Today, Cycode is thrilled to announce a new SAST enrichment integration with Wiz! The new integration allows customers to combine their Cycode SAST findings with Wiz’s cloud posture and runtime insights, offering a comprehensive security view across the entire application lifecycle.
The SAST enrichment extends Cycode’s existing technical integration with Wiz. Our joint customers can now both pull container image vulnerabilities from Wiz into Cycode and send Cycode SAST (Static Application Security Testing) findings back to Wiz. This two-way communication provides unparalleled code-to-cloud visibility, enabling teams to manage risks more effectively across the entire application lifecycle.
“We’re thrilled to welcome Cycode to the Wiz Integration Network (WIN) and deepen the capabilities of our partnership. This new SAST integration closes critical gaps between CloudSec and AppSec, enabling teams to seamlessly manage security risks across cloud and code. By combining Wiz’s contextual cloud insights with Cycode’s advanced scanning and SDLC visibility, we’re empowering customers to tackle vulnerabilities faster and more effectively, driving better collaboration and stronger security outcomes,” said Oron Noah, VP Product Extensibility & Partnerships, Wiz.
“Cycode is excited to deepen our partnership with Wiz. We’re each leaders in CNAPP and ASPM respectively and this partnership will deliver a comprehensive code to cloud solution for our customers,” said Lior Levy, CEO, Cycode.
In this post, we’ll explore how the integration works, the challenges it addresses, and the differentiated value it yields for customers.
The Growing Demand for Code-to-Cloud Security
Cloud-native architecture has been the foundation of modern software development, delivering speed, scalability, and robustness that developers are eager to harness. But with these benefits comes the challenge of managing vulnerabilities that span code, containers, and cloud infrastructure. Companies use specialized tools to address security in each of these areas, but fragmentation remains a problem: security data stays siloed, leaving teams without a unified view of risks or a way to prioritize vulnerabilities. As a result, critical issues go unaddressed, leading to increased security exposure and potential data breaches.
How the Cycode-Wiz Integrations Work
The integrations between Cycode and Wiz are built to bridge security gaps across the development and runtime environments.
- Container Image Vulnerabilities in Cycode: Cycode users can pull container image vulnerabilities from Wiz directly into the Cycode platform. This allows security teams to correlate these container vulnerabilities with their exposure paths and origins in the source code, adding essential runtime context to application security management. Cycode’s powerful Risk Intelligence Graph (RIG) provides a flexible query language to filter and correlate Wiz vulnerabilities across the SDLC. In the examples below, Cycode is able to trace Wiz container image vulnerabilities back to the code commits and responsible developers.
- SAST Findings in Wiz: The integration also allows Cycode to send SAST findings to Wiz, enabling users to view code vulnerabilities within the broader context of cloud posture and runtime insights. With this capability, teams can see how specific code issues may impact cloud workloads, providing a more comprehensive understanding of risk across their cloud environments. The examples below show Cycode SAST findings and the associated context displayed within the Wiz platform.
This integration brings critical insights from both tools into a unified framework, making it easier for security and DevOps teams to prioritize, remediate, and monitor vulnerabilities based on their relevance to the full application lifecycle.
What This Means for Cycode and Wiz Customers
The Cycode-Wiz integration brings powerful new capabilities to joint customers, enhancing the overall security posture of cloud-native applications. By providing a consolidated view of vulnerabilities across the code, container, and cloud layers, this integration supports faster, more informed remediation of the most critical application security risks. Some of the many benefits to joint customers are below:
- Code-to-Cloud Visibility: This integration provides a comprehensive security view, aligning Cycode’s SAST findings with Wiz’s cloud and container insights for full lifecycle visibility.
- Enhanced Risk Prioritization: With a holistic view of code and cloud vulnerabilities, teams can prioritize their efforts more effectively. By understanding the full context of each vulnerability, they can focus on remediating those with the greatest potential impact on application and cloud security.
- Streamlined Remediation: The integration centralizes vulnerability data in both platforms, allowing security and DevOps teams to access the same information in their preferred tool. This reduces context-switching, making it easier to identify and resolve critical issues efficiently.
As cloud-native applications continue to evolve, so too does the need for seamless integration and real-time visibility across security tools. Cycode and Wiz are committed to helping organizations meet this demand by providing the tools they need to protect critical assets in dynamic environments.
Complementary Technologies with Independent Approaches
Modern development and the adoption of containerization, IaC, and GitOps require treating programmable infrastructure components the same way as software as they move through the development and deployment process. Therefore, these components need to be secured the same way software is, and issues need to be addressed as early as possible in development.
CNAPPs were designed to be an “end-to-end cloud-native security solution that combines key functionalities like posture management, workload protection, runtime protection, and data security” and represented a consolidation and evolution of multiple cloud security technologies. CNAPPs excel at securing everything in the cloud, but not everything that happens during development is cloud-based. This is where ASPM plays a crucial role for an organization’s security posture. CNAPPs and ASPMs serve different purposes and should operate independently to maximize effectiveness:
- Different DNA: CNAPP’s core DNA is to secure everything that happens within the cloud, with some ties into both DevOps and SecOps workflows. ASPM’s core DNA, on the other hand, is to secure everything in development, the code artifacts, and the software factory process that turns organic and third-party code artifacts into running applications in production across ANY environment: cloud, on-prem, or hybrid.
- Developer Security Context: Cloud native has blurred the lines between application and infrastructure, and container and infrastructure-as-code security capabilities do span both development and cloud. Even with that overlap into development workflows, CNAPP has no application-layer context the way ASPM does.
- Developer Experience: Modern application security solutions focus on developer experience with the ability to integrate across the SDLC to meet developers where they live. ASPM was purpose-built for the end-to-end developer experience with all the common SDLC integrations.
- Discovery and Inventory: Discovery and inventory in development are very different from discovery and inventory in the cloud. CNAPP’s discovery and inventory function was designed to discover and manage all cloud assets and group them under cloud accounts and subscriptions. Discovery and inventory in development is more nuanced and requires careful grouping and CMDB mapping to attribute code artifacts to repositories, projects, branches, development teams, and developers.
Get Started with the Cycode-Wiz Integration
Joint customers of Cycode and Wiz can begin taking advantage of this integration today. To learn more about how the Cycode-Wiz bi-directional integration can help your organization achieve end-to-end security coverage, reach out to our team at [email] for setup support or additional information.
If you’re excited to discover how your Security and Dev teams can achieve Peace of Mind with the only complete ASPM, don’t hesitate to get in touch and take it for a test drive! Book a demo now to find out how we can help you achieve faster time to value, reduce critical vulnerabilities, and remediate faster.