Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Over the years, we have framed our Application Security features against market-defined product groupings such as Web Application Firewall (WAF), DDoS Mitigation, Bot Management, API Security (API Shield), Client Side Security (Page Shield), and so forth. This has led to unnecessary artificial separation of what is, under the hood, a well-integrated single platform.

Financial institutions face a tricky balancing act: they need to innovate quickly while also following strict compliance rules in an environment where security is paramount. Recently, Snyk's Field CTO, Steven Schmidt, sat down with Mihai Saveschi, Senior Director of Security Service Management at CIBC, for a fireside chat to discuss these pressing issues. We’ve pulled key insights from their conversation on some of the most pressing AppSec challenges facing financial services organizations today.

Imagine building a high-tech security fence around your house but leaving open doors and windows with crumbling roofs. Would you still feel safe? That’s precisely what happens when organizations deploy Runtime Application Self-Protection (RASP) without Vulnerability Assessment and Penetration Testing (VAPT). Many security leaders assume that because RASP offers real-time threat detection and mitigation, it eliminates the need for proactive security testing. But this is a dangerous misconception.

Dynamic Application Security Testing (DAST) is a cornerstone of web application security, allowing organizations to detect vulnerabilities that are actually exploitable in runtime – minimizing false positives. However, managing security findings across multiple tools can prolong risk assessments, prioritization, and remediation. Jit users who want to leverage Invicti, one of the best DAST solutions in the market, have had to manage security findings in a completely separate interface.

Security posture management has become exponentially more complex for organizations developing and managing a vast ecosystem of applications. Evolving architectures like microservices, hybrid cloud infrastructures, and frequent release cycles introduce constant change and challenges. Amid these growing challenges are the existing security gaps organizations are struggling to address.

The tj-actions/changed-files GitHub Action, which is currently used in over 23,000 repositories, has been compromised, leaking secrets through workflow logs and impacting thousands of CI pipelines. All tagged versions were modified, making tag-based pinning unsafe. Public repositories are at the highest risk, but private repos should also verify their exposure.

Security teams are overwhelmed. Whether it’s alert overload, a growing backlog of vulnerabilities, or fragmented security data, there’s no finish line in sight. The State of Software Security 2025 report reveals that security debt is rising and flaws times are increasing. Meanwhile, the traditional tools many teams leverage fail to provide the context needed to track risks across the application lifecycle and, importantly, to prioritize them.