CVSS or Common Vulnerability Scoring System is a framework that numerically characterizes the severity of software vulnerabilities between the range of 0-10. CVSS scores help infosec organizations with vulnerability management and prioritization of vulnerabilities for efficient remediation.

A vulnerability report is a document provided by security testers after the assessment of a target’s security. It contains a detailed analysis of the vulnerabilities uncovered along with the test cases run during the assessment. The report also provides possible remedial steps.

Vulnerability scanning and penetration testing should be an essential part of your cybersecurity strategy. This blog discusses the above methods in the context of securing your web applications, including the benefits, drawbacks, and compliance implications. Table of contents: What is a vulnerability scan? What is a penetration test? What are the drawbacks of the traditional pen test model? Should I only to pen tests, vulnerability scans, or both?

This supply chain series centers on the lessons learned from OpenSSL and what you need to consider when enhancing your supply chain security. While this series will focus on OpenSSL and relevant libraries, we'll also consider vulnerabilities across the board. In the first installment, we covered everything you need to know about where to look for vulnerable libraries.

Researchers from Bitsight and Curesec have jointly discovered a high-severity vulnerability — tracked as CVE-2023-29552 — in the Service Location Protocol (SLP), a legacy Internet protocol. Attackers exploiting this vulnerability could leverage vulnerable instances to launch massive Denial-of-Service (DoS) amplification attacks with a factor as high as 2200 times, potentially making it one of the largest amplification attacks ever reported.

Today, security and development teams are drowning in vulnerabilities. Most security tools identify issues, but don’t provide reliable prioritization or simplify remediation. To help solve these challenges, Sysdig runtime vulnerability management – part of Sysdig’s Cloud Native Application Protection Platform (CNAPP) – provides a runtime image scanner coupled with an eBPF probe to analyze container behavior and identify the vulnerable packages that are in use at runtime.

Java is a powerful backend programming language that can also be used to write HTML pages for web applications. However, developers must know the potential security risks associated with Cross-Site Scripting (XSS) attacks when creating these pages. With the rise of modern templating frameworks, preventing security attacks through proper input validation and encoding techniques has become easier.

Earlier today, April 25, 2023, researchers Pedro Umbelino at Bitsight and Marco Lux at Curesec published their discovery of CVE-2023-29552, a new DDoS reflection/amplification attack vector leveraging the SLP protocol. If you are a Cloudflare customer, your services are already protected from this new attack vector.

By default, the WordPress administrative login page displays a helpful error message whenever an account user types in the wrong username/email address or password. Unfortunately, these same helpful error messages can also be abused to assist a threat actor to validate account usernames/email addresses and/or passwords. An incorrect username/password guess combination generates the following error message: “The username ‘name-entered’ is not registered on this site”.

After COVID, enterprise IT security got turned on its head. As the world adjusted to working from home, and continues to, IT teams worked overtime to enable remote access for millions of employees. This transition has gone smoothly for most organizations, but many security gaps still remain years later. The SolarWinds data breach is a worrying example. It shows how vulnerable organizations are to malicious activity in our changing risk environment.

Since the inception of the internet and the World Wide Web (WWW), HTML has been a fundamental part of digital communication, enabling document exchange services between various devices on the network. Developed by Tim Berners-Lee, the father of the WWW, in 1993, the markup language is still used to display documents on web browsers today.

Implementing adequate software supply chain security is a challenging feat in 2023. Attackers are becoming more sophisticated, and the growing complexity of modern applications makes them difficult to defend. We’re talking microservices, multi-cloud environments, and complex workflows — all moving at the speed of business. To address these challenges, the Snyk team organized two roundtable discussions, one held in North America and the other in EMEA.

When a major security event like SolarWinds or Log4j happens, how do you assess the impact across your third-party supply chain? Most organizations struggle to effectively react to zero day attacks and other critical vulnerabilities at scale, often following manual and cumbersome workflows. But our latest capability is here to change that.

It's early in the morning on an unseasonably warm Tuesday in October. You're checking your email as you enjoy your first cup of coffee or tea for the day, and you almost do a spit-take when you read that OpenSSL has a forthcoming release to fix a CRITICAL vulnerability. Immediately, visions of Heartbleed pop into your head.

Towards the end of 2020, a new vulnerability in MongoDB was found and published. The vulnerability affected almost all versions of MongoDB, up to v4.5.0, but was discussed and patched appropriately. The vulnerability, CVE-2020-7928, abuses a well-known component of MongoDB, known as the Handler, to carry out buffer overflow attacks by way of null-byte injections.

Electrical grid security has been getting a lot of attention recently. It started fairly quietly, and then when it was a featured story on a news program, it rose to the top of the collective consciousness. However, the news stories that followed were focused entirely on the physical vulnerabilities of the US power grids. Few, if any stories covered the cybersecurity angle of securing the grids.

Serialization is the process of converting a JavaScript object into a stream of sequential bytes to send over a network or save to a database. Serialization changes the original data format while preserving its state and properties, so we can recreate it as needed. With serialization, we can write complex data to files, databases, and inter-process memory — and send that complex data between components and over networks.

Open source libraries have become an indispensable part of modern applications. Approximately 90 percent of organizations use open source software to support their services, but monitoring these dependencies can be difficult when environments run thousands of ephemeral services.

Commonly referred to as Zerologon, CVE-2020-1472 is the Common Vulnerabilities and Exposures (CVE) identifier assigned to a vulnerability in Microsoft’s Netlogon Remote Protocol (MS-NRPC). MS-NRPC is essential for authentication of both user and machine accounts in Active Directory.

Vulnerability management refers to continuously identifying, reporting, and remediating security risks within the cyber assets from networks to cloud platforms. It becomes vital that good cyber security measures with an extensive vulnerability management system be placed to ensure data and application safety.

The HIPAA Security Rule requires healthcare organizations to perform regular security risk assessments to protect e-PHI. Penetration testing can help organizations with this requirement.

Security testing is increasingly viewed as an essential part of the software development lifecycle (SDLC). Traditionally, agile software development has focused on development velocity, rapid market feedback, and delivering high quality products and services. However, software that's vulnerable to cyber attacks is not valuable to end users and creates huge risks for both customers and software vendors. This makes it critical to integrate security testing into the software development process.

Leading cybersecurity experts Major General John F. Wharton, (US Army ret); Oleg Strizhak, Shell’s Digital Supply Chain Risk Manager; and Sam Curry, the CISO of Zscaler, recently sat down with SecurityScorecard’s President of International Operations Matthew McKenna to discuss how organizations can prepare themselves and their supply chains for zero-day attacks as well as best practices for supply chain risk management.

A little bit of background for those not familiar with chfn… “chfn (change finger) is used to change your finger information. This information is stored in the /etc/passwd file and is displayed by the finger program.

Platform engineers need to be empowered in an organization’s security program. Their work has huge leverage over a product's security posture, arguably as great an impact (some would even say greater) than application vulnerabilities. Despite the significance of the impact of their work, their role in security programs remain ill-defined.

As technology continues to advance, the potential for hacking and cyber-attacks on various devices and systems has become a major threat. This has extended to the automotive industry, with increasing numbers of car hacks being reported. With the rise in the production of electric vehicles (EVs), these attacks have escalated in frequency and severity.

What does secure by design vulnerability mean? Is this an oxymoron?

The Docker developer ecosystem is continuously growing, and container security is becoming even more important as the Docker developer ecosystem evolves. The developer-friendly Snyk security integration with Docker is invaluable in today’s landscape. Snyk has made significant updates to the Docker Desktop Extension and continues to evolve the extension to ensure the applications and images pushed to the container registry don't have critical vulnerabilities.

Digital transformation initiatives have pushed software development to the next level. Today's consumers demand an optimum customer experience and expect modern apps to live up to high expectations. So, the average developer in 2023 must keep up with faster delivery, more eye-catching features, and better functionality. This unprecedented growth in the software development industry has led to a massive disparity between development and security teams.

Last week, on March 31st, NetSPI researchers announced that they found a cross-tenant Azure vulnerability in the Microsoft Power Platform connectors infrastructure, which allowed them to then access “at least 1,300 secrets/certificates in 180+ vaults”. In this article, we set out to analyze the root cause behind this vulnerability, explain its impact, and provide our own recommendations for Power Platform users and administrators.

The transition to hybrid IT architectures and remote work strategies has greatly expanded the IT estates of most organizations in recent years. Couple this expansion with the growing number of computing and IoT devices that connect to company networks today and you understand why cybersecurity is a growing challenge: As your IT footprint grows, so does your attack surface.

How hard can it be to support custom container image tags? Turns out… quite! I know this because my team has been busy at work on our new custom base image support for Snyk Container, andwe were tasked with the following problem: Given a tag, parse its parts to be able to compare it to other similar tags. It was a fun problem to solve, and we'd love to share how we got to our final solution!

In light of recent password manager breaches, our experts have provided tips on how to protect your organization from compromised credentials. In recent weeks, cybersecurity has once again been thrust into the spotlight with the news that both LastPass and Norton LifeLock, two popular password management services, have been targeted in cyberattacks, resulting in the compromise of customer password manager accounts.

In this blog post, the KrakenLabs team will take a deep dive into a malware sample classified as LummaC2, an information stealer written in C language that has been sold in underground forums since December 2022. We assess LummaC2’s primary workflow, its different obfuscation techniques (like Windows API hashing and encoded strings) and how to overcome them to effectively analyze the malware with ease.

There are never enough hours in the day to do everything. I think we all have a to-do list that is at least twice as long as the time available to complete it. To cope, we prioritize what’s “on fire” or what has the most potential to immediately cause damage if it’s not taken care of. Often the things we “should” focus on fall to the wayside as they are outshined by what we must do immediately.

In July 2022, we announced Snyk Cloud, extending the Snyk developer security platform to secure application and infrastructure configurations in running cloud environments. Today, we’re thrilled to introduce a new feature of Snyk Cloud that enables you to "fix cloud issues in IaC" (infrastructure as code), making Snyk Cloud the first solution to secure the cloud through code with remediation paths in IaC.

As a leader in applying AI to developer security, Snyk’s approach is unique. Today, we want to provide a glimpse at how Snyk currently uses AI and data science, as well as a sneak peek at what’s to come. Before diving in, we want to highlight two aspects of Snyk’s use of AI to set the stage.

If your application development environment is like most, you’re using more code and you’ve accelerated the development of applications and software. That’s great for productivity, but it presents a big challenge for security, as your developers come under increasing pressure to ship code quickly — while also ensuring that their code is secure. They need to find a sweet spot between speed and security, and scanning at the repository level is the way to go. Here’s why.

In today’s ever changing cyber risk landscape, your organization must adopt a vulnerability management framework to control exposure and remediate risks in a timely manner. In an earlier blog, we explained the vulnerability management process. Here, we explore a key part of that process – vulnerability monitoring – in greater depth.

This month, we hosted our most recent SnykLaunch to announce the latest and greatest in Snyk solutions. As with all of our releases, we continue to focus on adapting security to what we see in modern-day development practices. Compared to only a few years ago, more independent development teams are working faster, along with a far more complex software supply chain, including cloud as part of the code. Because development practices look so different today, security teams often struggle to keep up.

Snyk is known for its developer-first application security solutions for many ecosystems like Java, JavaScript, Python, and more. Snyk enables developers to not only find issues but quickly apply fixes, revolutionizing security and supporting its integration at the earliest stages of the SDLC. In 2022, we released the first round of support for C/C++ open source packages, and today we’re excited to announce the Open Beta of C/C++ for Snyk Code and licenses for Snyk Open Source.

We are thrilled to announce that Snyk has achieved Red Hat Vulnerability Scanner Certification, making it one of the few security platforms to receive this certification from Red Hat. This achievement demonstrates Snyk’s ongoing commitment to providing our customers with the highest level of security assurance for their applications.

Snyk recently hosted a half-day virtual event focused on security for application workloads running on AWS (you can catch it on demand here). The event was broken into six sessions spanning topics like developer challenges in cloud-native AppDev, top vulnerabilities from last year, hands-on workshops with industry-leading technology vendors, and several other subjects that help enable engineering and security teams to build a successful DevSecOps workflow.

Recent research from penetration testing company NetSPI found that Azure on-premises data gateways allow Power Platform and Power BI to access customer resources and databases. Threat researchers found that these gateways can communicate with Power Platform through an Azure service called Azure Relay (previously known as Azure Service Bus).

Supply chain attacks are one of the top concerns for any organization as they exploit (no pun intended) the inherited trust between organizations. Recent examples of similar attacks include SolarWinds and Kaseya. On March 29th, a new supply chain attack was identified targeting 3CX, a VoIP IPXS developer, with North Korean nation-state actors as the likely perpetrators.

At Snyk, we think of developers as citizens of a special community. In that community, your collection of apps is your neighborhood — and your code is your home base; your house. How do you secure a house? With a lock! And how do you make sure no one else can unlock that lock? You keep the key! That’s security ideation at its finest: keys. Just ask Vinz Clortho, Keymaster of Gozer.