Most cloud security companies see application deployment as the start of the security journey, but in reality it’s the middle, says Snyk founder Guy Podjarny. “We think of code as the beginning, and we understand we need to go all the way to what is deployed,” he explained.
This outlines Snyk’s strategy as it pushes into the larger $77.5 billion market, and it explains why the developer-focused security vendor bought Fugue last week. “We aim to offer customers a complete journey from code to cloud,” Podjarny said in an interview with SDxCentral alongside Fugue CEO Josh Stella.
The companies did not disclose financial terms of the deal. Fugue raised about $85 million over eight funding rounds.
Fugue is a cloud security posture management vendor, and it recently developed a unified policy engine that connects cloud posture back to configuration code, using one set of policies to manage compliance and security throughout the entire software development lifecycle.
Adding its technology to Snyk’s larger developer-focused security platform, which already finds and fixes vulnerabilities in open source, application code, containers, and infrastructure as code, will make the code-to-cloud security journey easier for customers, the two executives said.
Snyk Code-to-Cloud Security
“The difference in what we’re building is when we tell you about a problem that is deployed, we would immediately relate it using the great technology that Fugue built, to where it came from, where you should approach and fix it, and which dev team should you engage,” Podjarny said.
Plus, Fugue’s unified policy engine means that the combined platform will use consistent policies to secure the infrastructure as code as well as what’s actually deployed, he added.
“But then subsequently we would bring this cloud context information to a developer’s daily life that would make the broader Snyk platform more effective,” Podjarny said. “So when you are encountering a vulnerable library or vulnerability in your code, you would understand where it is deployed in production, what assets is it related to, and that would help you prioritize the work to address other security threats in your application.”
Additionally, the integrated technologies better reflect the way that organizations build — and need to secure — systems in the cloud, Stella said.
“The boundary between infrastructure and application is breaking down,” he said. In building modern applications, organizations use infrastructure configurations to access databases, or they build those databases as part of the application, and then they deploy applications using infrastructure as code, Stella explained.
“The old notion that you build out your infrastructure, and then you populate it with apps is turned upside down,” he said. “You’re building apps that instantiate their infrastructure, so of course you have to approach it in this way.”
Fugue “focused on the cloud API surface, and Snyk goes all the way back to the source code of the app,” Stella continued. “So I think we’re going to be able to show people the true boundary of the system, and that’s going to be just unique.”
Snyk’s Dev-First Security Strategy
Fugue is Snyk’s fifth acquisition in the last 18 months, and it follows a $600 million funding round last year that raised Snyk’s valuation to $8.5 billion.
This, combined with the vendor’s growing customer count and product development, validates Snyk’s approach to security, Podjarny said. The platform saw rapid adoption in 2021 with more than 300 million tests run by Snyk users and customers over 12 months and more than 30 million vulnerabilities fixed during the third quarter.
Plus, its Snyk Code product, a static application security testing tool that launched in late 2020, has “hundreds of global enterprises” that use the product as part of their development processes, according to the company.
“We’re seeing increasing appetite from our customers to tackle more and more security problems with a dev-first approach,” Podjarny said. “We’ve had 86% of customers in Q4 of 2021 purchase two or more products. And we’re seeing customers ask for more in a unified, holistic platform that is consistent — and consistently dev first.”