Sergey Nvns - Fotolia

Developer-first security raises Snyk's tides, among others

Armed with a developer-first focus on security, Snyk has been able to draw $300 million in new funding. It also quadrupled its valuation to $4.7 billion in just over a year.

Security software provider Snyk has snagged $300 million in additional funding and quadrupled its valuation to $4.7 billion since early 2020, indicating the market is ripe for apps built with security in mind from the outset.

Snyk sells what it calls "developer-first" security products, which means the tools it provides enable developers to build more secure software without having to do anything more than code as usual.

"We built a tool that's fully integrated into the software development lifecycle," said Peter McKay, CEO of Boston-based Snyk. "So, developers don't have to be security experts, they just have to understand to test along the way and we'll prioritize and auto-remediate any issues for them. We have a maniacal focus on developer productivity."

It's that maniacal focus that led to the valuation Snyk is experiencing. "We wanted to embed security without slowing developers down," McKay said.

The high valuation validates what Snyk has been doing for the last five years, he added.

"That's a huge valuation, especially when you consider that it was valued at $2.6 billion only six months ago," said Sandy Carielli, an analyst at Forrester Research. "The markets that Snyk plays in, particularly software composition analysis [SCA] and container security, are fairly high-growth areas."

Snyk was at first better known to the development community than the security community. However, in the past year, Snyk has invested heavily in reaching the latter through partnerships with a range of well-known security vendors, including Trend Micro, Akamai and Rapid7, Carielli said. Snyk has also licensed its vulnerability database to many other security vendors.

Meanwhile, other key players in the software composition analysis world include WhiteSource, Synopsys and Sonatype. In the container security and serverless security areas, other key players are Palo Alto Networks and Aqua Security, with Carbonetes as an up-and-comer. Snyk is also well known in these markets.

Intersection of 2 security trends

Snyk is able to command so much attention because of its focus on the intersection of two important cybersecurity trends: open source application security and cloud-native application security, said Jason Bloomberg, an analyst at Intellyx, in Suffolk, Va.

Open source security is particularly challenging because of the extensive use of third-party code, which may not be properly secured.

Jason Bloomberg, analyst at IntellyxJason Bloomberg

"Any open source-dependent application will also have many typically obscure dependencies, as one package depends upon another," Bloomberg said. "Ensuring all the versions are up to date and no vulnerabilities remain in the code is a critical challenge. Given cloud-native infrastructure is extensively open source-based, the same challenges apply there as well. Snyk is well positioned to take advantage of these trends."

Snyk's developer-first approach provided a differentiator when it first launched, but in the last few years many competitors that focused more on the security persona have invested in the developer experience.

Thus, "Snyk will see a lot of these vendors pushing into their narrative," Carielli said. "This type of funding and valuation doesn't go unnoticed -- their previous funding rounds had already attracted attention."

A rock star

Some observers give a good deal of credit for Snyk's success to its CEO.

"As for the valuation -- wow, I'm super impressed with their performance over the past 1.5 years since Peter McKay took the role of CEO, said Dave Gruber, an analyst at Enterprise Strategy Group (ESG), in Milford, Mass. "But Peter is a rock star, so I expected big things."

In addition to the funding news, Snyk also introduced new additions to their executive staff, including Jeff Yoshimura as CMO. "Jeff Yoshimura as CMO is a big add," Gruber said. "He did a great job leading marketing at Elastic through their IPO."

This Series E round of funding for Snyk was co-led by Accel and Tiger Global, with participation from existing investors Addition, Boldstart Ventures, Canaan Partners, Coatue, GV (formally Google Ventures), Salesforce Ventures, Stripes and funds managed by BlackRock. Meanwhile, new investors include Alkeon, Atlassian Ventures, Franklin Templeton, Geodesic Capital, Sands Capital Ventures and Temasek.

"I think that the valuation and the interest in Snyk comes not only from our existing investors who have been incredibly happy about the journey, but also new investors like Atlassian and Google and Salesforce," McKay said. "These are customers first, and investors second."

A maverick approach pays off

Overall, this is "very aggressive" funding for an AppSec company, Gruber said.

"Snyk has flipped AppSec on its head, driving a developer-first approach," he said. "When developers get in the driver's seat regarding choosing a preferred approach to AppSec, security becomes deeply engrained in the development process."

Snyk has flipped AppSec on its head, driving a developer-first approach.
Dave GruberAnalyst, ESG

So, while Snyk began with a focus on Source code analysis, it has expanded into scanning containers for vulnerabilities and Kubernetes and Terraform infrastructure as code for configuration issues. The company also offers a static application security testing solution.

"Two things really set Snyk apart," Gruber said. "First, they built the entire platform from a development perspective versus a security perspective. This means that every decision is a 'developer-first' decision, meaning 'how would a developer want to approach this problem.' They also put a huge developer focus on their vulnerability database -- which is the intelligence that underlies their platform."

In addition, when Snyk reports an issue or recommends a remediation, the software describes it in a level of detail that developers can easily understand. The platform then provides automation that makes it easy for the developer to implement the remediation.

This matters, Gruber said. "When developers embrace an AppSec solution, usage goes up and issues go down, resulting in more secure apps delivered faster, and that is the endgame for application security."

Indeed, that is the goal for Snyk, to scale its offering to all the 27 million worldwide developers that the company identifies as in its potential market.

Investors who saw the value of the Snyk vision reached out to the company to help ensure that it could meet its goals by supplying funds for Snyk to continue to grow, McKay said. "They said they didn't want [a lack of] cash to be the reason we don't go in and grab the 27 million developers around the world. He who grabs the most developers will win the day. And that's our focus."

Meanwhile, Gruber cites some mature players among Snyk's competitors, including Veracode, Synopsys, HCL AppScan, Micro Focus Fortify, WhiteHat and Checkmarx. Additional up-and-comers include Contrast Security and Apiiro.

Scaling application security

Snyk expanded from its original Snyk open source security product to add three more offerings to its product line: Snyk Container, Snyk Infrastructure as Code and Snyk Code.

This latest infusion of capital will enable Snyk to grow faster at every level, including product development, expanding the vulnerabilities database, adding to the customer roster and recruiting talent to the company, said Guy Podjarny, co-founder and president of Snyk, in a blog post. Snyk will partner more developer-first companies like Atlassian, Datadog, Docker, Dynatrace, Red Hat and others to build security into the fabric of software development, he added.

Snyk also will use its new funding to expand into Asia-Pacific and Japan, which are expected to see strong growth in developer population.

Enterprise Strategy Group (ESG) is a division of TechTarget.

Dig Deeper on Agile, DevOps and software development methodologies