Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

May 2023

Snyk announces new Slack integration

We’re excited to announce a new Snyk app for Slack that provides notifications within the channels your teams rely on to address security issues in your code, open source dependencies, containers, and cloud infrastructure. Your developer teams get the notifications that matter the most, in their preferred collaboration platform, so they can act on them immediately.

Top 8 penetration testing tools

Penetration testing is crucial to ensuring a resilient security posture within an organization. It simulates an attack on the system, application, or network to discover vulnerabilities before hackers do. Developers often use penetration testing to verify that applications’ internal resources are safe from unauthorized access. In this situation, the tester or ethical hacker serves as a malicious actor. They gather as much information about the system as possible to find exploitable weaknesses.

Data loss prevention for developers

A security violation in the form of a data breach can create costly damage to a company's reputation. But what exactly is a data breach? The European Commission has divided data breaches into three distinct categories — confidentiality breaches, integrity breaches, and availability breaches: In this article, you'll learn more about what a data breach is and how you can prevent data breaches when designing and developing your software.

Snyk named a Leader in 2023 Gartner Magic Quadrant for Application Security Testing

We’re thrilled to announce that Snyk has been named a Leader in the 2023 Gartner Magic Quadrant for Application Security Testing! Snyk was named in the Magic Quadrant for Application Security Testing (AST), for the first time, as a Visionary in 2021. And today, we’re excited and honored to announce that Gartner has recognized us in the Leaders Quadrant in the 2023 Magic Quadrant report.

How to generate an SBOM for JavaScript and Node.js applications

SBOM is the acronym for Software Bill of Materials, which is a list of all the open source npm packages that are part of your project. But it’s not only limited to open source or software packages, and can include operating system libraries, microservices inventory and more.

Improved risk assessment with EPSS scores in Snyk

The number and complexity of software vulnerabilities is continuously growing. The ability of development and security teams to assess the threat level a given vulnerability poses and prioritize fix efforts accordingly greatly depends on access to as much context as possible about the vulnerability.

Starting With Snyk: an overview of the CLI onboarding flow

When starting with Snyk, users can import projects via Git repository or utilize CLI to run test their application code locally or via CI/CD. In this video, we will discuss the onboarding flows meant to help new users utilize the CLI to run their first source code (SAST), open source (SCA), container and infrastructure as code (IaC) tests and start fixing issues. Snyk helps software-driven businesses develop fast and stay secure. Continuously find and fix vulnerabilities for npm, Maven, NuGet, RubyGems, PyPI and more.

Setting up the Docker image scan GitHub Action

Nowadays, the final product of most Git repositories is a Docker image, that is then used in a Kubernetes deployment. With security being a hot topic now (and for good reasons), it would be scanning the Docker images you create in the CI is vital. In this piece, I’ll use GitHub Actions to build Docker images and then scan them for security vulnerabilities. The Docker image built in the CI is also pushed to GitHub’s Docker registry.

Snyk top 10 code vulnerabilities report

Earlier this year, we released a report on the top 10 open source vulnerabilities from data based on user scans — giving you an inside look into the most common (and critical) vulnerabilities Snyk users found in their third-party code and dependencies. Building on this trend, we decided to look into the most common vulnerabilities in first-party code. While OWASP served as a guiding light for open source security intel, gathering data on proprietary code was a bit more complex.

Snyk Hierarchy Best Practices - More than Groups and Orgs

What can startups and large enterprises have in common? Different organizational structures that cause friction when bringing in and rolling out a new tool. If you are familiar with Snyk, you’ll know that Groups can hold many organizations, and Organizations contain Projects. But that does not stop there… Each node in the organizational layer has different reporting, access control as well as security and license policy settings.

Snyk and ServiceNow collaborate on new SBOM solution

ServiceNow’s biggest event of the year — Knowledge 2023 — is here, and Snyk is excited to be a part of it with some big news! Back in January, we announced Snyk Security for Application Vulnerability Response to bring Snyk Open Source software composition analysis to ServiceNow Security Operations.

DevSecOps lifecycle coverage with new Snyk and Dynatrace app

Balancing the volume of applications and the increased deployment frequency with the need for security is a struggle for both development and security teams. Recent research indicates that vulnerability management in modern software development has become more complex, with 69% of CISOs acknowledging this challenge. Consequently, many applications are not adequately covered by security scans.

How to prevent XPath injection attacks

Web applications are vulnerable to several kinds of attacks, but they’re particularly susceptible to code injection attacks. One such attack, the XPath Injection, takes advantage of websites that require user-supplied information to access data stored in XML format. All sites that use a database in XML format might be vulnerable to this attack. XPath is a query syntax that websites can use to search their XML data stores.

Snyk named to CNBC 2023 Disruptor 50 List

We are honored and humbled to announce Snyk has been named to the CNBC 2023 Disruptor 50 List, following our debut on the Disruptor List in 2021 and our listing as a Top Startup for the Enterprise in 2022. The full list was unveiled this morning. Industry recognitions like this are a testament to all of the hard work and dedication our global team puts into fulfilling our founding mission each and every day: equipping and empowering every one of the world’s developers to build securely.

AI-generated security fixes in Snyk Code now available

Finding and fixing security issues in your code has its challenges. Chief among them is the important step of actually changing your code to fix the problem. Getting there is a process: sorting through security tickets, deciphering what those security findings mean and where they come from in the source code, and then determining how to fix the problem so you can get back to development. Not to worry — AI will take care of everything, right?

Fixing half a million security vulnerabilities

Hackathons are well known among software development teams for driving innovation and collaboration. So, what if we applied that model to cybersecurity to improve an organization’s application security posture? That would be a dream come true for any CISO and security practitioner — and is exactly what we set out to do at Snyk in February 2023. Check out some of the funniest moments from our panels.

Snyk in a galaxy far away

In honor of May the 4th, we’re featuring a narrative from an Imperial trooper in a faraway galaxy as he reflects on his organization’s worst day and how it could’ve gone differently. Don’t get me wrong. I’m still proud to work for one of the most formidable organizations in the galaxy. But as most of you probably know, we’ve recently hit quite a setback. Our higher-ups decided to build a space station.

Security implications of HTTP response headers

When a web server receives an HTTP request, it is processed and sent back with a response containing the requested resource and any additional information in the form of HTTP response headers. These headers provide important data, such as last-modified dates, content types, and cache-control settings. The browser then uses this information to determine how to display or store that particular resource. This process helps ensure efficient communication between web servers and browsers.

Can AI write secure code?

AI is advancing at a stunning rate, with new tools and use cases are being discovered and announced every week, from writing poems all the way through to securing networks. Researchers aren’t completely sure what new AI models such as GPT-4 are capable of, which has led some big names such as Elon Musk and Steve Wozniak, alongside AI researchers, to call for a halt on training more powerful models for 6 months so focus can shift to developing safety protocols and regulations.