Sysdig and Snyk use runtime intelligence to eliminate vulnerability noise

By Daniella Pontes - FEBRUARY 16, 2022


One of the greatest challenges in cloud environments today is to sustain rapid development cycles while keeping up with security vulnerabilities. Sysdig and Snyk announced today a partnership to deliver integrated code-to-container runtime security that eliminates up to 95% of vulnerability alert noise, optimizes remediation, and protects runtime. Developers can move fast, with security barriers removed, without sacrificing security.

Vulnerability overload undermines security and productivity

The accelerating pace of cloud-native development is enabling faster innovation, but it is also leaving behind an increasing vulnerability backlog. Developers are overwhelmed with vulnerabilities without knowing their actual risk and where to focus remediation efforts. Just trying to make sense of the noise already takes precious time away from coding. Not to mention the frustration of dedicating time to vulnerabilities that don’t matter because they incur no real risk.

Security and operations teams monitoring runtime environments are also awash in vulnerability alert noise. Wasting resources on triaging vulnerabilities has a high price. It takes attention away from real threats.

The Sysdig 2022 Cloud-Native Security and Usage Report revealed that as much as 75% of containers with “high” or “critical” patchable vulnerabilities run in production. Vulnerability overload clearly makes remediation unmanageable, resulting in organizations having to deal with an uncomfortable average of about six months to remediate. This leaves a dangerously large window of exposure to vulnerabilities that can be actively exploited by threat actors.

Patchable vulnerabilities

Fixing all vulnerabilities is an unrealistic goal, yet giving up on timely remediation is a dangerous bet. Prioritization is required.

Filtering out the noise with runtime intelligence

Snyk is the leader in developer security. With Snyk Container, developers get security feedback throughout the development process guiding them to build containers on more secure base images. But vulnerabilities are practically endemic in today’s applications assembled with open-source and third-party packages. The result is environments with tens of thousands of vulnerabilities in packages included in containers.

However, containers are often bloated with contents and packages that are never used when the application runs. Trying to prioritize vulnerabilities without an upfront cut-off — one that separates what matters from what simply doesn’t — gives you what existing prioritization approaches deliver today. Noise in, noise out. That is why vulnerability overload pain is so prevalent, and that is where Sysdig Secure container runtime security intelligence comes into play.

Sysdig is driving the standard for cloud and container security. We pioneered cloud-native runtime threat detection and response by creating Falco, the open-source standard for continuous risk and threat detection across Kubernetes, containers, and cloud. Applying Sysdig’s runtime risk intelligence from containers in production, vulnerability noise can be reduced by as much as 95%. This much-needed noise elimination is achieved by focusing on vulnerabilities affecting packages that are actually used when the container is running. These are the ones to fix first because they are at real risk of being exploited.

Runtime packages identified by Sysdig

Integrated prioritization enables optimized remediation

As evidenced by the persistently large number of vulnerabilities found in production, previous prioritization approaches leave vulnerability reports polluted with noise. Without runtime context, developers end up overwhelmed by low-risk or irrelevant vulnerabilities, and may even waste resources fixing them. Worse, developers may miss critical vulnerabilities, leaving them unpatched, which can lead to breaches.

With Sysdig and Snyk integration, developers can focus. The runtime context pinpoints exploitable packages that are active in production applications. Because developers can now clearly see the few issues that cannot wait, they get more committed to remediating faster. Less guesswork and more done.

Snyk Container filtering running packages

Bridging the gap between development, security, and operations

We are very happy to partner with Snyk because a secure DevOps culture is fully embraced when it delivers a positive impact across teams. With our partnership, all teams get what they need to develop and run secure cloud-native apps while removing the barriers standing in the way of faster innovation.

The container security runtime integration is a good example of bridging gaps and delivering great value to developers, security, and operations. By providing container runtime visibility from production back to developers, vulnerability noise is eliminated and critical issues are fixed faster. With risk mitigated more efficiently, SecOps improves the organization’s risk exposure and can better focus on detecting early signs of threats. Plus, developers gain time back to code, advancing business goals.

From managing vulnerabilities to detecting and responding to real-time threats as well as monitoring and troubleshooting cloud-native environments, Sysdig and Snyk deliver the most comprehensive security to:

  • Secure containers from code to runtime: Integrate security into the container and Kubernetes lifecycle — from secure base images to vulnerabilities prioritization, to detecting real-time threats and new vulnerabilities at runtime.
  • Build secure from the start: Address vulnerabilities and remove unnecessary packages right in the build process based on what is really necessary for production.
  • Have runtime protection: Make sure that threat detection is in place to protect against attacks until new critical vulnerabilities and vulnerabilities targeted by zero-day exploits are remediated.
  • Unify prioritization: Get a unified view of risk, pairing runtime context with vulnerability checks, to prioritize alerts that matter. Developer and operations workloads become manageable when teams know what needs to be fixed now, versus in a week, and what is just simply noise that can be ignored.
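To make the prioritization logic in the list above concrete, here is an added example (not Sysdig's or Snyk's code, and not their API): a small prioritizer that joins a constructed image scan report with a constructed set of packages observed loaded at runtime, sorts the in-use vulnerabilities by severity and fixability into "fix now", "fix later" and "noise" buckets, and reports how much of the report the runtime filter eliminated. Vulnerability identifiers, package names and the runtime package set are all placeholders.

```python
"""Toy vulnerability prioritizer driven by runtime package usage (constructed example)."""
from dataclasses import dataclass

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Vuln:
    vuln_id: str      # placeholder identifier, not a real CVE
    package: str      # package name as it appears in the image scan
    severity: str     # critical / high / medium / low
    fixable: bool     # a patched version exists


def _rank(v):
    # Highest severity first, then package name for a stable order.
    return (-SEVERITY_RANK[v.severity], v.package)


def prioritize(vulns, runtime_packages, now_min_severity="high"):
    """Split scan findings into fix-now, fix-later and noise buckets.

    runtime_packages: set of package names seen loaded while the container
    ran (stands in for a runtime profiler's output; hypothetical input).
    """
    now, later, noise = [], [], []
    threshold = SEVERITY_RANK[now_min_severity]
    for v in vulns:
        if v.package not in runtime_packages:
            noise.append(v)          # shipped in the image, never used at runtime
        elif SEVERITY_RANK[v.severity] >= threshold and v.fixable:
            now.append(v)            # in use, severe, and a fix is available
        else:
            later.append(v)          # in use, but lower risk or no fix yet
    return {"now": sorted(now, key=_rank), "later": sorted(later, key=_rank), "noise": noise}


def noise_reduction_pct(buckets):
    """Share of findings the runtime filter removed from the developer's queue."""
    total = sum(len(b) for b in buckets.values())
    return round(100 * len(buckets["noise"]) / total, 1) if total else 0.0


# Constructed sample data: one scan report and one runtime-loaded package set.
SAMPLE_VULNS = [
    Vuln("VULN-0001", "openssl", "critical", True),
    Vuln("VULN-0002", "libxml2", "high", True),
    Vuln("VULN-0003", "openssl", "medium", True),
    Vuln("VULN-0004", "imagemagick", "critical", True),  # in image, never loaded
    Vuln("VULN-0005", "curl", "high", False),             # loaded, but no fix yet
    Vuln("VULN-0006", "perl", "low", True),
    Vuln("VULN-0007", "python3", "high", True),
]
SAMPLE_RUNTIME = {"openssl", "curl", "libxml2"}
```

Running `prioritize(SAMPLE_VULNS, SAMPLE_RUNTIME)` puts only the two in-use, fixable high/critical findings in the "now" bucket and drops three of the seven findings as noise; in a real pipeline the runtime set would come from the production profiler rather than a literal.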

Snyk and Sysdig are the first to bridge developer, security, and operations silos. When better security delivers increased productivity, it creates the perfect conditions for innovation, growth, cost savings, and customer satisfaction.

Check out the Snyk blog post on our shared vision to enable DevSecOps and the importance of this new integration.

Learn more about Sysdig and Snyk

Want to learn more and see our solutions in action? Request a demo or join us for one of our upcoming webinars.