Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Latest News

0-Days are on the Rise and that Means a Lot More Work for SOC Teams

In a recent report by the incident response giant Mandiant, which was purchased by Google in March, their researchers found that 2021 was a record year for the total number of 0-day vulnerabilities disclosed and exploited. According to their findings, their team identified some 80 0-days exploited in the wild. At the same time, Google Project Zero researchers reported the detection and disclosure of 58 0-days.

Safely handling containers

Snyk Ambassadors are passionate about sharing their security expertise. Become one today by signing up! In the shipping industry, the container format follows ISO 668, a standard format that regulates the safe stacking of containers. Imagine your applications with multiple containers, running different applications, serving different purposes for people all over the world.

OT:ICEFALL: 56 Vulnerabilities Caused by Insecure-by-Design Practices in OT

It has been 10 years since Project Basecamp, a research project conducted by Digital Bond that investigated how critical operational technology (OT) devices and protocols were, to use the term they coined, “insecure by design.” Since then, we have seen hugely impactful real-world OT malware such as Industroyer, TRITON, Industroyer2 and INCONTROLLER abusing insecure-by-design functionality.

CVE-2021-43702 from Discovery to Patch: ASUS Modem/Router Device Takeover Vulnerability

While studying for my master's degree in cyber security, I co-authored a paper regarding the rollout of IoT devices and the security considerations that businesses need to address to ensure these devices are secure. The paper underscored how a large majority of IoT devices used vulnerable components and did not follow basic secure programming principles.

Announcing the 2022 State of Open Source Security report from Snyk and the Linux Foundation

Open source software is a key component in modern applications. It has created a new era in software development, promoting a free exchange of ideas within the developer community and enabling developers to build more functional software, faster than ever. Based on most estimates, 70-90% of any piece of modern software includes open source code.

Featured Post

How to decide what to fix when you can't fix everything

Contributing to a legacy software development project, as a security-aware developer, is a bit like inheriting an old house. In my old house, the roof is missing tiles, the bathroom taps are dripping, the front door doesn't lock properly, the hallway needs redecorating and there are worrying cracks in the foundations. I don't know where to start. The security problems with the application I've recently (hypothetically) joined are similarly vexing and diverse. It has deprecated dependencies to older versions of software libraries. It could be misconfigured using insecure protocols.

The Importance of White-Box Testing: A Dive into CVE-2022-21662

I want to take some time to explain the importance of using a white-box approach when testing applications for vulnerabilities. To help in this endeavor, I will use a real-world example to demonstrate how researchers (in this case Karim El Ouerghemmi and Simon Scannell) *may* have found a vulnerability in WordPress (CVE-2022-21662 a 2nd order stored XSS) and how you, as a security researcher, can also use a white-box approach to find an exotic XSS vulnerability.

The Most Commonly Mixed-Up Security Terms: Learn the Differences Between Asset, Threat, Vulnerability, and Risk

The cybersecurity landscape is complex enough without the lack of a common vocabulary. But, often, organizations use common security terms incorrectly or interchangeably. This leads to confusion, which leads to frustration, which can lead to something much, much worse. Something like a breach. Let’s take a moment, then, to review the four most commonly mixed-up and misused security terms in the cybersecurity world.

CVE-2022-30190 - Updated Guidance for MSDT Remote Code Execution Zero-Day Vulnerability in Windows

On Friday, May 27, Security vendor nao_sec identified a malicious document leveraging a zero-day RCE vulnerability (CVE-2022-30190) in Microsoft Windows Support Diagnostic Tool (MSDT). The actively exploited vulnerability exists when MSDT is called using the URL protocol from a calling application, such as Microsoft Word.