Developer security platform provider Snyk announced today that it’s entering the cloud security market with the acquisition of Fugue, in a move to make it easier for developers to secure the cloud infrastructure that’s needed to run applications, Snyk cofounder and president Guy Podjarny said.

Snyk specializes in offering tools for scanning and fixing code — built to be familiar to developers — that are meant to be woven into the developer process. Fugue brings capabilities for detecting misconfigurations in cloud infrastructure, with its solution for cloud security posture management (CSPM).

By combining with Fugue’s technology, the Snyk platform will be able to provide developers with “continuity all the way from their code to the cloud deployments,” Podjarny said in an interview.

With its rapid growth, marquee customer list, and soaring valuation (of $8.5 billion), Snyk is one of the most prominent companies in the DevSecOps space. DevSecOps is an approach meant to improve application security by aligning development, security, and operations — enabling apps to be secured from their inception.

CSPM, meanwhile, has become an essential tool for many cloud-focused enterprises — given that misconfigurations are the predominant cause of data breaches in the cloud. According to Gartner, more than 99% of breaches in the cloud are attributable to a misconfiguration or other mistake.

“To equip developers with building secure software and owning it, they have to go past the pipelines into understanding what is deployed,” Podjarny told VentureBeat. “[That includes] understanding what security mistakes are deployed — so they can own that and they can help secure it.”

Terms of the acquisition for Fugue weren’t disclosed, but Podjarny said it ranks as one of the biggest acquisitions by a company in the DevSecOps space to date.

Infrastructure-as-code

Founded in 2013 by Josh Stella, formerly a principal solutions architect at public cloud front-runner Amazon Web Services (AWS), Fugue originally aimed to offer its technology as an infrastructure-as-code (IaC) solution, before pivoting to security. But that core approach of “thinking about the cloud as code” at Fugue is a great match with Snyk, which counts IaC security among its focus areas, Podjarny said.

While Snyk looked at other providers of CSPM, as well, the company found Fugue’s origin in IaC “to be far more aligned with our dev origins, than the companies coming at it from the IT security lens — who are trying to apply [data center security] principles to the cloud,” he said.

All of which means that Fugue is the “best CSPM solution for an infrastructure-as-code-enabled infrastructure,” Podjarny said.

Stella, who has joined Snyk as chief architect, said that combining Fugue and Snyk will ultimately give developers a “complete line of sight — from source code all the way through into the system as it’s functioning.”

Bringing together security tools for the development process and cloud infrastructure is ideal, he said — because for cloud-native development organizations, the configuration of the cloud is largely a side effect of the application.

Stella said that when he connected with Podjarny, “immediately we saw things the same way. And I think there’s going to be some really interesting stuff that we can do — uniquely — because we will have that complete understanding of the system.”

For now, Fugue will continue to be available as a standalone offering in a limited capacity, while Snyk begins the work of integrating the technology with its developer security platform. The aim is to be able to launch the integrated platform by early in the second half of the year, Podjarny said.

Growth spurt

With the addition of Fugue’s 40 employees, Snyk now has 1,200 employees in total. That’s nearly a threefold increase from the beginning of last year, when the Boston-based company had a headcount of 430.

Founded in 2015, Snyk has raised a total of $775 million to date, including the $530 million series F funding round in September that brought with it the $8.5 billion valuation.

Snyk isn’t disclosing specific details about its revenue, but Podjarny said the company had a faster rate of revenue growth in 2021 than in 2020 — a difficult feat as companies grow in size. “And we’re seeing that trend continue into Q1,” he said.

Prominent customers of Snyk include Google, AWS, Salesforce, Comcast, CVS Health, Atlassian, MongoDB, and Reddit. The company reports having more than 1,500 customers in total, and adds several dozen customers from Fugue, including AT&T, Ericsson, and SAP.

In terms of Snyk’s potential aspirations to go public – a December report from Bloomberg said that Snyk is preparing for an IPO as soon as the middle of this year — Podjarny said that “we eventually expect that we will be a public company. And we’re building and evolving the company accordingly.”

But he declined to say whether that could happen in 2022, saying that “we’re working to ensure that we are able to go public when the market’s circumstances are correct.”

Frederick, Maryland-based Fugue is the fifth acquisition for Snyk, coming after the company acquired CloudSkiff, FossID, Manifold, and DeepCode — all in the past 18 months.

Developer-first CSPM

Bringing Fugue’s technology onto the Snyk platform will provide customers with “developer-first CSPM,” the company said in a news release. That includes detection of vulnerabilities in workloads and automation inside of developer workflows to allow for greater efficiency in catching security issues earlier, Snyk said.

Because Fugue’s cloud security solution is “anchored in code and in software, when we tell you about a problem, we will tell you how it got there, and which dev team owns it, and what is the code that needs to be modified or augmented to make this problem go away,” Podjarny said.

Fugue also brings visualization capabilities — enabling developers to visualize their architecture and the various connections that are in place, as a way to better assess risk and prioritize issues, according to Snyk.

“The cloud context [from Fugue] will make the rest of the Snyk product better, by helping prioritize vulnerabilities that have a higher exposure in production,” Podjarny said. “That helps developers better use their time and better manage their risk within their organization.”

For example, bringing cloud context into the development process is useful so that after an application is developed, the developer can then know where that software is deployed, he said. And thus, if they were to add a vulnerable library, or they were to accept a vulnerability in their code, “what would be the production implications of that? Which assets might be exposed?” Podjarny said.

Ultimately, when it comes to cloud-native technologies such as containers and microservices, “the boundary between application and infrastructure is blurring,” Stella said.

“If you look at containers, if you look at serverless and the connections between those components — for example, in AWS Lambda — those are infrastructure, but they are the application architecture,” he said. “And so these worlds are merging. And I think that we’re uniquely well-positioned together to address the hard problems in in security going forward.”