Snyk to Acquire App Security Posture Management Startup Enso
Buying Israeli Firm to Give Snyk Clients Clearer View of Posture During Entire SDLC
Snyk plans to purchase an Israeli startup founded by members of Wix's application security team and backed by CyberArk to help organizations govern developer security.
The Boston-based developer security vendor said its proposed buy of Tel Aviv-based Enso Security will give clients a view of their application security posture during the entire software development life cycle, with prioritization that factors in both business impact and risk. The increased complexity of application environments and variety of tools and methods developers use to create code has made this a priority.
"With all the context and all the automation, developers are overloaded and things get overlooked," Snyk Chief Product Officer Manoj Nair told Information Security Media Group. "The AppSec teams are faced with an ever-growing backlog. That was one of the original ASPM use cases."
Bringing App Discovery and App Prioritization Together
Organizations struggle with discovering which applications have been created as part of the software development life cycle due to a lack of visibility into the pipeline and the assets themselves, Nair said. Snyk natively built capabilities around prioritizing which application vulnerabilities should be fixed first, while Enso has focused on discovering an organization's applications and controlling the coverage (see: Synopsys Extends Lead in Gartner MQ for App Security Testing).
Large enterprise and midmarket customers often have distributed application security teams and a tough time gaining visibility into their development tools, according to Nair. He said the largest source of attacks in 2022 was the software supply chain. Organizations that haven't fully instituted DevSecOps are particularly susceptible to software supply chain attacks, Nair said.
"People have known unknowns," Nair said. "They know that they don't have good enough coverage. They know that they don't have the issues being fixed. That's literally low-hanging fruit."
Enso also delivers the visibility needed to continually find "unknown unknowns" and help customers drive down their software supply chain risk. Nair said Gartner estimates that 40% of organizations will have application security posture management implemented by 2026.
"This is providing overall visibility and almost a workbench for their AppSec teams to better manage software supply chain security," Nair said.
Terms of the acquisition, which is expected to close by the end of the month, weren't disclosed. IT-Harvest estimated that Enso Security is worth between $6 million and $8 million based on available funding and revenue data. Enso has annual revenue of $5.2 million, or roughly $140,000 per employee, IT-Harvest estimated.
From Wix to Enso to Snyk
Enso Security was founded in 2020, employs 39 people and raised $6 million in an October 2020 seed funding round led by YL Ventures, IT-Harvest found. In May 2022, privileged access management firm CyberArk announced an investment in Enso from its newly created venture fund. Thirty-four of Enso's workers are based in Israel, while the other five work from the United States, according to LinkedIn (see: CyberArk Debuts $30M Venture Fund to Back Talented Startups).
The company's founding team all came from Israeli web development services vendor Wix. Enso CEO Roy Erlich was the head of application security there, Enso Chief Architect Chen Gour-Arie was a senior framework security architect and Enso Chief Technology Officer Barak Tawily was an application security engineer.
"One of the biggest challenges I came across as the head of AppSec in my career was surrounding risk - getting a clear picture of risk, prioritizing the business-critical risks, and then transforming that insight into clear action items and smart tasks for my team," Erlich wrote in a blog post.
As organizations increasingly tap into developers for finding and fixing security issues, application security teams need a toolkit that enables them to scale visibility and control to manage the security process, Nair wrote in a blog post. The Enso deal will allow security teams to scale their application security programs to every application and developer across the software development life cycle to free up developer time.
Snyk's 8th Acquisition in 9 Years
Going forward, Nair said, application security teams will be able to quickly gain visibility into what assets exist in their company and what tools are being used to test them using Enso's orchestration capability, automatic asset and controls discovery, and business impact classification. As a result, he said, application security teams will have automated policies and guardrails to help them collaborate with developers.
"By eliminating the need to manually seek out repos, artifacts and other assets and then roll out security tools to fill in gaps, security teams can focus their efforts on collaborating with developers and platform teams on secure development policies and guardrails, instead of playing catch-up," Nair said.
The Enso acquisition comes less than two months after Snyk executed its third round of layoffs since June 2022, axing 128 workers amid projections of challenging market conditions persisting into early 2024. Snyk in April revealed plans to reduce its more than 1,200-person staff by an estimated 11%. This came less than six months after Snyk had laid off 198 people and less than 10 months after it cut 30 staffers (see: Snyk Lays Off Another 128 Staffers as Economic Woes Persist).
This is Snyk's eighth acquisition since being founded eight years ago, according to Crunchbase. The company most recently purchased data analytics consultancy TopCoat Data in March 2022 and cloud security posture management vendor Fugue in February 2022 to help organizations manage compliance and security throughout the software development life cycle, according to Crunchbase.