Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Latest News

Using the Snyk Vulnerability database to identify projects for The Big Fix

As developers we all have our morning startup routine: make coffee, check slack/discord/email, read the latest news. One thing I do as part of my daily startup routine is check the Snyk vulnerability database for the latest open source vulnerabilities. It’s been especially interesting to see the types of exploits and vulnerabilities that appear in different ecosystems. For example, since May 2021 I’ve been watching the emergence of vulnerabilities in Tensorflow libraries.

A quarter of critical vulnerabilities exposed during penetration tests are not being remediated by businesses

Today, new research from cyber security specialist Bulletproof found the extent to which businesses are leaving themselves open to cyber attack. The research found that when tested, 28% of businesses had critical vulnerabilities - vulnerabilities that could be immediately exploited by cyber attacks. A quarter of businesses neglected to fix those critical vulnerabilities, even though penetration testing had highlighted them to the business after a retest was completed.

Case study: Python RCE vulnerability in Celery

I conducted research based upon existing Python vulnerabilities and identified a common software pattern between them. By utilizing the power of our in-house static analysis engine, which also drives Snyk Code, our static application security testing (SAST) product, I was able to create custom rules and search across a large dataset of open source code, to identify other projects using the same pattern. This led to the discovery of a stored command injection vulnerability in Celery.

Sysdig and Snyk use runtime intelligence to eliminate vulnerability noise

One of the greatest challenges in cloud environments today is to ensure rapid development cycles while keeping up with security vulnerabilities. Sysdig and Snyk announced today a partnership to deliver integrated code to container runtime security that eliminates up to 95% of vulnerability alert noise, optimizes remediation, and protects runtime. Developers can be fast with security barriers removed, and yet without sacrificing security.

CVE-2021-44521 - Exploiting Apache Cassandra User-Defined Functions for Remote Code Execution

JFrog’s Security Research team recently disclosed an RCE (remote code execution) issue in Apache Cassandra, which has been assigned to CVE-2021-44521 (CVSS 8.4). This Apache security vulnerability is easy to exploit and has the potential to wreak havoc on systems, but luckily only manifests in non-default configurations of Cassandra.

ICMAD SAP Vulnerability (CVE-2022-22536) - Critical Risk

SAP stands for System Applications and Products in data processing, the market leader in ERP software, helping some of the biggest names in the business. The application tier is often the heart of the entire SAP ERP system, looking after interfacing with other apps, transactions, jobs, reporting and database access.

Highlights from the Ultimate Guide to Client-Side Security

In today’s world, businesses, economies, and lives are connected by a complex spider web of code and software applications. This code and these applications drive e-commerce, financial transactions, and data input. They impact our ability to quickly transfer money from one account to another, to fill out an online mortgage application, and to order supplies from a vendor. The code that drives these systems is complicated. If something can go wrong, it will.

CISA Shields Up: How to prepare for the Russia-Ukraine cybersecurity hazard

CISA issues ‘Shields Up’ alert to warn US companies about potential Russian hacking attempts to disrupt essential services and critical infrastructure as the Russia-Ukraine crisis escalates. Get ahead of the situation with essential information.

OT Vulnerability Management: A Risk-Based Approach

The number of missing security patches in an OT system is typically very large—measured in the thousands, at least. It would be difficult and expensive for an asset owner to evaluate each missing security patch / cyber asset pair. This may be one reason we see a patch everything approach, but this is also difficult and expensive. In fact, assessments show this is rarely done even where required by policy.

Recent Examples of Zero Day Attacks & How to Avoid Them

Zero day attacks consist of almost 80% of all malware attacks. Take a look at some recent attacks and learn how to prevent them. You work hard to secure your business network. Yet determined hackers probe persistently until they find a software vulnerability you don’t know about. They use this previously unknown and unpatched flaw.