As enterprises continue to undergo digital transformation, rapidly delivering secure software has become a necessity. Essential to this goal is the ability to measure and manage application risk across a large number of projects and development teams. In this post, we’ll cover two insightful talks from SnykCon 2021 about risk management and measuring key risk indicators for enterprise applications.

Here at Snyk, we spend a lot of time researching vulnerabilities. We do that because there are a lot of other folks out there researching new ways to break into apps and systems. We’re often putting on our “grey hats” to think like a malicious hacker. I regularly view-source, look at network traffic and eyeball query strings. One such delicious little query string caught my attention this week on one of the many copycat Wordle sites.

Snyk’s developer security platform provides developers and security professionals with the tools they need to build and operate modern applications securely. Snyk enables users to shift security left and to embrace a DevSecOps model. Modern application development teams understand that shifting left means bringing information to developers’ fingertips as early as possible in the development process to create efficient and secure applications and development processes.

Since organizations around the globe began investing more aggressively in their digital transformation by migrating and modernizing applications within the cloud, the value of audit logging has shifted. It has expanded from industries like finance and healthcare to nearly any company with a digital strategy.

What do Linux vulnerabilities and natural disasters have in common? Something seemingly dormant can suddenly spring to life, exposing activity beneath the surface. Several days ago, a security researcher published a high-severity vulnerability named PwnKit that impacts most major Linux distributions. The scary part? It’s existed since May of 2009. Polkit is a component for controlling privileges in Unix-like operating systems and is included by default on most major Linux distributions.

Building an application security program can be overwhelming. The steady stream of content encouraging teams to shift left is inspiring, but it doesn’t help you get started. Looking toward organizations with mature AppSec initiatives can make the gap seem insurmountable — all while an actionable plan remains elusive. Like anything else in software development, application security is a journey. A journey that’s much more enjoyable with some guiding principles.