Trend Micro has announced a strategic technology partnership with open source security specialist Snyk, enabling Trend Micro to provide new open source vulnerability detection capabilities to DevOps environments, and granting Snyk access to Trend Micro's growing customer base.
Detecting open source vulnerability at source
Trend Micro believes the future of cloud application security is inextricably tied to DevOps. And DevOps teams, like most developers, use a lot of open source code.
According to Snyk, a UK-based startup that specializes in identifying and remediating open source vulnerabilities, open source code is employed in nearly all enterprises; it decreases development time, increases efficiency, and accelerates time-to-value in emerging development areas like containers and serverless architectures.
But it isn't necessarily secure. In its annual State of Open Source Security report, Snyk found an 88% increase in open source application vulnerabilities during the past two years, with four times as many vulnerabilities discovered last year in Linux distributions from Red Hat, Debian, and Ubuntu as in the year before.
In an effort to improve application security by preventing flawed open source code from causing application compromises, Trend Micro this week announced a new partnership with Snyk to integrate Snyk's vulnerability database, which covers code-reuse repositories and open source, within Trend Micro's vulnerability intelligence and Deep Security container code-scanning solution.
For application developers, the upshot is that if an open source vulnerability is detected during a code scan, there's no need to stop a build. Using Snyk's open source vulnerability database, Trend Micro will detect a vulnerability in the build pipeline and can shield against exploitation of the vulnerability when the container is deployed. Snyk provides the developer tools to enable remediation, so developers can easily fix open source vulnerabilities in their code.
The move builds on Trend Micro's long-term initiative to "shift left" with cloud application security, extending its leading position in post-deployment cloud workload security by adding features for pre-deployment security in the CI/CD pipeline. Last year it released Deep Security Smart Check, a malware- and vulnerability-scanning tool that examines in-registry container images, and followed up this year with additional pre-deployment capabilities such as image scanning, and additional runtime capabilities such as protecting Kubernetes and Docker platforms.
Snyk isn't as well known as Trend Micro, but is quickly earning a reputation as a leading provider of open source vulnerability and remediation tools. In September, Snyk landed a new $70 million influx of venture capital funding, coming on the heels of $22 million the year prior. It has more than 200 employees.
Eric Parizo, Senior Analyst, Infrastructure Solutions