Snyk Launches ASPM Platform to Secure Software Supply Chains
2023-12-13 05:12:44 Author: securityboulevard.com (view original) Views: 9


Snyk today added an application security posture management (ASPM) platform to its portfolio that promises to bridge the divide between cybersecurity teams and application developers.

Manoj Nair, chief product officer for Snyk, said Snyk AppRisk continuously discovers what applications have been deployed in a cloud computing environment, identifies and prioritizes vulnerability risks, ensures the right controls are in place and surfaces recommendations for fixing them. The relationships between all those elements are then visually presented using graph technology.

Snyk AppRisk combines a tool for analyzing metadata collected from application development and cybersecurity tools, which the company gained with its acquisition of Enso Security, with Insights, a tool that uses multiple types of artificial intelligence (AI) models to identify, prioritize and fix vulnerabilities.

The goal is to make it simpler for cybersecurity teams to identify the root cause of a cybersecurity issue and to give application developers the context they need to remediate it, said Nair. That is critical because application developers typically have only a limited amount of time to devote to remediating vulnerabilities, so cybersecurity teams need to ensure that effort is applied to the vulnerabilities that represent the greatest risk to the business, he added.

Rather than simply producing a list of vulnerabilities ranked by a theoretical severity score, cybersecurity teams can cut through the noise that today overwhelms application development teams, said Nair. Because Snyk already provides the tools developers rely on to scan their code for vulnerabilities, the findings surfaced by Snyk AppRisk will be presented as a natural extension of their existing software development lifecycle, he noted.
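To make the difference between a severity-ranked list and a risk-ranked one concrete, here is an added example that is not Snyk's code and does not reproduce AppRisk's scoring model. It attaches deployment context (internet exposure, production status, reachability of the vulnerable function, availability of a fix) to each scanner finding and re-orders them; the weights, CVE identifiers, package and service names are all constructed for illustration.

```python
"""Illustrative risk-based prioritisation of scanner findings.

Added example: not Snyk AppRisk's algorithm. It shows why a list sorted by
CVSS alone produces noise: a critical CVE in an unreachable dev-only
dependency outranks a medium CVE that is reachable from an internet-facing
production service. Weights and sample data are constructed, not real.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str                # hypothetical identifier in the samples below
    package: str
    cvss: float             # theoretical base severity, 0.0-10.0
    service: str            # deployed application the package belongs to
    internet_exposed: bool  # from asset / cloud discovery
    production: bool        # deployment environment
    reachable: bool         # vulnerable function on a call path from app code
    fix_available: bool     # a patched version exists


# Constructed sample findings (hypothetical CVEs, packages and services).
SAMPLE_FINDINGS = (
    Finding("CVE-0000-0001", "yaml-parser", 9.8, "ci-linter",
            internet_exposed=False, production=False, reachable=False, fix_available=True),
    Finding("CVE-0000-0002", "http-router", 6.5, "checkout-api",
            internet_exposed=True, production=True, reachable=True, fix_available=True),
    Finding("CVE-0000-0003", "image-codec", 8.1, "thumbnailer",
            internet_exposed=False, production=True, reachable=True, fix_available=False),
    Finding("CVE-0000-0004", "date-utils", 5.3, "reporting-batch",
            internet_exposed=False, production=True, reachable=False, fix_available=True),
)

# Illustrative weights chosen for this example, not a published model.
EXPOSURE_WEIGHT = 2.0        # reachable from the internet
PRODUCTION_WEIGHT = 1.5      # serving real traffic / real data
UNREACHABLE_DISCOUNT = 0.25  # vulnerable code never called by the app


def severity_rank(findings):
    """The 'theoretical severity' ordering: CVSS only, highest first."""
    return sorted(findings, key=lambda f: -f.cvss)


def risk_score(f: Finding) -> float:
    """Scale CVSS by deployment context so exposure and reachability matter."""
    score = f.cvss
    if f.internet_exposed:
        score *= EXPOSURE_WEIGHT
    if f.production:
        score *= PRODUCTION_WEIGHT
    if not f.reachable:
        score *= UNREACHABLE_DISCOUNT
    return round(score, 2)


def risk_rank(findings):
    """Context-aware ordering, highest business risk first."""
    return sorted(findings, key=lambda f: -risk_score(f))


def reasons(f: Finding):
    """Human-readable context a developer needs to act on a finding."""
    out = [f"CVSS {f.cvss} in {f.package} ({f.service})"]
    out.append("internet-exposed" if f.internet_exposed else "internal only")
    out.append("production" if f.production else "non-production")
    out.append("reachable from application code" if f.reachable else "not reachable")
    out.append("fix available" if f.fix_available else "no fix yet")
    return out


def split_queues(findings):
    """Developer queue (fixable, ranked by risk) vs items needing controls."""
    ranked = risk_rank(findings)
    fix_queue = [f for f in ranked if f.fix_available]
    controls_queue = [f for f in ranked if not f.fix_available]
    return fix_queue, controls_queue


if __name__ == "__main__":
    print("By CVSS:  ", [f.cve for f in severity_rank(SAMPLE_FINDINGS)])
    print("By risk:  ", [(f.cve, risk_score(f)) for f in risk_rank(SAMPLE_FINDINGS)])
    fix_q, ctl_q = split_queues(SAMPLE_FINDINGS)
    for f in fix_q:
        print("FIX ", f.cve, "|", "; ".join(reasons(f)))
    for f in ctl_q:
        print("CTRL", f.cve, "|", "; ".join(reasons(f)))
```

With the constructed data, the CVSS ordering puts the unreachable 9.8 in the CI linter first, while the risk ordering puts the 6.5 in the internet-facing checkout API first and sends the finding with no available fix to a separate list for compensating controls rather than into the developers' queue.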

In general, as cybersecurity teams assume more responsibility for application security, funding for platforms such as Snyk AppRisk will come from budgets they control, he noted. However, application development teams will clearly want some influence over which tools and platforms are selected, said Nair.

While there is more focus than ever on securing software supply chains, the amount of vulnerable code being created is growing as developers rely more on generative AI tools such as ChatGPT to write code for them. Some of that code may be better than what many developers would write, but ChatGPT is based on a general-purpose large language model (LLM) trained on code collected from across the web, much of which contained vulnerabilities that then find their way into the code the platform generates. Cybersecurity teams will need an ASPM platform based on AI models to identify vulnerabilities created by other AI models.

There is often not a lot of love lost between cybersecurity teams and application developers, who typically do not have much cybersecurity expertise. Most of the issues cybersecurity teams deal with start as mistakes made by developers, whom cybersecurity teams then need to convince to allocate time to fix them. Thanks to the rise of DevSecOps best practices, the overall security of software supply chains is improving, but as the recent Biden administration executive order made clear to all concerned, there is still a long way to go before application security truly improves.

Source: https://securityboulevard.com/2023/12/snyk-launches-aspm-platform-to-secure-software-supply-chains/