Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Snyk

Stranger Danger: Your JavaScript Attack Surface Just Got Bigger

Mar 1, 2023 By Snyk In Snyk
Building JavaScript applications today means that we take a step further from writing code. We use open-source dependencies, create a Dockerfile to deploy containers to the cloud, and orchestrate this infrastructure with Kubernetes. Welcome - you're a cloud native application developer! As developers, our responsibility has broadened, and more software means more software security concerns for us to address.
View Video
Snyk

Three expert tips for cultivating secure software development practices

Mar 1, 2023 By Simon Maple In Snyk

We often hear about the importance of DevSecOps — integrating security into DevOps processes. But as many security professionals know, it’s not nearly as easy as it sounds. Cultivating secure software development practices requires working alongside developers with varying opinions, priorities, and idiosyncrasies. And any process involving humans is complicated. So, how do today’s security teams overcome these challenges and make secure software development practices a reality?

Read Post
Snyk

Finding YAML Injection with Snyk Code

Feb 23, 2023 By Calum Hutton In Snyk

I conducted some research to try and identify YAML Injection issues in open-source projects using Snyk Code. Though the vulnerability itself is not a new one, the potential impact of YAML Injection is high, which made it a good candidate for research. This research led to the discovery of several issues in open-source projects written in Python, PHP and Ruby. This article focuses on the issue found in geokit-rails version 2.3.2, a plugin for Ruby on Rails

Read Post
Snyk

The security concerns of a JavaScript sandbox with the Node.js VM module

Feb 22, 2023 By Liran Tal In Snyk

Were you tasked with building a product that requires the execution of dynamic JavaScript originating from end users? You might think building it on-top of Node.js VM module is a viable way to create a JavaScript sandbox. In this article, we’ll learn why that’s far from being a recommended approach and the security implications of doing so. Every now and then there’s a project that challenges the rudimentary and routine backend development. APIs? Message queues?

Read Post

The Big Fix. OWASP TOP 10 Snyk Learn Path (Cryptography & Outdated Components)

Feb 22, 2023 By Snyk In Snyk
OWASP stands for Open Web Application Security Project. This non-profit foundation works to improve software security. They have published a top 10 list that acts as an awareness document for developers. It represents a broad consensus about the most critical security risks. Our goal at Snyk Learn is to educate developers and one way we do that is by covering the OWASP top 10 list.
View Video
Snyk

When software isn't a "supply"

Feb 15, 2023 By Daniel Appelquist In Snyk

I was inspired to write this after reading a post from Thomas Depierre on Mastodon. The post touched on something that’s been troubling me recently. When it comes to software security, we spend a lot of time talking about the software supply chain and related concepts, such as the software bill of materials (SBOM). This metaphor comes from an industrial lexicon. People who are used to talking about economies and how manufacturing works are familiar with the idea of supply chain.

Read Post
Snyk

The dangers of setattr: Avoiding Mass Assignment vulnerabilities in Python

Feb 15, 2023 By Jack Hair In Snyk

Mass assignment, also known as autobinding or object injection, is a category of vulnerabilities that occur when user input is bound to variables or objects within a program. Mass assignment vulnerabilities are often the result of an attacker adding unexpected fields to an object to manipulate the logic of a program.

Read Post

Snyk Workflows - Ignores & PR Checks

Feb 15, 2023 By Snyk In Snyk
Snyk integrates with your IDEs, repos, workflows, and automation pipelines to add security expertise to your toolkit. The “menu” of options available to you is extensive, so we created this three-part series to get you started and running. Do you want your dev teams and AppSec teams to be aligned? The second session of the series digs deeper into using ignore capabilities. You’ll also learn about PR checks. This is a great way to get ahead of permissions.
View Video

Copyright © 2024 OpsMatters™. All rights reserved.