
Reviews from AWS customer

4 AWS reviews

External reviews

138 reviews

External reviews are not included in the AWS star rating for the product.


    Eryk Lawyd

A cost-effective solution that makes scanning your repositories a cinch

  • July 05, 2023
  • Review from a verified AWS customer

What is our primary use case?

We use some legacy and some new languages as we are aiming for serverless solutions. We're using serverless as is and with Python. We import it to Snyk to do SAST scanning for every one of our repositories on the Bitbucket pipeline. At least 350 repositories, including libraries and some automation such as robots or scripts. We have a huge background in using this tool.

How has it helped my organization?

We have seen an improvement this month. My security team told me, "We need to break your pipeline if the tools present critical and high-end security issues on the code, so this code cannot go to a staging or homologation environment." I then made improvements to the tools, which were not cheap. But it's a standard feature and a customer need, so I do this, then we apply. Using Snyk, we get the results and the reports and deploy the applications with high-end critical issues of security such as DoS or Cross-Site scripting, any kind of present, on the Snyk IO solution.

What is most valuable?

I find SCA to be valuable. It can read your libraries, your license and bring the best way to resolve your problem in the best scenario. Snyk was built for SCA initially, so it's the main goal of the solution so far. But SCA only loses the battle with Black Duck from Synopsys.

What needs improvement?

They need to improve the Snyk plugins and make it easier to make your optimizations based on your own needs or features. It's very basic right now. For example, you need to make many workarounds to get reports from the REST API. Improving how the plugin works is the best way to get any partnership with most tools. This way, Snyk could, for example, integrate with the Atlassian Bitbucket pipeline. If the plugins could be improved, I could integrate plugins in a few seconds instead of making many workarounds using the REST API.

For how long have I used the solution?

We have been using Snyk for two years in a row now. It scans all of our applications on the site. It's mandatory for all of our applications to be scanned on this tool.

What do I think about the stability of the solution?

I have never faced downtime for maintenance or any kind of trouble in the two years I've used the tool. I rate the stability a 9.5 out of ten because we sometimes face delays.

What do I think about the scalability of the solution?

I rate Snyk's scalability a ten out of ten. Snyk is a huge platform. You don't have limits on the number of repositories you can import. You only have a limitation on the number of scans, but that depends on your license. We have 50 users using Snyk in my company. Snyk's usage in the bank I work for has been elastic. Last year we had 75 users, but we needed to fire a few while others left for other jobs. If we start to grow again, I will ask for a bigger license, and we can work with a huge pool. My target is to work with 100 licenses.

How are customer service and support?

I contact customer support at least once a month, not because we are facing issues, but to give technical reports as a customer. When we bought the solution, we asked the sales team about the technical support provided to engineers. Snyk has a monthly feedback meeting to see if the tool works well and if you have any issues or needs. Every month I have at least one call with my account manager and the solution engineer to discuss the solution. I can speak directly to the engineer if I've found some improvement. He takes notes and then proceeds internally. If I face some bugs, I can send a mail, and they'll always respond within two days because of the time zone, and always with a link or a descriptive solution for the issue or bug I'm facing. Snyk customer support is one of the best I have contacted.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

Apart from Snyk, I have used Veracode. We switched because we faced a bug on Veracode using Atlassian Jira. I tried to figure it out with the support for at least four months in a row, and they didn't find it. I did my own tests and found that Veracode doesn't support the Brazilian keyboard, and my keyboard is entirely Brazilian-encoded. We have some special characters in our vocabulary that Veracode can't read, which breaks the platform plugin. I needed to make a workaround to upload my tickets. I tried asking them to improve and apply the solution to our language, but they said they didn't have a roadmap and suggested I work in English. I didn't want to take the risk of rewriting Jira in English just because of one tool, so I looked for other solutions on the market at the time. Snyk was listed as a visionary in Gartner, so we contacted them, and they made an offer, and we were given the enterprise edition for free for three months. We decided to make a POC using the enterprise solution for three months.

In the end, Snyk brought more results and connectivity with Jira and Atlassian for a lot cheaper.

How was the initial setup?

I brought Snyk into the bank I work with. I held the technical interview, made a POC, and the initial commits and imports on the tool.

The initial setup's difficulty depends on whether you use it on CI/CD, but I rate it eight out of ten. The initial setup is not very hard, especially if you use the Snyk IO on the cloud platform. It is just point-and-click. If you are using it on your customizations, on your CI/CD, the rating drops to six out of ten because you need to understand very well what you need on your CI/CD staging to apply Snyk as the correct tool for that demand.

It took at least about 30 seconds to deploy Snyk on the platform. The authorization to break the pipeline takes at least 15 seconds.

The steps taken for deploying Snyk differ for each kind of solution and application we have here, but they follow the same recipe. First, we perform a SAST scan to look for a hardcoded password or access key, then perform a unit test to see if the solution passes, and then install. We check to see, "Oh, you have these kinds of issues." We might have high, critical, lower, or information issues. After that, we deploy the solution on the deployment environment, then repeat the same steps in the staging environment. After this, we make the build for the production site or environment.

What about the implementation team?

I handled Snyk's deployment by myself.

What was our ROI?

I have seen a 70% ROI from Snyk. The other 15% is my company's fault. If you don't have your development team engaged to reduce all kinds of issues to zero, you are wasting some of your money. In the past, some squads didn't use the platform at all even though they had access, which is a waste of money because we could use the free solution instead. Some other squads engaged with calls trying to bring the number of issues down to zero. They worked so hard on the platform and got so deep into the documentation that they brought huge results.

For example, some of our projects had 25 critical and 100 high-level issues. My development team brought it down to 0 criticals and reduced 75% of the high-level issues by only using the tools on Snyk without asking me any questions, only looking at the platform and reading the solution on their own to find out what could be done to fix the problem.

I saw an ROI for some of my squads. For others, I only saw 20%. Seeing an ROI depends on the scenario in your company.

What's my experience with pricing, setup cost, and licensing?

For what Snyk offers, it has the best cost-benefit I have ever seen because you're buying the license per user. With most similar tools on the market, you buy the application and pay for each application, so you have a limited number of projects you can put inside it. For example, if you have ten applications in your company, you need to buy one application to get these ten projects inside this application. Your application then becomes your organization, and your applications in your organization become your project. It's different on Snyk, where you buy the application for computers.

Every three months, Snyk runs a script on your organization and checks each of your computers and providers of code. They check activity for three months for each license. In my bank, for example, I have 50 licenses. But if one person goes off or is fired, their support is freed up to be used by someone else. The permit is bought per user rather than application, and it's not limited to the number of projects you can import. For example, in the beginning, I made some mistakes, and I imported my entire Bitbucket three times, so my whole Bitbucket has at least 715 projects, but I still wasn't charged for it. I only had to remove each one manually.

You don't have a limitation on repositories to be scanned. You are limited to how much scanning you do based on the plan you're working with. With the free plan, you have 300 scans. With the business plan, you have 1,000 scans, and the enterprise plan is unlimited. You need to understand how much you will use the tool to ensure you buy the correct Snyk license. I rate Snyk's pricing eight out of ten because it is a bit high.

What other advice do I have?

You can use Snyk to develop tech IT, and you can use it anywhere from small sectors and large sectors. For example, if you have IOPS, you can use this as IaC in infrastructure to read files.

Snyk is the best place to start for a SaaS solution because it's cheaper. It's a good start for small FinTech companies that don't have a large budget. It's one of the best places to start for this kind of security scanning application. After a few months, Snyk was bought by Atlassian. Atlassian creates a lot of plugins to, for example, create a pull request for Bitbucket pipelines or Bitbucket cloud to create Jira tickets integrated with Snyk IO. In the last year, they changed the way they connect. We no longer have to use an application password because it's native for the Bitbucket cloud to use a plugin in Atlassian's marketplace. They made a huge improvement in a year and a half. This year I compared Snyk to Veracode and saw that it has huge tools, but it doesn't fit my requirements right now, so I continue using Snyk IO.

The main difference between Snyk and Veracode is the UI. Snyk IO is far more user-friendly and easier to manage your issues, and the SCA solution is much better than Veracode's.

I rate Snyk an eight out of ten.

Which deployment model are you using for this solution?

Private Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
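As an added illustration (not the reviewer's own configuration and not Snyk project code), here is a minimal Bitbucket Pipelines file that implements the gate the review describes: a Snyk Code (SAST) scan and a dependency (SCA) scan that fail the pipeline on high or critical findings before unit tests and the staging deployment run. The build image, step names, `deploy.sh` script and the `SNYK_TOKEN` secured repository variable are assumptions.

```yaml
# bitbucket-pipelines.yml (added example; image, step names and deploy script are assumptions)
image: node:18   # assumed build image; use the runtime your repository actually needs

definitions:
  steps:
    - step: &snyk-gate
        name: Snyk security gate
        script:
          # SCA needs the resolved dependency tree, so install first
          - npm ci
          - npm install -g snyk
          # SNYK_TOKEN is read from a secured repository variable (assumed to be set)
          - export SNYK_TOKEN="$SNYK_TOKEN"
          # SAST on first-party code: non-zero exit on high/critical findings breaks the pipeline
          - snyk code test --severity-threshold=high
          # SCA on dependencies: same threshold, so low/medium issues are reported but do not block
          - snyk test --severity-threshold=high
          # Upload a snapshot for ongoing monitoring in the Snyk UI without affecting the gate
          - snyk monitor || true

pipelines:
  default:
    - step: *snyk-gate
    - step:
        name: Unit tests
        script:
          - npm test
  branches:
    main:
      - step: *snyk-gate
      - step:
          name: Unit tests
          script:
            - npm test
      - step:
          name: Deploy to staging
          deployment: staging
          script:
            - ./deploy.sh staging   # assumed deployment script
```

Because `snyk test` and `snyk code test` exit non-zero when findings at or above the threshold exist, the pipeline stops before the test and deploy steps, which is the "break the pipeline" behaviour the review asks for.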


    MRIDUL N.

Secure projects

  • July 04, 2023
  • Review provided by G2

What do you like best about the product?
I like the automatic weekly report generator that keeps me updated with the new vulnerabilities detected in my projects.
What do you dislike about the product?
The filename is limited to about 255 characters, consuming a lot of time to rename files temporarily.
What problems is the product solving and how is that benefiting you?
I use it to scan vulnerabilities in my code to make my apps secure and remove threats as they appear.


    Bill S.

Great product, easy to use

  • May 29, 2023
  • Review provided by G2

What do you like best about the product?
Effective at mitigating cybersecurity risk
What do you dislike about the product?
Could provide more robust SAST capabilities
What problems is the product solving and how is that benefiting you?
Identifying and visualizing cybersecurity vulnerabilities


    Oil & Energy

Snyk - Great idea, poor implementation

  • May 24, 2023
  • Review provided by G2

What do you like best about the product?
The holistic nature of a developer security suite from IDE to app monitoring is a great idea.
What do you dislike about the product?
Our Developers loathe it. Many false positives on the code scanning, the tool UI is clunky and slow and the post-sales support is truly awful. There are very few support folks at Snyk that actually seem to have any software development experience or the empathy to understand how development teams would use their tool.
What problems is the product solving and how is that benefiting you?
The OSS/SBOM is pretty good.


    RumyTaulu

It's good for identifying security errors, but we have problems integrating it with our CI/CD solution

  • May 23, 2023
  • Review provided by PeerSpot

What is our primary use case?

I use Snyk to review my code.

What is most valuable?

Snyk helps me pinpoint security errors in my code.

What needs improvement?

Sometimes we have problems upgrading a library because it's too old. The only thing we can do is use another library.

What do I think about the scalability of the solution?

It is easy to scale Snyk once you install it, but it depends on your cloud service provider. Everything will scale smoothly if you have the correct cloud server settings.

How are customer service and support?

I rate Snyk support eight out of 10.

How would you rate customer service and support?

Positive

How was the initial setup?

Setting up Snyk is relatively complex if you're working with multiple developers who use different IDEs. It can be complicated if, for example, one developer uses Visual Studio and another developer uses a different editor.

Snyk is cloud-based. We use Bamboo for CI/CD, and we had problems integrating Snyk with it. Ultimately, we got the two solutions to work together, but it was difficult.

What's my experience with pricing, setup cost, and licensing?

I rate Snyk three out of 10 for affordability. The price is relatively high, but it's worth it.

What other advice do I have?

I rate Snyk seven out of 10.


    Akash P.

Benefits of Integrating Synk

  • March 15, 2023
  • Review provided by G2

What do you like best about the product?
Quickly Identifies the vulnerabilities and classifies them. It identifies the issues as you write the code, which increases security and code quality. The best part is you can get started using it for free.
What do you dislike about the product?
In the free plan, they can increase some resource quota. Also, it would be more helpful if they provided more information on documentation regarding how Synk works in the backend when integrated.
What problems is the product solving and how is that benefiting you?
Firstly, it finds vulnerabilities in code, which by default increases the security, and secondly, it identifies issues while writing the code, which improves code quality. Apart from this, I integrated it into the CI/CD pipeline, which allowed me to merge code only if there were no critical issues. These were some of the things that were very beneficial for me.


    Krishnaveni P.

The tool which helps for DevSecOps

  • March 11, 2023
  • Review provided by G2

What do you like best about the product?
It ensures our application security at every stage of our application development. It helps to find and fix vulnerabilities in our code. When you install Snyk in an IDE like Visual Studio Code, the vulnerabilities get detected at an earlier stage.
With Snyk CLI commands, a Snyk scan can also be integrated into the CI/CD pipeline with basic knowledge of Snyk.
What do you dislike about the product?
The Snyk reported-vulnerabilities scan takes more time. It is not free; we have to pay.
What problems is the product solving and how is that benefiting you?
It scans for vulnerabilities in our product. It helps to safeguard our product against attacks by hackers. Developers do not need to research the security of a new library they integrate into their project, as that is taken care of by Snyk. Developers can focus on their priorities when the Snyk tool is integrated into their IDE.


    Prakash C.

Good for finding Vulnerabilities.

  • March 10, 2023
  • Review provided by G2

What do you like best about the product?
It's a good tool to check vulnerabilities in a project, and it also shows vulnerabilities category-wise (critical, high, medium and low), by which we can decide which to fix first and which are important. It also provides suggestions of versions in which the respective vulnerabilities have been fixed. It also provides plugins for almost every IDE, and the Snyk CLI is also good: running snyk test in the CLI gives details of the vulnerabilities in the project.
What do you dislike about the product?
In Node.js or React it only checks the yarn.lock file, meaning we first have to install all dependencies and only then will it check for all vulnerabilities. They need to work on the code quality suggestion part.
What problems is the product solving and how is that benefiting you?
With this tool we are able to fix vulnerabilities in the project, which helps to secure our product and the customer data. Code quality is also improved by using this tool.


    Gavin C.

AI ML

  • March 08, 2023
  • Review provided by G2

What do you like best about the product?
Checks security very quickly, really really fast.
What do you dislike about the product?
It gives me too many error messages; I need quick answers.
What problems is the product solving and how is that benefiting you?
Container security.


    Aleksandr K.

Decent product for compliance requirements, not so good for efficient AppSec program

  • February 24, 2023
  • Review provided by G2

What do you like best about the product?
The best thing there is the ability to plug it in and play with it almost instantly. Integrations are straightforward to manage; Snyk provides you with all the stats you need for your SOC2.
What do you dislike about the product?
The Snyk core engine is not very good when it comes to scanning mono repositories. When you have a repo that has multiple languages combined, scan times can be over 1 hour.
What problems is the product solving and how is that benefiting you?
The biggest problem we had back when we first integrated Snyk was to have some visibility into our code, libraries, and IaC configs. Implementing it was beneficial as we saw a clear breakdown of vulnerabilities.