Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer or any other entities with which I am affiliated.
I’m continuing my series on how certain security companies fail. I’ve mostly talked about public companies, such as Crowdstrike, Zscaler, Okta, etc., but I haven’t talked much about startups, partially because startups are more likely to fail. Therefore, the arguments might be obvious or plain boring, e.g. the company struggles to scale, or some other generic argument that leads to most startup failures.
Given the recent startup shakeups and “bubble,” there are mature startups that have stood out from the noise. Most notably, they were startups that had commanding positions in their spaces and managed to continue to grow despite macroeconomic conditions. One of those companies is Snyk, which is in the application security space. They have dominated in recent years, truly one of the more developer-focused tools, shifting alerts and remediation closer to development, where issues are cheaper and easier to fix. The key is that they made application security part of the development process, especially with the rise of agile and more frequent deployments, rather than an afterthought or a checkbox.
Honestly, it’s hard to imagine what would happen to security if Snyk were to fail. That’s why I believe this is an interesting intellectual exercise. For disclosure, I’m a huge fan of Snyk. I use it in my current role, and I’ve used it in my previous role. I’ve even evaluated other products, but Snyk has always made its way into my stack. I’ll explain more later. With that said, I believe Snyk will do well, but with all startups, failure is always possible.
What is Snyk?
Snyk is an application security product meant to help developers fix security issues more quickly. It runs in your CI/CD so that it can detect issues before they reach production.
Their first and core product is the software composition analysis (SCA) tool, which is key for compliance. An SCA tool helps detect vulnerabilities in dependencies and issues with open-source licenses. A key innovation is that they are able to run these scans quickly, whereas more “legacy” products took much longer; they also have their own in-house research team that provides more context, making alerts easier to prioritize and subsequently fix.
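To make concrete what an SCA check in a CI/CD job actually does, here is an added example (not Snyk’s code or any tool from the original post): it parses a pinned requirements.txt, matches each pin against a small advisory list with affected version ranges, flags packages whose license is disallowed by policy, notes dependencies that are not pinned (and therefore cannot be audited), and returns a non-zero exit code so the pipeline fails before the build reaches production. The advisory identifiers, license table and sample manifest are all constructed for the example; a real SCA tool pulls them from a maintained vulnerability database and from package metadata.

```python
"""Minimal software composition analysis (SCA) gate for a CI job (illustrative)."""
from dataclasses import dataclass
import re
import sys

# Constructed advisory data (not real advisories): package -> list of
# (affected_min_inclusive, affected_max_exclusive, severity, advisory_id).
ADVISORIES = {
    "requests": [("0.0.0", "2.31.0", "high", "EXAMPLE-ADV-0001")],
    "pyyaml": [("0.0.0", "5.4.0", "critical", "EXAMPLE-ADV-0002")],
}
# Constructed license table and policy; a real tool reads package metadata.
LICENSES = {"requests": "Apache-2.0", "pyyaml": "MIT", "somegpl": "GPL-3.0-only"}
DISALLOWED_LICENSES = {"GPL-3.0-only", "AGPL-3.0-only"}

PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9.]*)\s*$")
NAME_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)")


@dataclass(frozen=True)
class Finding:
    package: str
    version: str   # "" when the dependency is not pinned
    kind: str      # "vulnerability", "license" or "unpinned"
    severity: str
    detail: str


def parse_version(v: str) -> tuple:
    """Turn '2.25.1' into (2, 25, 1) so versions compare numerically."""
    return tuple(int(p) for p in v.strip(".").split("."))


def in_range(version: str, lo: str, hi: str) -> bool:
    """True when lo <= version < hi (hi is the first fixed version)."""
    return parse_version(lo) <= parse_version(version) < parse_version(hi)


def parse_requirements(text: str):
    """Return (pinned, unpinned): exact pins as (name, version), other specs by name."""
    pinned, unpinned = [], []
    for line in text.splitlines():
        stripped = line.split("#", 1)[0].strip()   # drop comments
        if not stripped or stripped.startswith("-"):   # blank lines, pip options
            continue
        m = PIN_RE.match(stripped)
        if m:
            pinned.append((m.group(1).lower(), m.group(2)))
        else:
            n = NAME_RE.match(stripped)
            if n:
                unpinned.append(n.group(1).lower())
    return pinned, unpinned


def scan(text: str) -> list:
    """Run vulnerability, license and pinning checks over a requirements file."""
    pinned, unpinned = parse_requirements(text)
    findings = []
    for name, version in pinned:
        for lo, hi, severity, adv_id in ADVISORIES.get(name, []):
            if in_range(version, lo, hi):
                findings.append(Finding(name, version, "vulnerability", severity,
                                        f"{adv_id}: affected < {hi}; upgrade to {hi} or later"))
        lic = LICENSES.get(name)
        if lic in DISALLOWED_LICENSES:
            findings.append(Finding(name, version, "license", "high",
                                    f"license {lic} is disallowed by policy"))
    for name in unpinned:
        findings.append(Finding(name, "", "unpinned", "low",
                                "version not pinned; resolved version cannot be audited"))
    return findings


def ci_exit_code(findings, fail_on=("critical", "high")) -> int:
    """Non-zero when any finding reaches the configured severity threshold."""
    return 1 if any(f.severity in fail_on for f in findings) else 0


# Constructed sample manifest: one vulnerable pin, one fixed pin, one bad license, one unpinned.
SAMPLE_REQUIREMENTS = """\
requests==2.25.1
pyyaml==6.0
somegpl==1.0
flask>=2.0
"""

if __name__ == "__main__":
    results = scan(SAMPLE_REQUIREMENTS)
    for f in results:
        print(f"[{f.severity}] {f.kind} {f.package} {f.version}: {f.detail}".rstrip())
    sys.exit(ci_exit_code(results))
```

The shape matters more than the data: matching a resolved version against an affected range with a known fix version is what turns an alert into an actionable remediation, and returning a non-zero exit code is what lets the check block a merge or deploy instead of producing a report nobody reads.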
Subscribe to Frankly Speaking to keep reading this post and get 7 days of free access to the full post archives.