A Day In The Life of A Service Company CISO - Caroline Wong
Snyk helps software-driven businesses develop fast and stay secure. Continuously find and fix vulnerabilities for npm, Maven, NuGet, RubyGems, PyPI and more.
Security | Threat Detection | Cyberattacks | DevSecOps | Compliance
The Latest Cybersecurity News & Insights From Around The World
DevOps
How to Mitigate the Risks of Software Supply Chain Security
In this video, Lawrence Crowther, Head of Solutions Engineering at Snyk, and Pas Apicella, Principal Solutions Engineer at Snyk, discuss the ways to mitigate risks in software supply chain security.
This Week in VulnDB - 10th March 2022
Welcome to This Week in VulnDB, Each episode we will look through some of the newer vulnerabilities in the Snyk vulnerability database, looking at emerging trends in attack vectors appearing in programming languages, platforms and ecosystems.
How To Address SAST False Positives In Application Security Testing
Static Application Security Testing (SAST) is an effective and well-established application security testing technology. It allows developers to create high-quality and secure software that is resistant to the kinds of attacks that have grown more prevalent in recent years. However, the challenge with SAST is that it tends to produce a high number of false positives that waste the time of your engineering team. In this blog we take a look at SAST and the problem of false positives.
How to Set-up an Identity-Aware Access Proxy as a Bastion Host in AWS
More and more business-critical applications run on Amazon Web Services. Protecting these mission-critical applications from potential attacks requires moving beyond typical security approaches such as using only a jump box or firewall to control access. This multi-part tutorial will show how DevOps teams can secure their AWS services using a zero-trust, identity-based approach that not only increases security, but improves developer productivity.
Cross-Account and Cross-Cluster Restore of Kubernetes Applications
Cross-Account and Cross-Cluster Restore of Kubernetes Applications Using CloudCasa. Users can now browse and map the available storage classes in the source and destination cluster when restoring. When performing cross-account Kubernetes restores in AWS, the system will now automatically handle changing volume IDs for PVs. Additionally, when creating an EKS cluster on restore, CloudCasa now allows customization of the IAM role, security group, VPC group etc. to be used in the new account.
Infrastructure drift and drift detection explained
Expectations do not always line up with reality. If you’ve started using infrastructure as code (IaC) to manage your infrastructure, you’re already on your way to making your cloud provisioning processes more secure. But there’s a second piece to the infrastructure lifecycle — how do you know what resources are not yet managed by IaC in your cloud? And of the managed resources, do they remain the same in the cloud as when you defined them in code?
"Dirty Pipe" Linux vulnerability and your containerized applications (CVE-2022-0847)
Recently, CVE-2022-0847 was created detailing a flaw in the Linux kernel that can be exploited allowing any process to modify files regardless of their permission settings or ownership. The vulnerability has been named “Dirty Pipe” by the security community due to its similarity to “Dirty COW”, a privilege escalation vulnerability reported in CVE-2016-5195, and because the flaw exists in the kernel pipeline implementation.
Mitigating Risks in Software Supply Chain
By 2025, 45% of organizations worldwide will have experienced attacks on their software supply chains (Gartner) which are only becoming increasingly complex due to the changes in how modern software is built. These trends, together with new federal regulations, require organizations to take action to ensure the security and integrity of their software. But this is easier said than done.
Simplifying container security with Snyk's security expertise
The most beautiful and inspiring aspect about open source code is, well, that it’s open source. We can look at open source packages like gifts that are exchanged between developers across the engineering world, allowing them to learn from the work other people do, contribute their own expertise, and grow their professional capabilities. Contributing to open source is much appreciated, and it is important to remember not only to benefit from these projects, but also to contribute back.