With the proliferation of CVEs (Common Vulnerabilities and Exposures), we have witnessed a remarkable surge in associated risks over the past five years. 2022 was a record-breaking year with 25,096 new CVEs found, the most discovered CVEs ever. Unfortunately, 2023 is on track to beat that record.

Here is a list of all new modules recently added from our community of ethical hackers. You can find a complete list of new vulnerabilities added to Surface Monitoring and Application Scanning by viewing the “What’s New?” section in-tool.

Snyk provides a comprehensive approach to developer security by securing critical components of the software supply chain, application security posture management (ASPM), AI-generated code, and more. We recognize the increasing risk of exposed secrets in the cloud, so we’ve tapped Nightfall AI to provide a critical feature for developer security: advanced secrets scanning.

In the world of software development, managing dependencies is a core part of creating strong and secure applications. Spring Boot, a favorite among Java developers, makes building applications easier, but there's more to it than meets the eye. Keeping your dependencies in check is crucial to ensure that your Spring Boot projects run smoothly and remain resilient in the face of ever-evolving threats.

Your developer teams plan to adopt a generative AI coding tool, but you — a security leader — have compliance and security concerns. Most important of which being, what if you can’t keep pace with your developers and something significant slips through the net? Luckily, you can stay secure while developing at the speed of AI with Snyk, the security companion for Amazon CodeWhisperer.

In the ever-evolving landscape of cybersecurity, staying ahead of potential threats is a perpetual challenge for businesses. One recent vulnerability that has sent shockwaves through the corporate world is the MOVEit vulnerability. This flaw, discovered in widely used file transfer software, has had a profound impact on companies across various industries.

AWS offers the infrastructure, innovation, services, and reliability to run your mission-critical applications, which is why millions of customers partner with AWS to build, run, and scale applications in the cloud. But how can customers proactively ensure the security of these critical applications?

Application security posture management (ASPM) enables AppSec teams to continuously monitor, manage, and improve the security health of software applications throughout their lifecycle. It provides a framework for ensuring that applications are built securely from the start, maintained with security in mind, and continuously monitored for vulnerabilities that introduce significant risk to the business. With ASPM, we get aggregated data in a unified dashboard.

Cloud environments comprise hundreds of thousands of individual components, from infrastructure-level containers and hosts to access-level user and cloud accounts. With this level of complexity, continuous and end-to-end visibility into your environment is vital for detecting, prioritizing, and fixing vulnerabilities before attackers can take advantage of them.

Snyk's security researchers have conducted some research to better understand the risks of WebExtensions, both well-known (i.e. XSS, code injection) and those more specific to WebExtensions themselves. From our research we identified and disclosed some vulnerabilities within some popular browser extensions: React Developer Tools and Vue.js devtools. In this post, we will explore the WebExtension technology and look into the vulnerabilities identified.

The importance of email security cannot be understated. Proof of this can be seen in some recent research conducted by the Trustwave SpiderLabs team around our email security product MailMarshal. The team recently ran an experiment on known Zero Day CVE-2023-38831 found in RARLabs WinRAR that is currently being exploited in the wild in WinRAR versions 6.23 and earlier. WinRAR is a compression, archiving, and archive managing software tool.

With an ever-growing number of vulnerabilities being discovered annually, vulnerability management tools are rapidly evolving to handle and prioritize these risks. However, it remains one of the most overwhelming and time-consuming areas in cybersecurity. There’s still significant room for enhancement, especially in reducing false alerts and prioritizing genuine threats.

In our modern world, we constantly share private, confidential, and sensitive information over digital channels. A fundamental component of this communication is file encryption — transforming data into an unreadable format using encryption algorithms.

On November 21st, the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Multi-State Information Sharing & Analysis Center (MS-ISAC), and Australian Signals Directorate’s Australian Cyber Security Center (ASD’s ACSC) released an advisory highlighting the ongoing exploit of the Citrix Bleed Vulnerability (CVE-2023-4966) by Lockbit 3.0 affiliates.

On November 16, 2023, a significant security concern was published by Google's Threat Analysis Group (TAG). They revealed an alarming vulnerability in Zimbra Collaboration, a widely-used email hosting tool for organizations. This vulnerability, designated with an identifier, CVE-2023-37580, is a glaring example of a reflected cross-site scripting (XSS) issue. It allows malicious scripts to be injected into unsuspecting users' browsers through a deceptively simple method: clicking on a harmful link.

The Malware-as-a-Service (MaaS) model, and its readily available scheme, remains to be the preferred method for emerging threat actors to carry out complex and lucrative cyberattacks. Information theft is a significant focus within the realm of MaaS, with a specialization in the acquisition and exfiltration of sensitive information from compromised devices, including login credentials, credit card details, and other valuable information.

Snyk is excited to announce general availability of Snyk Apps, a framework for building and distributing custom security solutions to better inform security decisions and boost developer productivity. As Snyk Apps reaches this milestone, Snyk’s Technology Alliance Partnership Program (TAPP) has more than 70 members today.

Breaches were rampant this week, impacting as many as 15 million individuals. The State of Maine announced that it bled 1.3 million resident records due to the global MOVEit vulnerability. Meanwhile, in Ohio, the City of Huber Heights was targeted by a ransomware attack; potentially, 50,000 residents may have their data exposed. In Michigan, the McLaren Health Care network was allegedly attacked by the ransomware gang BlackCat—losing 2.2 million records to exposure.

Top tips is a weekly column where we highlight what’s trending in the tech world and list ways to explore these trends. This week we’re identifying the risks and vulnerabilities associated with mobile apps and discuss strategies to mitigate them. In our digitally connected world, mobile apps have become an integral part of our daily lives. We depend on them for communication, productivity, entertainment, and much more.

This blog post series offers a gentle introduction to Rego, the policy language from the creators of the Open Policy Agent (OPA) engine. If you’re a beginner and want to get started with writing Rego policy as code, you’re in the right place. In this three-part series, we’ll go over the following: As a reminder, Rego is a declarative query language from the makers of the Open Policy Agent (OPA) framework.

We are thrilled to announce that Snyk, a leading provider of cloud native application security solutions, has achieved the prestigious AWS Security Competency status. The AWS Security Competency validates Snyk's deep security expertise and commitment to delivering a comprehensive application security solution for modern organizations building and running their applications on the Amazon Web Services (AWS).

You have kicked-off your annual application security assessment, but by the time the final report comes in, so have a bunch of new features from your developers. Since your pen test report can’t keep-up with your modern development cycles, it is now (and always) obsolete. You can check-off your compliance checkbox, but you’re not anymore secure than you were before. If this sounds familiar, it is clearly time for an update.

The modern application landscape is rapidly evolving, creating new tools, technologies, and processes that allow organizations to deploy production code faster. But risks to application security have also changed significantly, requiring the security discipline to evolve in order to adapt to new types of attacks.

Most cloud providers use a shared security responsibility model, meaning they secure some areas of the environment but expect the customer to establish security controls in others. AWS is one of the many cloud providers that follow the concept of shared responsibility. Generally speaking, they split responsibility into two categories. AWS focuses on the security of the cloud, such as the infrastructure that runs all AWS services.

In early November, the cybersecurity community witnessed the exploitation of a zero-day vulnerability in Confluence Data Center and Server. This critical vulnerability was related to Improper Authorization and assigned CVE-2023-22518 identifier. In this blog, we delve into the details of these vulnerabilities, their implications, and the necessary mitigation steps to protect your digital assets.

Modern applications are made up of more than first-party code and third-party dependencies. Even a single application links back to a vast ecosystem of cloud environments, containers, third-party base images, and automated container orchestration. Along with the ability to build applications faster, developers also need to secure code and associated dependencies, deployment configuration, and containers running in production.

This blog post series offers a gentle introduction to Rego, the policy language from the creators of the Open Policy Agent (OPA) engine. If you’re a beginner and want to get started with writing Rego policy as code, you’re in the right place. In this three-part series, we’ll go over the following: As a reminder, Rego is a declarative query language from the makers of the Open Policy Agent (OPA) framework.

Philadelphia, PA, November 9, 2023 – Leading cyber risk management and threat intelligence provider Outpost24 today announced the release of Threat Explorer, an advanced vulnerability intelligence and custom alerting tool for continuous threat monitoring.

In this blog post, we will highlight Snyk’s view on the new vulnerability scoring framework, CVSS 4.0, which was released on November 1, 2023.

At CrowdStrike, we’re on a mission to stop breaches. As adversaries weaponize vulnerabilities with increasing speed, organizations must accelerate their ability to identify security gaps and proactively manage their risk exposure before an adversary breaks in.

On October 16, 2023, Kroll Cyber Threat Intelligence (CTI) analysts were made aware of an ongoing exploitation of a recently discovered vulnerability within the web user interface (UI) functionality of Cisco IOS XE (CVE-2023-20198). This security flaw is critical with a CVSS score of 10.

Whether internally developed or purchased, your applications can be exposed to a host of vulnerabilities, especially via open source components that are widely used in today’s software. A recent survey found that 60% of data breach victims were compromised due to a known but unpatched vulnerability. Effective prevention and risk management requires being able to understand the vulnerability risk profile for each component of your Software Supply Chain.

In today's dynamic tech ecosystem, the need to manage AppSec programs at scale is paramount. As codebases expand and threats become more sophisticated, the emphasis is transitioning from addressing singular vulnerabilities to building cohesive security postures throughout all development teams.

Broken access control, the vulnerability category consistently ranking on the OWASP Top 10 Web Application Security Risks list, poses the most significant challenge for application security right now. Over-reliance on automated solutions to tackle these challenges creates a false sense of security and could have severe implications for application owners.

Containers offer a streamlined application deployment and management approach. Thanks to their efficiency and portability, platforms like Docker and Kubernetes have become household names in the tech industry. However, a misconception lurks in the shadows as containers gain popularity - the belief that active vulnerability scanning becomes redundant once containers are implemented.

This blog post series offers a gentle introduction to Rego, the policy language from the creators of the Open Policy Agent (OPA) engine. If you’re a beginner and want to get started with writing Rego policy as code, you’re in the right place. In this three-part series, we’ll go over the following.

On October 30, U.S. President Joseph Biden issued a sweeping Executive Order (“EO”) focused on making AI safer and more accountable.

All secured webservers are alike; each vulnerable webserver running on a network appliance is vulnerable in its own way. On October 16th 2023 Cisco published a security advisory detailing an actively exploited vulnerability (CVE-2023-20198) in its IOS XE operating system with a 10 CVSS score, allowing for unauthenticated privilege escalation and subsequent full administrative access (level 15 in Cisco terminology) to the vulnerable device.