Amazon Web Services (AWS) Simple Storage Service (S3) has become a cornerstone in the world of cloud storage. It offers scalability, high availability, and performance, making it a go-to choice for businesses of all sizes. However, as with any cloud service, security is paramount. This is where the question of "how to secure an S3 bucket" comes into play. Securing your S3 buckets is not just about protecting your data from unauthorized access.

In today's increasingly digital world, where businesses rely heavily on technology for core operations, the European Union's Digital Operational Resilience Act (DORA) establishes a comprehensive framework to manage Information and Communication Technology (ICT) related risks and ensure business continuity for financial institutions and critical service providers.

A week before RSA 2024, Forrester predicted which subjects and themes would come to the forefront of the conference. They emphasized that we’d see a focus on proactive security, defined as “a strategic approach to controlling security posture and reducing breaches through strong visibility, prioritization, and remediation.” I went into the conference with this prediction in mind. However, I was surprised by what I found.

As developers, we often have to work with REST APIs when we integrate with third-party systems or connect between frontend and backend systems at work. APIs, and REST APIs in particular, are a fundamental part of modern web applications, allowing us to create, read, update, and delete data over HTTP. However, as with any technology, they come with their own set of security challenges. Let's break these challenges down and understand how to secure REST API applications.

On June 25, 2024, the Sansec security research and malware team announced that a popular JavaScript polyfill project had been taken over by a foreign actor identified as a Chinese-originated company, embedding malicious code in JavaScript assets fetched from their CDN source at: cdn.polyfill.io. Sansec claims more than 100,000 websites were impacted due to this polyfill attack, including publicly traded companies such as Intuit and others.

As we enter the age of AI, we’ve seen the first wave of AI adoption in software development in the form of coding assistants. Now, we’re seeing the next phase of adoption take place, with organizations leveraging increasingly widely available LLMs to build AI-enabled software. Naturally, as the adoption of LLM platforms like OpenAI and Gemini grows, so does the security risk associated with using them.

Snyk is an excellent tool for spotting project vulnerabilities, including hardcoded secrets. In this blog, we'll show how you can use Snyk to locate hardcoded secrets and credentials and then refactor our code to use Doppler to store those secrets instead. We'll use the open source Snyk goof project as a reference Node.js boilerplate application, so feel free to follow along with us.

After our recent successes exploring WebSocket Hijacking vulnerabilities, we decided to expand this research project into other attacks that involve WebSockets. We started by looking at WebSocket smuggling attacks and expanded our scope to include HTTP response header injection attacks and potential novel impacts.

To help businesses develop fast and stay secure, Snyk prioritizes seamless compatibility with developers’ existing workflows. In other words, every major tool or environment a developer touches in their everyday work can interface with Snyk tooling. This compatibility includes partnerships with major cloud providers like Google Cloud.

We’re excited to announce that the Snyk Language Server (LS for short) can now be integrated with your existing IntelliJ IDEs.