Snyk’s Clinton Herget on Shifting Security Into the Developer Path in the AI Era
Clinton Herget, field chief technology officer at Snyk, said the growing adoption of artificial intelligence-driven software development is highlighting the need for government agencies to integrate security directly into developers’ critical path or environment.
What Is Developer Security?
In an article published on Carahsoft.com, Herget described “developer security” as the practice of securing the software development process itself.
“That means helping developers understand the implications of the decisions they’re making when they’re making them,” he wrote. “Rather than reading a report weeks later, they should receive a notification in real time inside their integrated developer environment, with guidance on how to fix the issue.”
Herget also detailed how Snyk’s platform provides developers with a unified view of potential security risks.
“Snyk’s platform has a suite of analysis engines that look at all the sources of risk in modern software, which can include open-source dependencies, the code itself, the containers, the cloud infrastructure and, increasingly, the AI assets. We pull all those insights together to give a cohesive view of the potential risks, along with advice on how to address those risks,” he explained.
What Are the Steps to Ensure Software Security & Quality?
According to Herget, the first step for agencies is gaining visibility into development processes. They need to understand whether code is produced by humans or machines, what checkpoints it passes and whether proper controls ensure compliance with security requirements.
“The next step is prioritization in terms of collecting information and determining how to manage those quality issues. The final step involves governance and policy, which means understanding how you are managing not just the software assets, but the processes and pipelines that are used to build them,” the field CTO said.
The Snyk executive noted that many government teams have adopted software factories to keep pace with private-sector development by embracing containerization, infrastructure as code and other modern technologies.
According to Herget, the challenge now is securing these software factories. Agencies should determine whether the right guardrails are in place and whether developers are empowered to make informed security decisions, as well as understand how to mitigate risks as they build.