Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

June 2023

Building a security-conscious CI/CD pipeline

Continuous integration (CI) and continuous delivery (CD) has become a ubiquitous practice for DevOps teams. The CI/CD process focuses on building and deploying new applications or releasing updates to already-deployed workloads. As a result, most CI/CD efforts focus on enhancing development speeds. However, CI/CD practices can accomplish much more than enabling workload deployments.

The importance of verifying webhook signatures

Webhooks are a callback integration technique for sending and receiving information, such as event notifications, in close to real-time. Webhooks can be triggered by application events and transmit data over HTTP to another application or third-party API. You can configure a webhook URL and connect external participants to customize, extend, or modify workflows. Webhooks may or may not be signed.

Using insecure npm package manager defaults to steal your macOS keyboard shortcuts

Malicious npm packages and their dangers have been a frequent topic of discussion — whether it’s hundreds of command-and-control Cobalt Strike malware packages, typosquatting, or general malware published to the npm registry (including PyPI and others). To help developers and maintainers defend against these security risks, Snyk published a guide to npm security best practices.

Mimic your mental model with Project Collections

At Snyk we’re constantly trying to improve how you can work with Projects at scale. To continue the journey, we’ve been furthering how you can organize your Projects. There are nearly limitless ways to organize projects outside of Snyk because there is no standard mental model that is used by everyone, for example, some organize projects as mono-repos, and others as application components.

Maximizing IAM security with AWS permissions boundaries and Snyk

In today's rapidly evolving cloud landscape, managing permissions and ensuring robust security controls are essential for organizations utilizing Amazon Web Services (AWS). AWS Identity and Access Management (IAM) is crucial in managing permissions to access AWS resources. While IAM provides granular control over permissions, AWS IAM permissions boundaries offer additional security and flexibility for fine-tuning access controls.

Research with Snyk and Redhunt Labs: Scanning the top 1000 orgs on GitHub

Open source code is a vital aspect of modern development. It allows developers to increase their application’s functionality, while reducing overall development time. However, the system isn’t perfect. The nature of third party software and it’s dependencies often creates opportunity for security vulnerabilities to lurk in libraries and downloads.

SnakeYaml 2.0: Solving the unsafe deserialization vulnerability

In the December of last year, we reported CVE-2022-1471 to you. This unsafe deserialization problem could easily lead to arbitrary code execution under the right circumstances. In the deep-dive blog post “Unsafe deserialization vulnerability in SnakeYaml (CVE-2022-1471)”, I explained the problems in this library and how it could be executed. The gist of the problem was that by default SnakeYaml parsed the incoming yaml to the generic object type.

Understanding Kubernetes Pod Security Standards

Kubernetes “crossed the adoption chasm” in 2021 after 5.6 million developers used it to orchestrate their containers, according to the Cloud Native Computing Federation (CNCF). The annual CNCF survey recorded that an impressive 96% of organizations were either contemplating or outright using Kubernetes. However, Kubernetes becomes more appealing to hackers and malefactors as it becomes more popular.

The SecurityManager is getting removed in Java: What that means for you

The Java Development Kit (JDK) library's java.security package is one of the most important packages, yet despite consistent updates, it remains vastly underutilized. In light of the increased emphasis on cybersecurity frameworks, including zero trust, it's imperative for Java developers to become familiar with Java SE's security libraries. As with any other field in information technology, cybersecurity has a capricious nature. After all, it has to keep up with the latest trends in cybercrime.

Snyk named a Leader, placed highest in Strategy category in The Forrester Wave: Software Composition Analysis (SCA), Q2 2023 report

We’re thrilled to announce that Snyk was named a Leader in The Forrester Wave™: Software Composition Analysis (SCA), Q2 2023 report! We believe this recognition — and the fact that we are ranked highest in the Strategy category out of all evaluated vendors — highlights the work we’ve done at Snyk to disrupt the industry with developer-centric application security solutions to help companies secure their software supply chain.

Snyk integrates with AWS Security Hub to automate security remediation workflows

AWS Security Hub is a cloud security posture management platform (CSPM) that automates security best practice checks, aggregates security alerts, and understands your overall security posture across different AWS accounts. AWS Security Hub ingests security findings from other security services like Amazon GuardDuty, Amazon Inspector, Amazon Macie, AWS IAM, and AWS Firewall Manager — as well as findings from partners like Snyk.

Snyk integrates with Amazon EventBridge to enable secure AppDev at scale

In today’s highly dynamic application ecosystem, the number and scope of security issues that developers need to address have increased dramatically, making it imperative for modern development teams to have an automated system to handle security events across every application component.

Snyk Partner Speaks series: True DevSecOps with Snyk and Dynatrace

The latest video in our Snyk Partner Speak Series showcases how Snyk and Dynatrace bring complementary capabilities to different parts of the DevSecOps lifecycle. Check it out and learn how the integration enables organizations to observe, investigate, fix, and govern with a single solution. The Snyk DevSecOps Lifecycle Coverage App is the newest milestone in the Snyk and Dynatrace strategic alliance.

Snyk welcomes Enso: Enabling security leaders to scale their AppSec program with ASPM

As we approach the second half of 2023, both security and development teams are seeing seismic shifts in the application security world. AI is powering a productivity revolution in development, enabling developers of all types (and even non-developers) to introduce code faster than ever. Meanwhile, it’s more difficult than ever for developers and AppSec professionals to identify and prioritize true risk to the business.

Reduce risk to your supply chain with a software bill of materials (SBOM)

Today, we’re excited to launch a few new features as part of our ongoing efforts in our Software Supply Chain Security solution. These developer-first tools help you gain a better understanding of your app’s supply chain, identify potential risks, and take the necessary steps to get ahead of them.

Announcing Insights: Helping you focus on top risks for your organization

Modern applications are built, deployed and, run in increasingly complex and dynamic environments. Assessing and prioritizing the security issues introduced by these applications without taking this context into account inevitably leads to focusing remediation efforts on the wrong set of issues. This not only results in real risk slipping under the radar but also wastes the valuable time of developers, increasing their frustration and eroding their trust in security.

SnykLaunch June '23: Insights and DeepCode AI enable faster fixes and prioritization

As we approach the second half of 2023, both security and development teams are seeing seismic shifts in the application security world. DevOps practices continue to evolve, meaning that developers are introducing code more and more rapidly, andwith the help of AI, developers of all kinds are able to create code faster than ever. Plus, apps aren’t just made up of first-party code and third-party dependencies anymore.

Introducing parlay, a tool for enriching SBOMs

The increasing adoption of software bill of materials (SBOM) standards are starting to drive better interoperability between security tools. The NTIA’s work on defining a minimum set of elements for an SBOM was a key part of that, especially with multiple formats like CycloneDX and SPDX in widespread use. But with work on SPDX 3.0 and CycloneDX 1.5 progressing, there are lots of things we can do with the SBOM formats beyond the minimum elements.

What can you do with an enriched SBOM? A parlay quickstart guide

We just released parlay, a new open source tool that can enrich SBOMs with additional information. You can read more in the announcement blog post. In that post, we briefly mentioned why this is important for decision-making based on SBOM data, but thought a few quick examples might be interesting. parlay can add a lot of extra information to an SBOM, and we can use that information to write more powerful policies.

Snyk scanning capabilities are now embedded in Jira Software

Today, development is faster than ever. More apps and code are being written than ever before. There are more third-party dependencies in use to speed development, more containerization, and even code that controls the deployment and configuration of apps and the cloud. To ship quickly, developers need to stay on top of security issues. They want to understand how to build secure applications by getting feedback as they work.

A day in the life of an ethical hacker

Ethical hacking refers to the practice of using hacking techniques to identify and expose vulnerabilities in computer systems, networks, and applications. Unlike malicious hackers, ethical hackers use their skills and knowledge to help organizations and businesses identify security weaknesses before they can be exploited by malicious actors. Ethical hacking can include a range of activities, from scanning and penetration testing to social engineering and physical security testing.

A quick primer on LDAP injection

Lightweight Directory Access Protocol (LDAP) is an authentication mechanism for securing web applications. LDAP is popular because it's lightweight and scales easily — features that appeal to developers, but mean that LDAP databases often store large amounts of valuable information. This makes them an attractive target for attackers. Applications construct LDAP queries derived from user inputs to access and manipulate the information stored in LDAP databases.