Automated Developer-First Security: Our Partnership with Snyk

Today’s developers move at increasingly rapid speed – making it more critical than ever to identify and resolve code vulnerabilities early in the software development lifecycle.  By tackling security early – instead of waiting until testing and deployment – engineering teams can reduce unnecessary patching and maintenance cycles, reduce risks, and ensure timely delivery of new features.

Many of our customers rely on Snyk’s developer first security to keep their applications, dependencies and infrastructure-as-code free from vulnerabilities.  Snyk’s integration into the tools developers use to write and deliver code ensures security issues are caught and remediated as early as possible.  

We’re excited to announce our partnership with Snyk as a member of their TAPP initiatives. As a Snyk TAPP member, we are able to build, integrate, and go-to-market as quickly as possible with new solutions that address the most pressing security challenges we face with modern application development and technologies.  

Torq’s no-code automation extends the power of Snyk to any combination of security and collaboration tools in the enterprise.  Developer and security teams alike benefit from automated Torq workflows that can be deployed in a few clicks from our hundreds of templates, or created with a drag and drop workflow builder.  These workflows help ensure that Snyk’s findings are triaged, assigned and remediated – no matter the speed  or scale of application delivery. 

Orchestrate Application Security at Speed and Scale

When Snyk detects new vulnerabilities, tracking this in a ticketing system like Jira is critical to ensuring teams have the knowledge and visibility to remediate the issues.  But it’s easy for tickets to become overwhelming, especially at the pace of modern engineering and DevOps teams. Without effective prioritization and escalation – it’s difficult to know what to fix first – leaving your applications at risk.

Connecting Snyk and Torq will solve this problem, by orchestrating ongoing triage, prioritization, and escalation workflows. This will keep ticket owners up-to-date on the latest critical and high severity issues Snyk will detect and escalate unresolved tickets after a set time period to make sure that vulnerabilities are addressed

How it works

Torq’s template library contains hundreds of templates for almost any security process.  With just a few clicks, users can import templates into their Torq environment, then easily connect the workflow to their own tools, or make customizations as needed.   Below is an example of a template that uses Snyk, Jira and Slack.  

To get started, simply provide a Snyk API key to Torq, and connect your Jira and Slack instances.  Then add the template from Torq’s template library.  This will give you a workflow that does the following on a daily basis:

  1. Identifies all projects in Snyk that have unresolved issues with severity Critical or High
  2. For each project, verifies that there is a Jira ticket open and assigned. If no Jira ticket is found, one is automatically created and assigned to the Snyk project owner.  Notifications for new tickets are then sent to owners using Slack
  3. For any tickets open longer than 48 hours, a Slack message is sent to the security team.  This message contains two buttons – one to remind the ticket owner, and one to escalate the issue. The recipients and time period are fully customizable – and can be changed in just a few clicks.
    1. If escalation is chosen, a Slack message is sent to the owner’s manager or another specified escalation point.
    2. If a reminder is chosen, a Slack message is sent to the ticket owner.

This process ensures that high and critical vulnerabilities are kept visible to code owners, engineering managers, and security teams – so fixes can be prioritized and delivered.  By automating this process, manual work of reviewing Jira tickets, matching Jira tickets to Snyk issues, and sending reminders or escalations is eliminated.