Investing in Snyk, a Developer-First Security Solution

As all companies are becoming software companies, enterprises face immense competitive pressure to deploy new features at speed and scale. Organizations are orienting themselves to optimize the productivity of the development organization, as their output sets the pace for the company’s growth. Yet such rapid scaling also carries inherent challenges to enterprise security. As a company’s digital footprint grows, so does its attack surface—increasing demand for ramped-up fortification, with application security spending expected to rise to $7.1B by 2023.

Under traditional IT-led approaches to security, unfortunately, reviews are performed at the end of the development cycle, forcing developers to address vulnerabilities days or weeks after they wrote the initial code and sometimes to perform multiple iterations. Thus, the security review becomes a bottleneck in the software development lifecycle (SDLC), creating not only tension between development and security teams but also costly delays.

When we first met Guy Podjarny, founder of Snyk, it was clear he’d had his finger on the pulse of the rapidly transforming developer ecosystem long before others in the space. He and his team recognized years ago that the solution to this challenge was to flip the order of operations and shift security “left” to the first steps of the development lifecycle. In doing so, he built a security tool designed for the developer organization instead of the security organization.

While traditionalists viewed IT security and software development as distinct, siloed workforces, Guy saw the opportunity to seamlessly merge their efforts to suit the evolving digital hierarchy. To effectively embed security into developers’ work, however, the experience must be frictionless. Adopting the Japanese poka-yoke approach to error prevention, Guy and his team purposefully built Snyk to fit seamlessly into developers’ integrated development environments (IDEs), allowing them to code as usual while being alerted to security needs in real time. That way issues could be addressed at the onset, saving valuable time and reducing risk across the board.

Initially, Snyk was focused on applying this technique to identify vulnerabilities in open-source code. Today, they have evolved to apply it to testing source code, containers, and infrastructure as code as well.

In embracing developers, Snyk also was early to market their product directly to them as a “B2D” model that drove tremendous bottom-up growth. CEO Peter McKay, a seasoned executive, further scaled the company by growing its enterprise presence and establishing it as a leader in the DevSecOps space, where “developer-first security” is now mainstream.

Seeing the complementary leadership styles in Guy’s visionary perspective and Peter’s operational expertise, we were excited to partner with this innovative firm as it continues to blaze the path forward to transform the legacy cybersecurity industry. We’re thrilled to announce Citi Ventures’ investment in Snyk as part of its latest fundraising round, alongside Tiger Global, Accel, Boldstart, GV, Coatue, Stripes, Addition, and Salesforce Ventures.

With the developer-first security movement still in its early innings, we look forward to what the future holds for the entire Snyk team!

For more information, email Matt Carbonara at matt.carbonara@citi.com.