
Snyk

Web Security for Developers


Snyk: So Now You Know

• Developer Oriented Web Security Tools
  • Application Security Monitoring & Prevention
  • Based on code instrumentation & machine learning
  • Product per threat: 3rd party, AppSec, privacy…
  • “New Relic for Security”
Developers Must & Will Own Security

• Coders outnumber security people by an estimated 50-100x
  • In many cases (esp. small companies) security teams do not exist at all
• Security tools/vendors are extremely developer-unfriendly
  • Compare any Dev/Ops tools company to a security tools company…
• Security tools operate outside the app
  • Whitelist policies are so hard to maintain that they are often unused or too open
  • Insight is based on the perimeter (e.g. HTTP, logs); app logic has to be reverse-engineered


Why Now

• The Problem Is Getting Worse
  • Dev velocity is increasing, making security audit “gates” not viable
  • Infra/host security is now owned by dev/ops, and is poorly handled
  • Unchecked third-party code & domains account for >90% of application
• Developers Are Ready to Take on Security
  • Increasingly writing operable software (via DevOps)
  • Security is increasingly discussed in dev forums
  • Increasingly empowered to drive decisions (“The New Kingmakers”)


Snyk: Developer Oriented Security Tools Company

• Modeled after dev-friendly companies
  • New Relic, GitHub, Heroku, PagerDuty, Travis CI, Fastly…
• Marketing → Dev relations & community participation
• Sales team → “Pull” model (self-serve try, use, buy)
• Security events → Developer events
• High entry price → Free & scaling prices
Third Party Code: A Massive Security Problem

• Most of the code in today’s web apps is 3rd party
  • Backend modules, front-end domains, underlying host software…
• Third-party code is vulnerable too, and often not tested
  • Only 41% of reported vulns in open source are fixed; MTTR (mean time to remediate) is 390 days
  • Inventorying modules is hard; auditing them is infeasible
• 3rd-party domains are loaded dynamically and never tracked
  • And may be vulnerable, or malicious (e.g. malvertisements)
Founders

• Guy Podjarny
  Cyber work in Israel @ IDF (8200); developed the first WAF (AppShield) @ Sanctum; created & led market-leading DAST & SAST tools (AppScan) as Chief Architect @ Watchfire (sold to IBM); founded web performance startup Blaze, sold to Akamai; CTO @ Akamai for 3 years; ~18 patents in security & performance; known speaker/blogger; startup investor/advisor.

• Danny Grander
  CTO & Security Research Manager at Gita (acquired by Verint), a government/military cyber vendor; lead dev at Collactive (social ranking startup) & Skybox (security tools startup); cyber work @ IDF (8200).

• Assaf Hefetz
  Led the innovation group at Supercom, a digital identity company, including the tech side of M&A activity; researcher & developer at Skycure, a mobile security company; 6 years of cyber work at the Israeli Prime Minister’s Office (PMO); completed his Computer Science degree at the age of 18.
Market Size

• Markets
  • Web Security: $2.5B, 5.7% CAGR
  • SaaS portion: $600M, 10.8% CAGR
  • App Vuln Assessment: $838M, 16.6% CAGR
  • Automated SW Quality: $1B, 14.9% CAGR
• Comparable Companies’ Valuations
  • APM: New Relic $1.6B, AppDynamics >$1B
  • WAF: Imperva $2.1B

Source: IDC, 2018 Predictions
