Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

November 2021

Automating Container Runtime Security Scanning with Snyk

So you’re running microservices in containers? Congratulations! This is an important step towards meeting those business needs around delivering applications to the hands of your customers as soon as possible. But how can we mitigate any potential risks associated with faster software deployment while running on Kubernetes? Simple, with Snyk’s Kubernetes integration we can identify vulnerabilities in their associated images and configurations that might make those workloads less secure. Watch this video to find out how!

Java Security Tip: Sanitize user input

Java Security Quick Tip: Always santize user input before you display it in your web app. Displaying user input wideout proper validation or sanitization can lead to cross-site scripting security issues. With the OWASP Encoder library, you can escape scripts and be positive that they will not be executed in the users' browser. In this video I will answer the following questions Snyk helps software-driven businesses develop fast and stay secure. Continuously find and fix vulnerabilities for Java and many other languages.

Securing your open source dependencies with the Snyk Visual Studio Code extension

We’re pleased to announce new functionality within the Snyk Vulnerability Scanner extension for Visual Studio Code, making it easier for developers to find and fix vulnerabilities and license issues in their open source dependencies! To help developers take more responsibility for the security of their applications, security tools must be able to integrate seamlessly into existing workflows and the tools developers are using on a day-to-day basis.

Announcing automated fixes for vulnerabilities in .NET dependencies

We’re pleased to announce improved support for.NET applications in Snyk Open Source, allowing developers to fix vulnerabilities in.NET dependencies with the help of actionable advice and automated pull requests! As of the time of writing, NuGet, the Microsoft-supported and de-facto standard package manager for.NET, has 276,266 unique packages, downloaded on average more than a billion times a week!

Proactively fixing vulnerabilities to maintain Java security and project hygiene with Snyk

As a developer, I spend a lot of time in my GitHub account. I write apps, little utilities, and proof of concepts for when I am learning something new. I like to think that, because I spend a lot of time on GitHub, the overall health of my account is pretty high.

AppSec during hypergrowth: Empower your developers to overcome the tech talent shortage

Many high-growth technology startups are pressured to deliver applications to market ahead of fast-moving competitors. It’s all too easy to allow a “we’ll get to that eventually” mentality to creep in when competing priorities appear to force a tradeoff with development velocity. This introduces unnecessary risks, but they can be mitigated by implementing an effective AppSec program that involves the right tools, processes, and mindset.

Best practices for containerizing Python applications with Docker

From reading many Python Docker container blogs, we’ve found that the majority of posts provide examples of how to containerize a Python application independent of its framework (Django, Flask, Falcon, etc.). For example, you might see something like this: With this Dockerfile, we can build and run a Python Flask application: Two simple steps and it works just fine, right?

Snyk IaC wins 2021 CRN Tech Innovator Award & continues to grow channel business

There’s never a dull moment at Snyk and for our Channel team that it’s been especially rewarding. We’re very excited to say that this week Snyk Infrastructure as Code (Snyk IaC) was named the winner of the cloud security category for the 2021 CRN Tech Innovator award. The full list of winners, unveiled earlier this week, showcases innovative vendors in the IT channel across 47 different technology categories, in key areas ranging from cloud to storage to networking to security.

Scanning ARM templates for misconfigurations with the Snyk CLI

Managing application resources at scale can be tricky business. As such, many DevOps and AppSec teams turn to using a declarative framework rather than writing individual scripts to deploy, manage, and maintain access controls for their resources. For Azure environments, Azure Resource Manager (ARM) is this management layer that allows teams to manage their infrastructure as code (IaC) through declarative ARM templates.

How Snyk Code prioritizes vulnerabilities using their Priority Score

If every vulnerability seems to be equally critical, engineers would get overwhelmed and probably waste time on the wrong issues. This is why it’s important for developer security tools to provide clear and simple prioritization functionality. As you’ve likely noticed, Snyk Code provides a Priority Score on the top right corner of the overview panel. When hovering over it, an explanation is shown how the priority score was calculated.

How to effectively detect and mitigate Trojan Source attacks in JavaScript codebases with ESLint

On November 1st, 2021, a public disclosure of a paper titled Trojan Source: Invisible Vulnerabilities described how malicious actors may employ unicode-based bidirectional control characters to slip malicious source code into an otherwise benign codebase. This attack relies on reviewers confusing the obfuscated malicious source code with comments.

How Datto made developer-first security a reality with Snyk

When David McCheyne, DevOps Engineer at Datto, outlined a plan to ease the company into developer-first security using Snyk, he thought it would take his teams a year to prove the concept. A seasoned DevOps pro, David understood very well the enormity of this change and was prepared to slowly introduce Datto security champions to the Snyk platform and not force the process.

Lessons learned from improving full-text search at Snyk with Elasticsearch

Elasticsearch is a popular open source search engine. Because of its real-time speeds and robust API, it’s a popular choice among developers that need to add full-text search capabilities in their projects. Aside from being generally popular, it’s also the engine we’re currently moving our Snyk reports functionality for issues! And once we have everything tuned in issues, we’ll start using Elasticsearch in other reporting areas.

Exploring extensions of dependency confusion attacks via npm package aliasing

Dependency confusion attacks are a form of open source supply chain security attacks in which an attacker exploits how package managers install dependencies. In a prior post, we explored how to detect and prevent dependency confusion attacks on npm to maintain supply chain security. In this article, we will present an extension of the dependency confusion problem utilizing npm’s package aliasing capabilities.

JavaScript type confusion: Bypassed input validation (and how to remediate)

In a previous blog post, we showed how type manipulation (or type confusion) can be used to escape template sandboxes, leading to cross-site scripting (XSS) or code injection vulnerabilities. One of the main goals for this research was to explore (in the JavaScript ecosystem) how and if it is possible to bypass some security fixes or input validations with a type confusion attack (i.e by providing an unexpected input type).

How and when to use Docker labels / OCI container annotations

Most container images are built using Dockerfiles which contain combinations of instructions like FROM, RUN, COPY, ENTRYPOINT, etc. to build the layers of an OCI-compliant image. One instruction that is used surprisingly rarely, though, is LABEL. In this post, we’ll dig into labels (“annotations” in the OCI Image Specification) what they are, some standardized uses as well as some practices you can use to enhance your container security posture.

How MongoDB built a successful security champions program

We recently spoke with Amy Berman, Security Strategic Operations Lead at MongoDB about the role of security champions at her organization. For those new to the concept, security champions are developers that have an interest in security and can facilitate collaboration between development and security teams.

Secure your infrastructure from code to cloud

Infrastructure as Code enables you to take ownership of your cloud environments and define what your application needs in a programmatic way. It's appealing because it’s code; you can version it, you can automate testing it using pipelines and you can deploy it frequently on your own. However there is a catch. With this level of autonomy comes increased responsibility and the implicit requirement to have the relevant knowledge needed in order to design and configure secure infrastructure.

Haunted: Chrome's vision for post-Spectre web development

Ahh, the web, an open platform where sites can communicate with each other, embed third-party content to unlock powerful features, make requests to arbitrary endpoints of other web applications... Well. Isolation was never a thing on the web, and this creates a number of security issues⏤but Spectre took this to the next level.

Enterprise Application Risk Profiling

I will discuss digital transformation in the enterprise, how it impacts cloud native applications developed using agile methodologies and as a result, an oscillating application risk rating, which then triggers prioritized security-related activities by application security engineers.. Key topics will include: Creating a baseline application risk profile Dynamic characteristics of application risk factors Significant changes that trigger security reviews