Over the last few years, the “idea that every company is a technology company a fundamental shift in our industry” (Suzie Prince, Head of Product, DevOps, Atlassian). The sheer dominance of development as a craft has led to a bigger audience and a much louder voice that centers on the developer perspective.
Today, I am excited to announce Snyk’s acquisition of Fugue and welcome their team to the Snyk family. The addition of Fugue to Snyk’s platform will allow us to continue our mission to help developers find and fix security issues in the applications they create, by providing visibility into the security of applications and the cloud services they use. But it’s about more than just visibility of the cloud posture.
Magento has been a much used and loved e-commerce platform since its initial release in 2008. One of the things I’ve always loved about Magento is its ability to grow as ecommerce businesses grow. Starting as a self-hosted version (which I’ve used extensively as a developer over the years), Magento now has clear support and management options available via Adobe or third party ecosystem partners.
Today, we’re excited to announce a partnership with Sysdig to provide container and Kubernetes security together — from code to cluster. Together, Snyk and Sysdig can help developers secure code and containers in development, protect the runtime Kubernetes environment, and deliver feedback and visibility from production back to developers, eliminating the noise of container vulnerabilities.
As developers we all have our morning startup routine: make coffee, check slack/discord/email, read the latest news. One thing I do as part of my daily startup routine is check the Snyk vulnerability database for the latest open source vulnerabilities. It’s been especially interesting to see the types of exploits and vulnerabilities that appear in different ecosystems. For example, since May 2021 I’ve been watching the emergence of vulnerabilities in Tensorflow libraries.
We’re excited to announce that our Snyk Business plan will now be available as a free trial. Many developers love Snyk products, but the true power of our platform is displayed when it’s used across an organization. No company wants to navigate a security incident, but ensuring that your entire SDLC is protected can be a challenge. The Snyk Business plan gives your organization access to empowering and easy-to-use tools to ensure nothing slips through the cracks.
I conducted research based upon existing Python vulnerabilities and identified a common software pattern between them. By utilizing the power of our in-house static analysis engine, which also drives Snyk Code, our static application security testing (SAST) product, I was able to create custom rules and search across a large dataset of open source code, to identify other projects using the same pattern. This led to the discovery of a stored command injection vulnerability in Celery.
Managing resources in early versions of Kubernetes was a straightforward affair: we could define resources with YAML markup and submit these definitions to the cluster. But this turned out to require too much manual work, and at too low of a level. The next step in the evolution of Kubernetes was to use Helm charts. Sometimes called “the package manager for Kubernetes,” Helm allowed developers to share entire application setups using a templating language.
On January 30, 2022, , the Argo CD team was contacted by researchers at Apiiro regarding a vulnerability they had discovered in the popular continuous delivery platform that could allow bad actors to steal sensitive information from deployments. The Argo CD team was able to quickly develop fixes for all three of their currently supported releases and publish them to their users within 48 hours.
As applications become more complex, so does the task of securing them. While the source code making up applications consists of proprietary code, a great deal of it is also third-party, open source code. Development and security teams looking to release secure code while also maintaining a rapid pace of development, need to therefore combine static application security testing (SAST) and software composition analysis (SCA) as part of a comprehensive software security strategy.
