We are very excited to announce that Snyk has achieved AWS Security Competency status, further validating our commitment to security excellence in partnering with AWS!
We’re pleased to announce new functionality within the Snyk Vulnerability Scanner extension for Visual Studio Code, making it easier for developers to find and fix vulnerabilities and license issues in their open source dependencies! To help developers take more responsibility for the security of their applications, security tools must be able to integrate seamlessly into existing workflows and the tools developers are using on a day-to-day basis.
In an increasingly cloud native world, infrastructure as code (IaC) is often the first point of entry into an application. And with technologies such as Kubernetes and Terraform becoming increasingly popular, most app developers will update at least one Kubernetes or Terraform resource at one point in their career.
We’re pleased to announce improved support for.NET applications in Snyk Open Source, allowing developers to fix vulnerabilities in.NET dependencies with the help of actionable advice and automated pull requests! As of the time of writing, NuGet, the Microsoft-supported and de-facto standard package manager for.NET, has 276,266 unique packages, downloaded on average more than a billion times a week!
Earlier this month, a group of researchers at the University of Cambridge published an academic paper, with an accompanying website, on a new type of potential vulnerability that could appear in source code. They called it Trojan Source.
As a developer, I spend a lot of time in my GitHub account. I write apps, little utilities, and proof of concepts for when I am learning something new. I like to think that, because I spend a lot of time on GitHub, the overall health of my account is pretty high.
Many high-growth technology startups are pressured to deliver applications to market ahead of fast-moving competitors. It’s all too easy to allow a “we’ll get to that eventually” mentality to creep in when competing priorities appear to force a tradeoff with development velocity. This introduces unnecessary risks, but they can be mitigated by implementing an effective AppSec program that involves the right tools, processes, and mindset.
From reading many Python Docker container blogs, we’ve found that the majority of posts provide examples of how to containerize a Python application independent of its framework (Django, Flask, Falcon, etc.). For example, you might see something like this: With this Dockerfile, we can build and run a Python Flask application: Two simple steps and it works just fine, right?
There’s never a dull moment at Snyk and for our Channel team that it’s been especially rewarding. We’re very excited to say that this week Snyk Infrastructure as Code (Snyk IaC) was named the winner of the cloud security category for the 2021 CRN Tech Innovator award. The full list of winners, unveiled earlier this week, showcases innovative vendors in the IT channel across 47 different technology categories, in key areas ranging from cloud to storage to networking to security.
Managing application resources at scale can be tricky business. As such, many DevOps and AppSec teams turn to using a declarative framework rather than writing individual scripts to deploy, manage, and maintain access controls for their resources. For Azure environments, Azure Resource Manager (ARM) is this management layer that allows teams to manage their infrastructure as code (IaC) through declarative ARM templates.
If every vulnerability seems to be equally critical, engineers would get overwhelmed and probably waste time on the wrong issues. This is why it’s important for developer security tools to provide clear and simple prioritization functionality. As you’ve likely noticed, Snyk Code provides a Priority Score on the top right corner of the overview panel. When hovering over it, an explanation is shown how the priority score was calculated.
On November 1st, 2021, a public disclosure of a paper titled Trojan Source: Invisible Vulnerabilities described how malicious actors may employ unicode-based bidirectional control characters to slip malicious source code into an otherwise benign codebase. This attack relies on reviewers confusing the obfuscated malicious source code with comments.
When David McCheyne, DevOps Engineer at Datto, outlined a plan to ease the company into developer-first security using Snyk, he thought it would take his teams a year to prove the concept. A seasoned DevOps pro, David understood very well the enormity of this change and was prepared to slowly introduce Datto security champions to the Snyk platform and not force the process.
Elasticsearch is a popular open source search engine. Because of its real-time speeds and robust API, it’s a popular choice among developers that need to add full-text search capabilities in their projects. Aside from being generally popular, it’s also the engine we’re currently moving our Snyk reports functionality for issues! And once we have everything tuned in issues, we’ll start using Elasticsearch in other reporting areas.
Dependency confusion attacks are a form of open source supply chain security attacks in which an attacker exploits how package managers install dependencies. In a prior post, we explored how to detect and prevent dependency confusion attacks on npm to maintain supply chain security. In this article, we will present an extension of the dependency confusion problem utilizing npm’s package aliasing capabilities.
In a previous blog post, we showed how type manipulation (or type confusion) can be used to escape template sandboxes, leading to cross-site scripting (XSS) or code injection vulnerabilities. One of the main goals for this research was to explore (in the JavaScript ecosystem) how and if it is possible to bypass some security fixes or input validations with a type confusion attack (i.e by providing an unexpected input type).
Most container images are built using Dockerfiles which contain combinations of instructions like FROM, RUN, COPY, ENTRYPOINT, etc. to build the layers of an OCI-compliant image. One instruction that is used surprisingly rarely, though, is LABEL. In this post, we’ll dig into labels (“annotations” in the OCI Image Specification) what they are, some standardized uses as well as some practices you can use to enhance your container security posture.
We recently spoke with Amy Berman, Security Strategic Operations Lead at MongoDB about the role of security champions at her organization. For those new to the concept, security champions are developers that have an interest in security and can facilitate collaboration between development and security teams.