Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

March 2023

Data leak in the Netherlands: What developers should learn from this

Currently, there are a series of data leaks going on in the Netherlands. Blauw, a prominent market research firm in the Netherlands, reported a data leak earlier this week. Blauw offers qualitative market research for companies and events, and works with many big Dutch brands. The current leak of customer data has already resulted in personal data exposure for a substantial number of Dutch consumers.

AWS in 30 recap

Last month, Lead Partner Solutions Architect, David Schott, presented a demo on how Snyk works alongside Amazon Web Services (AWS) to identify vulnerabilities at every level of development and infrastructure. David covered why agile development in the cloud requires a different security approach than simply using the IT security methods of the past. Then, he showed a real-time example of how Snyk’s AWS cloud security tools can find and mitigate common vulnerabilities.

Avoiding mass assignment vulnerabilities in Node.js

Mass assignment is a vulnerability that allows attackers to exploit predictable record patterns and invoke illegal actions. Mass assignment usually occurs when properties are not filtered when binding client-provided data-to-data models. Vulnerabilities of this type allow an attacker to create additional objects in POST request payloads, allowing them to modify properties that should be immutable.

Securing the web (forward)

We have grown to expect a reasonable level of privacy and security when we use services on the web and web-based applications. That’s because these services deal with every aspect of our daily lives — from money and finances, to how we interact with government services, to our education or the education of our children, to communicating with friends and family, to healthcare, to simply buying food to eat.

Out of This World Cybersecurity

From cybersecurity Executive Orders, to Emergency Directives, to establishing a presence on the moon, cybersecurity at NASA encompasses a wide variety of both Information and Operational Technology assets, some of which are literally out of this world. Attendees will gain insights into the challenges and best practices in securing critical assets in highly dynamic and complex environments.

Dev First Prevention Strategies Using the CI/CD

Watch this office hours where we cover best practices for introducing a blocking/prevention strategy using the CI/CD Integration. Security and engineering teams often fail to find a balance between meeting the necessary security objectives for their organization and ensuring maximum velocity. While security teams view the process of blocking new critical severity vulnerabilities as a basic security best practice, engineering teams often push back out of fear that it will create too much friction for their developers.

PulseMeter Report: Software supply chains

The not-so-distant memories of security events like Log4Shell and the SolarWinds attack keep software supply chain attacks front of mind for developers. There are things organizations can do to detect and deter malicious supply chain attacks, including the recently mandated (as per the U.S. federal government) software bill of materials (SBOM).

Securing the digital future: Reviewing the Biden-Harris administration's National Cybersecurity Strategy

On March 2nd, 2023, the Biden-Harris Administration released a fact sheet announcing the National Cybersecurity Strategy, which outlines their vision for securing the nation's digital infrastructure and ensuring the safety of American citizens online. This strategy addresses the growing number of cyber threats facing the United States, including ransomware attacks, supply chain vulnerabilities, and state-sponsored hacking.

The Docker project turns 10! Looking back at a decade of containers

March 15, 2023 marked the 10-year anniversary of Solomon Hyke's famous PyCon lightning talk, when he introduced the world to Docker. Let’s look back at how much has changed and hear from some folks who have stories about blazing the trail toward the containerized world we live in today.

New language-specific Snyk Top 10 for open source vulnerabilities

Developers use open source code because it facilitates fast development. In fact, the vast majority of code in modern applications is open source. But just like any other code, open source libraries are open to vulnerabilities that can negatively affect a wide range of end-user products. So with widespread usage of open source, it's important for teams to be aware of the risks that can be hidden in the libraries they use.

AWS top 10 misconfigurations and how to fix them: A cheat sheet

Amazon Web Services (AWS) remains the dominant cloud provider, with 40.8% of the market share. Many enterprises and organizations today have some, if not most, of their infrastructure on Amazon Web Services. AWS helps organizations accelerate their digital transformations and innovate faster, but there are common misconfigurations when moving to AWS.

Preventing XSS in Django

Cross-Site Scripting (XSS) is a type of vulnerability that involves manipulating user interaction with a web application to compromise a user's browser environment. These vulnerabilities can affect many web apps, including those built with modern frameworks such as Django. Since XSS attacks are so prevalent, it's essential to safeguard your applications against them. This guide discusses how XSS vulnerabilities originate in Django apps and what you can do to mitigate them.

CISO playbook: 3 things to consider when establishing a security culture

Establishing a thriving security culture across your organization will rely heavily on your developer teams. Therefore, engaging with developers early and often while you build your security program is vital. In this playbook for Chief Information Security Officers (CISOs), we explore how to build a security culture across your organization by considering the following three things.

Cultivating Developer Adoption

Many organizations are encouraging their developer teams to adopt a security mindset and take more ownership on security issues earlier in the development process. But how can that actually be achieved effectively and what a successful program looks like in practice? In this recording, we’ll discuss some of the program lessons we’ve learnt from many enterprises that are going through this process and investigate different methodologies for implementing DevSecOps and will share what are best practices to follow and common pitfalls to avoid.

Comparing Node.js web frameworks: Which is most secure?

JavaScript is the world’s most popular programming language, providing many web frameworks that help developers build secure, reliable Node.js web applications. Each framework has unique features, and which framework is right for you depends on your preference and the type of application you intend to create. With so many frameworks available, you need a way to assess their security.

Stranger Danger: Your JavaScript Attack Surface Just Got Bigger

Building JavaScript applications today means that we take a step further from writing code. We use open-source dependencies, create a Dockerfile to deploy containers to the cloud, and orchestrate this infrastructure with Kubernetes. Welcome - you're a cloud native application developer! As developers, our responsibility has broadened, and more software means more software security concerns for us to address.

Snyk Workflows - Builds & Branching

Snyk integrates with your IDEs, repos, workflows, and automation pipelines to add security expertise to your toolkit. The “menu” of options available to you is extensive, so we created this three-part series to get you started and running. What about when you need to compare different versions of code? This third session of the series covers the more advanced topic of builds and branching and more.

Mitigating path traversal vulns in Java with Snyk Code

Path traversal is a type of security vulnerability that can occur when a web application or service allows an attacker to access server files or directories that are outside the intended directory structure. This can lead to the unauthorized reading or modification of sensitive data.

Snyk in 30: Developer-first security democast

In our latest Snyk in 30 democast, I demonstrated working on an app, starting in an IDE and going all the way to the live app deployed in the cloud. Along the way, I showed how Snyk fits into the tools a real developer might use. Specifically, I focused on the practical aspects of implementing Snyk in a real-world development and cloud environment, answering questions like: I’ll cover some of the main highlights from the presentation in this blog post.

Stranger Danger: Your JavaScript Attack Surface Just Got Bigger

Building JavaScript applications today means that we take a step further from writing code. We use open-source dependencies, create a Dockerfile to deploy containers to the cloud, and orchestrate this infrastructure with Kubernetes. Welcome - you're a cloud native application developer! As developers, our responsibility has broadened, and more software means more software security concerns for us to address.

Three expert tips for cultivating secure software development practices

We often hear about the importance of DevSecOps — integrating security into DevOps processes. But as many security professionals know, it’s not nearly as easy as it sounds. Cultivating secure software development practices requires working alongside developers with varying opinions, priorities, and idiosyncrasies. And any process involving humans is complicated. So, how do today’s security teams overcome these challenges and make secure software development practices a reality?