Containerization with Docker has become a major trend in web application development that many.NET developers have adopted. There are many compelling advantages for developers and DevOps engineers to containerize.NET applications, even when working with the older.NET Framework 4.x versions. However, if we don’t know how to use containers properly, we’ll experience little benefit from them.

When scanning an image you probably want to scan for both operating system vulnerabilities and vulnerabilities in the application dependencies (like npm, pom.xml, package.json etc), in order to get a full picture of the security issues within your images. Until now, when using the Snyk Container test/monitor commands to scan images you had to specify the --app-vulns flag in order to scan for application vulnerabilities.

Reddit is a good place to stay in the loop when it comes to web development news, and if you’re like me, you probably follow subreddits like r/node or r/javascript. I recently found a great way to build a Zapier Reddit integration with just my JavaScript knowledge — so I can share those trending Reddit posts in my team’s channel. In this article you’ll learn.

The principle of least privilege (PoLP) is a defensive strategy in the software development world. Alternatively called the principle of minimal privilege or the principle of least authority, PoLP ensures that users can only access the systems, processes, networks, and files required to complete their assigned tasks. When properly configured, unauthorized users can’t navigate to restricted application functions or switch roles.

Containers are a standardized software packaging format that provides a predictable, replicable way to run applications. Container isolation is one of the primary benefits of containerized applications. Using containers enables us to isolate our software from its environment, increasing consistency and reliability across our development and staging environments. You’re probably familiar with — or are using — Docker containers.

Creating Java applications is great, and many resources are available. To speed up development, many folks use frameworks and libraries that do some of the heavy lifting. When looking at modern Java applications, almost all of them contain dependencies from libraries developed by someone else. Dependencies take up about 80 to 90 percent of the binary — so, we should take good care of them when creating a Java project.

A Google remote procedure call (gRPC) is Google’s open source version of the remote procedure call (RPC) framework. It’s a communication protocol leveraging HTTP/2 and protocol buffer (protobuf) technologies. gRPC enables a remote client or server to communicate with another server by simply calling the receiving server’s function as if it were local. This makes communicating and transferring large data sets between client and server much easier in distributed systems.

Today we’re announcing a new container security cheat sheet and report — created in collaboration with our partner Sysdig. Download cheatsheet In this post, we’ll outline tips to help you successfully navigate the challenges of container security with a focus on three core principles: Traditional security approaches are incapable of handling the distributed and ephemeral nature of containers.

Distributed containerized systems compose applications, resources, services, databases, and other artifacts. These components often need sensitive information such as user keys, passwords, API keys, and certificates to function properly. Secrets management is critical for adequately handling sensitive information and Kubernetes deployments often utilize their built-in Secrets resource type and associated RBAC controls but what if you aren’t deploying on Kubernetes?

One of the main goals for this research was to explore how it is possible to execute arbitrary commands even when using a safe API that prevents command injection. The focus will be on Version Control System (VCS) tools like git and hg (mercurial), that, among some of their options, allow the execution of arbitrary commands (under some circumstances). The targets for this research are web applications and library projects (written in any programming language) that call these commands using a safe API.

Drupal is a popular content management system (CMS) that leading corporations and government agencies use for mission-critical applications. With a supportive community of developers, robust security, multilingual support, compliance with WCAG guidelines, and ease of integration, Drupal is a go-to CMS.

Open source libraries and frameworks are a great way to jump-start development projects. Open source empowers developers to do some great things without reinventing the wheel and developing solutions for problems that have already been solved. However, adding any code to a project carries an inherent risk of introducing potential vulnerabilities that may have made their way into it through error or malice.

There are many ways to find bugs in Python code: the built-in debugger (pdb), a healthy amount of unit tests, a debugger in an IDE like Pycharm or Visual Studio, try/catch statements, if/else statements, assert statements, or the tried and true practice of covering every inch of your codebase in print() statements like it’s going out of style. Assert statements can help us catch bugs quickly and are far less intrusive than copious amounts of print statements.

In this post, we’ll look at the security blindspots of lockfile injection that a Ruby gem might expose via its Gemfile.lock. As a prelude to that, we will open up with a brief introduction to Ruby and third-party dependencies management around RubyGems and Bundler. Web developers often work on Ruby projects, but are mostly referring to them as the popular open source web application framework Ruby on Rails.

Snyk security researchers continually monitor open source ecosystems for malicious packages, utilizing static analysis techniques to identify and flag suspicious packages. Each malicious package is identified upon publication to the package manager and swiftly added to the Snyk Vulnerability Database. During recent research, the team found 12 unique pieces of malware belonging to the same actor.

C++ offers many powerful capabilities to developers, which is why it’s used in many industries and many core systems. But unlike some higher-level languages that offer less direct control over resources, C++ has a variety of security concerns that developers must be keenly aware of when writing code to avoid introducing vulnerabilities into projects. As developers, we build applications with our end-users in mind. They trust us with their data, time, and device access.

Kubernetes provides an interface to run distributed systems smoothly. It takes care of scaling and failover for your applications, provides deployment patterns, and more. Regarding security, it’s the teams deploying workloads onto the Kubernetes cluster that have to consider which workloads they want to monitor for their application security requirements.

Snyk has officially launched Snyk Training, a free online resource to help developers and security teams learn how to implement, configure, and use Snyk on their own. The initial content in Snyk Training focuses on three learning needs: The platform is an easy way for teams to get an introduction to Snyk tools and user best practices. Most courses take between 3 and 10 minutes, and have been described by a customer as, a “very good overview on how to get started with the Snyk journey!”

Creating and running an application in your favorite language is usually pretty simple. After you create your application, deploying it and showing it to the world is also quite straightforward. The last thing you need is someone to take over your system and fully control your brand new application. In this article, I’ll explain how this can happen with a reverse shell attack. Note that the code examples in this article are for educational purposes only.

One of the things I’ve grown accustomed to as a developer is fiddling around with new languages or frameworks I find interesting. So naturally, working with our partners to launch Snyk Apps is right in my wheelhouse. At work and on my own time, I enjoy trying to build something that others might find interesting or useful. As a Jira user myself, I decided to take a look at Atlassian’s Forge platform and see what I could do with it.

On behalf of the entire Snyk community, I am excited to share that Forbes has named Snyk to the Forbes Cloud 100 list for the third consecutive year, coming in at #20 — which is 19 spots higher than last year! The full list was unveiled this morning.

If you’re looking to catch up on what happened at this years AWS re:Inforce, this is the blog for you. There were many important announcements were this year, including some exciting updates on the cloud security front. In this post, we’ll quickly review the goals of the conference and who should attend, before diving into the keynote highlights, software updates, and helpful resources.

According to Wappalyzer, PHP powers over twelve million websites. Not bad for a 28-year-old language! Despite its age, PHP has kept up with modern development practices. With support for type declarations and excellent frameworks like Laravel and Symfony, PHP is still a great way to develop web apps. PHP works well in containerized environments. With an official image available on Docker Hub, developers know they can access well-tested PHP container images to build on.

Ruby, much like other programming languages, has an entire ecosystem of third-party open source libraries which it refers to as gems, or sometimes Ruby gems. These gems are authored by the community, and are available from RubyGems.org which is the official registry for Ruby libraries. Similarly to other open source ecosystems, threat actors may publish deliberate malicious code or such which includes backdoors or credentials harvesting.

Terraform is an infrastructure as code (IaC) solution that enables DevOps teams to use coding concepts to automatically deploy on-premise or public cloud infrastructure components. These components may include virtual machines, network components, storage, applications, or database services. Terraform provides HashiCorp Language (HCL).