Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

August 2023

7 AppSec tips from Snowflake's Director of Product Security

At this year’s AWS re:Invent, Mic McCully, Field CTO at Snyk, spoke with Jacob Salassi, Director of Product Security at Snowflake. They discussed what it looked like for Snowflake to overcome various security challenges with the right combination of processes, company culture shifts, and tool partners (including Snyk!). Read on to learn about the practices Jacob and his team established to create a successful application security program.

How to use AI for software development and cybersecurity

We’ve seen how technology can evolve at warp speed, and AI has emerged as both a revolutionary force and a tantalizing enigma. Whether you're a seasoned developer seeking to expand your toolkit or a security enthusiast on a quest for clarity in the realm of AI, embarking on the journey to demystify this dynamic field can be both exhilarating and overwhelming.

How to implement SSL/TLS pinning in Node.js

With threat actors performing man-in-the-middle (MITM) attacks, having an SSL/TLS certificate is no longer a valid reason to trust an incoming connection. Consequently, developers are increasingly adopting SSL/TLS pinning, also known as certificate or public key pinning, as an additional measure to prove the authenticity and integrity of a connection.

How Okta empowers devs to find & fix security issues with Snyk

Many organizations find it challenging to locate and fix the vulnerabilities in their containers. But the team at Okta knew that securing the containers that support Auth0 (their identity and access (management platform), was imperative. The team also knew these security processes had to be developer-friendly: making finding and fixing container vulnerabilities as simple as possible.

Using JLink to create smaller Docker images for your Spring Boot Java application

Containers bring new flexibility and agility to software development and deployment. However, they also introduce a new attack surface that malicious actors can exploit. A compromised container can give an attacker access to other containers and even the host system. Smaller images that contain fewer artifacts are already a great help in achieving a smaller attack surface.

Top 5 VS Code extensions for security

Developing quality software applications can be arduous, as many moving parts must come together to create a working solution. That’s why developers need all the help and convenience they can get, especially when securing their applications. Visual Studio Code (VS Code) is one of the most popular open source code editors for various reasons.

Streamline dependency updates with Mergify and Snyk

Managing dependencies for a project is a task that requires consistent effort and attention. Surely, you’ve found yourself concerned about any of the following while maintaining a project: Luckily, we’ve been able to use GitHub bots to automate dependency management to an extent with solutions like Dependabot and GreenKeeper. However, these bots mostly automate the creation of a new code pull request that proposes the changes to be made.

Best practices for building a production-ready Dockerfile for PHP applications

Docker is a containerization platform for bundling your code, dependencies, and runtime environment into self-contained units that run identically in different environments. Dockerizing a PHP application simplifies deployment by packaging the PHP runtime, a web server, and your source code and composer dependencies into a container. Getting started with Docker is easy. However, there are a few pitfalls you need to avoid before you can safely use it in production.

Introducing Snyk's new Risk Score for risk-based prioritization

We’re happy to announce the open beta availability of Snyk’s new Risk Score! Replacing the existing Priority Score, the new Risk Score was designed to help you prioritize more effectively by providing you with an accurate and holistic understanding of the risk posed by a given security issue.

Can machines dream of secure code? From AI hallucinations to software vulnerabilities

As GenerativeAI expands its reach, the impact of software development is not left behind. Generative models — particularly Language Models (LMs), such as GPT-3, and those falling under the umbrella of Large Language Models (LLMs) — are increasingly adept at creating human-like text. This includes writing code.

Secure Java URL encoding and decoding

URL encoding is a method that ensures your URL only contains valid characters so that the receiving server can correctly interpret it. According to the RFC 3986 standard, URIs (which are a superset of URLs) only contain a limited set of characters consisting of digits, letters, and a few graphic symbols, all within the ASCII character set. If a URL contains characters outside this limited set, the characters must be percent-encoded.

Starting Strategies: Where to Begin After Purchasing Snyk

Luke Sanders, Senior Technical Success Manager, shares quick tips and best practices for getting started with Snyk. Topics covered include: Snyk helps software-driven businesses develop fast and stay secure. Continuously find and fix vulnerabilities for npm, Maven, NuGet, RubyGems, PyPI and more.

CodeSecDays conference and more complete security coverage with GitGuardian

As secrets have a role in most security incidents, Snyk is excited to partner with GitGuardian to help development and security teams scale their security programs and further reduce an application's attack surface at every stage of the code-to-cloud lifecycle. We recently spoke at GitGuardian's first digital conference, CodeSecDays, joining security leaders from Chainguard, Doppler, Kondukto, and more — who shared insights on software signing, open source security, and secrets management.

Manage security issues in Jira with Snyk Security in Jira Cloud

Incorporating security into the software development lifecycle helps ensure the creation of secure and robust software applications from the very beginning. To further evolve our security offerings in the developer community, we announced our partnership with Atlassian to introduce Snyk Security in Jira Cloud as a part of the Security in Jira launch in June. Snyk started gradually rolling out the Jira Security App and has significantly improved the functionality and features available to users.

.NET developers alert: Moq NuGET package exfiltrates user emails from git

On August 8, 2023, the.NET community was informed that the testing library called Moq exfiltrates developer's emails from their development machine and sends them off to third-party remote servers. Snyk has already published a security advisory and will alert developers who scan and monitor their.NET projects with Snyk.

5 tips to supercharge app security from code to cloud

As the partnership between Snyk and GitGuardian continues to grow, we’ve collaborated on a new cheat sheet that identifies key security considerations and tools that can help you mitigate risks and protect your code. The journey from code to cloud and back to code necessitates a holistic approach to security.

Snyk Ranked #19 on 2023 Forbes Cloud 100 List

I am excited and humbled to share that Snyk has been named to the prestigious Forbes Cloud 100 list for the fourth consecutive year, coming in at #19. The full list was unveiled this morning. This recognition follows a number of significant company milestones, including being named a leader in both the 2023 Gartner® Magic Quadrant™ for Application Security Testing and The Forrester Wave™: Software Composition Analysis, Q2 2023 report.

Mitigating DOM clobbering attacks in JavaScript

The Document Object Model (DOM) acts as an interface between HTML and JavaScript, bridging the gap between static content and dynamic interactivity. This function makes the DOM indispensable for modern web developers. However, the DOM has a pitfall — DOM clobbering. DOM clobbering occurs when HTML elements conflict with global JavaScript variables or functions, which can lead to unexpected behavior and a potential security loophole in your web application.

The Role of Leadership in Successful DevSecOps Adoption

Customer Speakers: Woolworths | Pablo Reyes, AppSec Lead Shopback | Dipin Thomas, Engineering Manager Coinhako | Metarsit Leenayongwut, Engineering Manager Snyk helps software-driven businesses develop fast and stay secure. Continuously find and fix vulnerabilities for npm, Maven, NuGet, RubyGems, PyPI and more.

Discussions on improving security through chaos engineering

When you rely on a tool to support you in an intense situation, you probably want reassurance that it got tested for extreme conditions. For example, if you’re about to go skydiving, you'd want to know that the parachute strapped to your back underwent rigorous testing and will perform it's needed most. The same is true with the systems supporting our security initiatives. What happens when those systems are under high pressure in an emergency?

How to Dockerize a PHP application securely

Let’s say you’ve built a PHP application, but you want to separate it from supporting infrastructure in a way that keeps things lightweight, portable, and still quite secure. You’d like other developers to be able to work on it without having to recreate whole environments. In short, what you want to do with your application is containerize it — package it and its dependencies into containers that can be easily shared across environments.