and how to fix them. However, there is a platform team that takes care of giving permission for Snyk and access levels, which I am not fully aware of. At a high level, we have a Snyk admin team in our company that gives permissions, though I do not know all the details of what they do. I cannot share feedback on the admin area, but I can share that vulnerability-wise, I am happy with what Snyk provides and the solutions it gives.

When Snyk identifies issues, our pull request process will not allow us to merge them in the first place. Snyk helps us by blocking critical issues and vulnerabilities. If someone bypassed the pull request check, we have another check in place before production release where we validate everything and block the code if it violates our standards. Based on Snyk categorization, we block issues from our end while raising a pull request and also before releasing to production.

We need Snyk because we are in the banking industry with thousands of applications. Every day, we deploy code to production, releasing almost every day except weekends, though we sometimes release on weekends for very large deployments. Anything that goes to production should not have any security vulnerabilities. Being in the banking industry and having applications used by end customers, we are dealing with end customer data. No one should steal data in any format, and with authentication, one user cannot see another user's data. Snyk is paramount and extremely important for us. Every application that goes into production must pass Snyk vulnerability scanning before it can be deployed. If you ask whether it is important, it is absolutely critical. I would rate it 10 out of 10.

Internally, whenever a Snyk scan runs, we have created GitHub Actions . Our target state is GitHub Actions  everywhere. When we run the GitHub Actions, it will connect to the latest Snyk scanning through API and automatically gets all open issues, then creates a GitHub  issue. First, our internal tool pulls out all Snyk security issues through the API and creates GitHub  issues. We manually open a GitHub issue and give a command prompt to our AI agent. That prompt internally might work with Snyk autofix capability and gets the fixes correctly and creates a pull request. We review and check in the pull request, which is reviewed by experienced team members. This is the process we follow: create an issue based on a Snyk scan and for every issue, run a prompt so that it creates a pull request automatically with the fixes.

We do use Snyk documentation. We internally do not have many resources because we do not want to duplicate. Snyk guide is purely open and not logged in, so we use it.

Snyk documentation is extremely useful. Vulnerability-wise, I do not go to Snyk documentation frequently because in the current world, with my 25 plus years of experience, I used to fix many things manually before these tools existed. I need to know the intricacies of how to fix code. If you take 10 years back, there were tools and libraries which you could integrate with one or two lines, which solved the problem. With the current AI world, I do not even need that. If I get some issues, I do not even need to go to the Snyk website and read how to fix. I have an AI tool that can fix it if I ask it to. From an engineer's perspective, I still read the documentation. As a person who came from the manual world 25 years back, I still read the fix documentation. The documentation is very good, and being a general one, I understand the SAST world, so I did not find much problem with the documentation.

We are using Snyk, which is a SAST tool. There is a team in our organization who developed some AI agent on top of Snyk capabilities. I do not know exactly how they integrated Snyk, but our organization provides an AI agent which, if we run, automatically fixes issues and raises a pull request. In that case, we are indirectly using Snyk.

My overall rating for Snyk is 10 out of 10.

I typically use Snyk  for checking the security and vulnerabilities in my repositories.

Recently, I have used Snyk  in one of my repositories for security and vulnerability checks, providing comprehensive knowledge about the repository, including what it does and where the security vulnerabilities are located.

I am using Snyk for the first time and did not use any vulnerability scanning solution before this. I was previously doing Red Hat vulnerability scanning locally for dependency checks, which was not what I wanted.

Snyk's main features include open-source vulnerability scanning, code security, container security, infrastructure as code security, risk-based prioritization, development-first integration, continuous monitoring and alerting, automation, and remediation. The best features I appreciate are the vulnerability checking, vulnerability scanning, and code security capabilities, as Snyk scans all open-source dependencies for known vulnerabilities and helps with license compliance for open-source components.

Snyk integrates into IDEs, allowing issues to be caught as they appear in the code dynamically and prioritizes risk while providing remediation advice.

Snyk provides actionable remediation advice on where vulnerabilities can exist and where code security is compromised, automatically scanning everything and providing timely alerts.

Snyk has positively impacted my organization by improving the security posture across all software repositories, resulting in fewer critical vulnerabilities, more confidence in overall product security, and faster security compliance for project clients.

Snyk has helped reduce vulnerabilities significantly. Initially, the repository had 17 to 31 critical and high vulnerabilities, but Snyk has helped manage them down to just five vulnerabilities, which are now lower and not high or critical.

Although Snyk is strong, sometimes it flags vulnerabilities that are not reachable, not exploitable, and not relevant to a project. Better reachability analysis and context-aware scanning could improve this.

Snyk could benefit from a more optimized scanning engine and incremental scan caching.

I have been using Snyk for the previous one year.

I have no issues with Snyk's reliability; it is stable.

Snyk is very scalable and can handle my organization's growth and changing needs, allowing us to scale up to many stages and reduce developer costs, especially when we have fewer developers.

I never reached out to customer support because I never encountered any issues.

I considered SonarQube  in detail before choosing Snyk.

My experience with pricing, setup cost, and licensing is good, as the overall setup experience is smooth with easy onboarding for connection with GitHub  and GitLab . I primarily use it with GitHub , requiring just a few clicks to set up Snyk.

I can see that Snyk saves the costs of hiring security developers for vulnerability scanning and security checks, as that responsibility is now managed by Snyk.

Pricing is good for small teams, with a free tier or low-usage pricing available, and the licensing experience is straightforward but not very flexible.

My advice for others looking into using Snyk is that if you are starting a repository that is free from vulnerabilities and security checks, Snyk is a good option. It automatically provides advice on how to improve for reducing vulnerabilities and security issues, allowing for easy removal of vulnerabilities. You can use it for a free trial, and if it impacts your organization positively, you can consider further usage.

Snyk is a very good product for vulnerability code scanning and can be used effectively. I would rate this product a nine point five out of ten.

The most recent client had experience with other products that did not have some features Snyk  provides, such as Fortify in the old version before OpenText  acquisition. They gave feedback about the precision in discovering vulnerabilities. They found that Snyk  can provide more insights about vulnerabilities than older applications in SAST  and SCA .

We have integration with GitHub Actions  to analyze the code and we use a double check in the pipeline. Our strategy is about shift left. The developers connect with Snyk, Git , and use this with the pipeline.

They evolved their maturity because they could find the vulnerabilities before the pipeline runs. They can find and correct these vulnerabilities in a step before the pushes and PRs to GitHub . They think it is a very positive feature.

I appreciate the UI. It is simple, fast, and I value the precision in the tests. The responses are positive.

Regarding the vulnerability database and AI, we have good experience with that. I cannot compare with other providers or vendors such as Veracode , Checkmarx, and others. All the tests are positive in my analysis.

Technically, we have better vulnerabilities detection in Checkmarx and Veracode . Both of them are more precise about vulnerabilities detection. Snyk is slightly less effective, but this is something they can improve on in the future.

We have been using the solution for one and a half years. Not much time.

We did not need support during the proof of concept.

The documentation is good. It is one of the reasons we did not need support. We could understand the implementation of the product and other features without the need for human interaction.

I made a proof of concept for a client with Checkmarx for about one month. I provided them a review about my experience. Now they are analyzing my results and considerations about other products too. I do not know if they already have a response about which product they will buy.

Snyk is less expensive.

It is simpler than other vendors. We have some difficulties with other license models. They are more complex and involve an acquisition of more products such as Synopsys and Checkmarx used a complex license model. Snyk has a license model simpler than most of the other vendors.

It was one of my three recommendations for my client. I am satisfied with the product. I rate Snyk 8.5 out of 10.

I use Snyk  in the DevOps pipeline to identify vulnerabilities before deploying the application. It integrates with Jenkins .

Snyk  provides a lot of information on vulnerabilities, the packages being used, and their dependencies. It gives good insight into the security of those packages. Snyk helps detect vulnerabilities before code moves to production, allowing for integration with DevOps and providing a shift-left advantage by identifying and fixing bugs before deployment.

There are a lot of false positives that need to be identified and separated. The inclusion of AI to remove false positives would be beneficial. So far, I've not seen any AI features to enhance vulnerability detection or to address the issues I mentioned.

I've been working with Snyk for almost two years now.

Stability-wise, it is okay. I've not seen any issues with stability.

Scalability meets my needs. I would rate it nine out of ten.

I used another tool before Snyk but I'm not recalling its name. AppScan  was used in the very early days.

Setup is not a big problem. It's easy. If I had to rate it from one to ten, I'd say nine.

They should do their research and see if it definitely adds value to their DevOps pipeline. Overall, I rate the solution eight out of ten.