Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

March 2021

Application security automation for GitHub repositories with Snyk

Snyk provides a wide array of integrations and a pretty comprehensive API to enable you to deploy Snyk across the SDLC and monitor all the code your organization is developing. Of course – this is not always simple. At scale, ensuring Snyk is monitoring all your repositories becomes more challenging. As you grow, more code is added in the shape of new repositories. Not only that, existing repositories keep on changing.

Preventing YAML parsing vulnerabilities with snakeyaml in Java

YAML is a human-readable language to serialize data that’s commonly used for config files. The word YAML is an acronym for “YAML ain’t a markup language” and was first released in 2001. You can compare YAML to JSON or XML as all of them are text-based structured formats. While similar to those languages, YAML is designed to be more readable than JSON and less verbose than XML.

Secure coding with Snyk Code: Ignore functionality with a twist

When scanning your code with our secure coding tool, Snyk Code might find all kinds of security vulnerabilities. And while Snyk Code is fast, accurate, and rich in content, sometimes there is the need to suppress specific warnings. Typical example use cases arise in test code when you explicitly use hard coded passwords to test your routines, or you know about an issue but decide not to fix it.

SQL injection cheat sheet: 8 best practices to prevent SQL injection attacks

SQL injection is one of the most dangerous vulnerabilities for online applications. It occurs when a user adds untrusted data to a database query. For instance, when filling in a web form. If SQL injection is possible, smart attackers can create user input to steal valuable data, bypass authentication, or corrupt the records in your database. There are different types of SQL injection attacks, but in general, they all have a similar cause.

Are we forever doomed to software supply chain security?

The adoption of open-source software continues to grow and creates significant security concerns for everything from software supply chain attacks in language ecosystem registries to cloud-native application security concerns. In this session, we will explore how developers are targeted as a vehicle for malware distribution, how immensely we depend on open-source maintainers to release timely security fixes, and how the race to the cloud creates new security concerns for developers to cope with, as computing resources turn into infrastructure as code.

Developer Driven Workflows - Dockerfile & image scanning, prioritization, and remediation

When deploying applications in containers, developers are now having to take on responsibilities related to operating system level security concerns. Often, these are unfamiliar topics that, in many cases, had previously been handled by operations and security teams. While this new domain can seem daunting there are various tools and practices that you can incorporate into your workflow to make sure you’re catching and fixing any issues before they get into production.

How To: Build and Maintain a DevSecOps Culture

DevSecOps is the process of integrating secure development best practices and methodologies into development and deployment processes. Reliant on the fast development and delivery of agile software, businesses cannot afford to miss a step when it comes to keeping pace with the competition. However, when the next security breach is a matter of ‘when’ not ‘if,’ organizations are also ill-fated if they fail to ensure that their DevOps processes are just as secure as they are speedy.

How Twilio Scaled through Dev-First Security and DevSecOps

As more organizations leverage cloud native technologies such as Kubernetes, IaC, containers and serverless – shifting left and adopting DevSecOps is a must-do. But how does it actually work in practice? Meet Twilio; a billion dollar unicorn that has mastered dev-first security. In this session, you’ll hear from Twilio’s Head of Product Security on how he built and runs an application security program that maintains high velocity outputs.

Integrating security automation in modern application development environments

Automating security has become fundamental to supporting the speed-to-market requirements of modern application development environments. In this video, you will hear from the security teams at Skyscanner and Red Venture on how they are automating application security as part of their application development environments, thus helping their development teams to prioritize and remediate vulnerabilities more effectively.

Backstage integration with the Snyk API

Backstage began life as an internal project at Spotify and was released as an open-source project in 2020. Its original intention was to be a central location where the company had a registry of all software they had in production but has since evolved into a much more advanced platform, including a plugins system that helps users extend the platform. This plugin system is a significant reason for Backstages success and drove adoption within the company.

Automate container security with Dockerfile pull requests

Integration with your source code managers and issuing pull requests to fix issues has been part of Snyk’s success in helping our customers fix application dependencies for several years. Now, we want to help you address container security in a similar way. We’re happy to share that we are extending Snyk Container by helping you automatically fix issues in your Dockerfile to keep an up-to-date base image at all times.

Defining Developer-first Container Security

Have you shifted left, yet? That’s the big trend, isn’t it? It’s meant to signal a movement of security responsibilities, moving from central IT teams over to developers, but that’s trickier than it sounds. Simply taking tools that are intended for use by security experts and making them run earlier in the supply chain does not provide developers with meaningful information.

Solving Java security issues in my Spring MVC application

The Spring MVC framework is a well-known Java framework to build interactive web applications. It implements the Model-View-Controller architecture pattern to separate the different aspects of your application. Separating the different logic elements like representation logic, input logic, and business logic is generally considered good architectural practice.

Docker Hub Authentication: Is 2021 the year you enable 2FA on Docker Hub?

Judging by the reactions I saw in the audience during my past talks on “Securing Containers By Breaking In”, as well as recent reactions on Twitter, not many know about Docker Hub’s fairly recent multi-factor authentication feature. In October 2019, in order to improve the Docker Hub authentication mechanism, Docker rolled out a beta release of two-factor authentication (also known as 2FA).

Snyk Expands Into Asia Pacific Japan

At the beginning of 2021, I noted that Snyk was ready to soar. And soar we have…the rocket ship’s next stop? Asia Pacific and Japan (APJ). I would like to welcome Shaun McLagan, our new Vice President of APJ Sales, and our new partners Temasek, an investment company headquartered in Singapore, and Geodesic Capital, a venture capital firm that specializes in helping technology companies expand into Asia, to the Snyk family.

Fast or Secure? You can only pick two

In this live hack session with our partners Dynatrace and Cprime you see how developers and security teams can work together to integrate vulnerability management into Bitbucket workflows. Snyk's Simon Maple shows how the Snyk and Dynatrace integration delivers 100 percent visibility into risks anywhere in production, including third-party applications that haven't gone through pre-production inspection.

Our Journey to Today

Today we came a step closer towards our ultimate vision – to empower every one of the world’s 27 million developers to develop fast while staying secure. On behalf of the entire extended Snyk family, every current and former employee, partner and customer, I’m humbled to announce that today marks another important milestone in the Snyk journey: the closing of our Series E funding round.

Featured Post

Why cloud native apps need cloud native security

A cloud native approach to infrastructure and application development enables simplification and speed. Many of the traditional tasks involved in managing and deploying server architecture are removed, and high levels of automation deployed, making use of software-driven infrastructure models. Applications can be deployed at scale, be resilient and secure, while also allowing continuous integration technologies to accelerate development and deployment. Cloud approaches are set to dominate the future, most authorities agree: according to Deloitte, for example, global cloud spending will grow seven times faster than overall IT spending until at least 2025.

10 Kubernetes Security Context settings you should understand

Securely running workloads in Kubernetes can be difficult. Many different settings impact security throughout the Kubernetes API, requiring significant knowledge to implement correctly. One of the most powerful tools Kubernetes provides in this area are the securityContext settings that every Pod and Container manifest can leverage. In this cheatsheet, we will take a look at the various securityContext settings, explore what they mean and how you should use them.

Breaking Containers to Improve Security: Docker and Snyk

What does a container exploit look like? What happens when someone breaks into your container? How can Docker and Snyk integration help you fix these problems? This Docker Workshop "Breaking Containers to Improve Security" answers these questions in a live hack demo. Snyk and Docker partner to power image scanning behind Docker Desktop and Docker Hub. Snyk helps software-driven businesses develop fast and stay secure. Continuously find and fix vulnerabilities for npm, Maven, NuGet, RubyGems, PyPI and more.

Snyk's new vulnerability cards - fix issues fast with a new look and feel

One of our missions at Snyk is a simple one: help developers fix things easily. We further our mission by releasing features and improvements as quickly as possible, but it’s also just as important that developers have an experience which helps them gain as much value from Snyk as possible. This includes being able to quickly understand what needs to be fixed, and making that task incredibly easy.

Snyk Code: An Introduction to Dev-First SAST

Conventional Static Application Security Testing (SAST) tools are limited by lengthy scan times and poor accuracy – returning too many false positives. Sound familiar? That's why Snyk developed a new approach to finding and fixing code vulnerabilities with a developer-friendly experience – introducing: Snyk Code! Watch this live demo of Snyk Code to see how it integrates into Snyk's Cloud Native Application Security platform to help developers build software securely across the entire stack – including the code, open source, containers, Kubernetes, and IaC.

Securing your modern software supply chain

Software supply chain security concerns are more prevalent than ever. The U.S. Pentagon, Department of State, Department of Homeland Security, Microsoft, FireEye – this is just a partial list of the government agencies and companies hacked as a result of the attack on SolarWinds’ proprietary software – the Orion network monitoring program.

SolarWinds Orion Security Breach: A Shift In The Software Supply Chain Paradigm

The recent SolarWinds breach highlights a new paradigm in the Software Supply Chain. When compared simply to the code itself without any additional tools, Proprietary Code is no more secure than Open Source. By contrast, many would argue that Open Source Code is more secure due to a faster fix/patch/update cycle and the pervasive access to source code (Clarke, Dorwin, and Nash, n.d.).