Vulnerability

How Atlassian used Snyk to solve Log4Shell

Nov 16, 2022 By Sarah Conway In Snyk

Snyk recently launched a multi-day live hack series with AWS, where experts demonstrated exploits in real-time and explained how to defend against those vulnerabilities. This series helped viewers discover new ways to improve security across the application stack for AWS workloads. As part of the series, Micah Silverman (Director of Developer Relations, Snyk) and Chris Walz (Senior Security Engineer, Atlassian) discussed Log4Shell.

Read Post

Snyk

Read more about How Atlassian used Snyk to solve Log4Shell

Best practices for Kubernetes Secrets management

Nov 16, 2022 By Eric Kahuha In Snyk

Kubernetes uses secret objects, called Secrets, to store OAuth tokens, secure shell (SSH) keys, passwords, and other secret data. Kubernetes Secrets allow us to keep confidential data separate from our application code by creating it separately from pods. This segregation, along with well-formed role-based access control (RBAC) configuration, reduces the chances of the Secret being exposed — and potentially exploited — when interacting with pods, thereby increasing security.

Read Post

Snyk

Read more about Best practices for Kubernetes Secrets management

PyPi Malware Stealing Discord and Roblox Payment Info

Nov 16, 2022 By Snyk In Snyk

In this livestream we dive into the latest set of malicious packages discovered by the Snyk security research team. We are joined by senior security researcher at Snyk Raul Onitza-Klugman as we also discuss how these findings came to be, what they mean for open source security, and some hypotheses about the future of supply chain security. Didn't catch the live stream? Ask all of your Snyk questions and we’ll do our very best to answer them in the comment section.

View Video

Snyk

Read more about PyPi Malware Stealing Discord and Roblox Payment Info

The "Software Vulnerability Snapshot" reports that 95% of tests uncovered vulnerabilities in target apps

Nov 15, 2022 By Fred Bals In Synopsys

Learn about the key takeaways from the “Software Vulnerability Snapshot” report, which examines security issues uncovered in web and mobile apps.

Read Post

Synopsys

Read more about The "Software Vulnerability Snapshot" reports that 95% of tests uncovered vulnerabilities in target apps

Turns out 78% of reported CVEs on top DockerHub images are not really exploitable

Nov 15, 2022 By Shachar Menashe In JFrog

Similarly to our previous research on “Secrets Detection,” during the development and testing of JFrog Xray’s new “Contextual Analysis” feature, we wanted to test our detection in a large-scale real-world use case, both for eliminating bugs and testing the real-world viability of our current solution.

Read Post

JFrog

Read more about Turns out 78% of reported CVEs on top DockerHub images are not really exploitable

5 best practices for building modern access control for cloud applications

Nov 15, 2022 By Brian Clark In Snyk

Recently, I met with Or Weis — a Snyk Ambassador — to discuss access control in the cloud. Or is an entrepreneur, based in Tel Aviv, where he founded Permit.io, a solution that empowers developers to bake in permissions and access control into any product in minutes and takes away the pain of constantly rebuilding them.

Read Post

Snyk

Read more about 5 best practices for building modern access control for cloud applications

4 Reasons Scan Results May Differ Over Time: Advice from an Application Security Consultant

Nov 15, 2022 By Jim Jastrzebski In Veracode

You didn’t change anything in your code, yet the scan is different this time. Here’s advice from an Application Security Consultant on why that may be. Have you ever wondered why you scan code one day and get one result, and then scan the same code a month later and get different results – even though you never changed anything?

Read Post

Veracode

Read more about 4 Reasons Scan Results May Differ Over Time: Advice from an Application Security Consultant

Stories from the SOC: Fortinet authentication bypass observed in the wild

Nov 14, 2022 By Amer Amer In AT&T Cybersecurity

Fortinet’s newest vulnerability, CVE-2022-40684, allowing for authentication bypass to manipulate admin SSH keys, unauthorized downloading of configuration files, and creating of super admin accounts, has put a big target on the backs of unpatched and exposed Fortinet devices.

Read Post

AT&T Cybersecurity

Read more about Stories from the SOC: Fortinet authentication bypass observed in the wild

SREs bring O.R.D.E.R(R) to C.H.A.O.S - Snyk Ambassadors Show

Nov 14, 2022 By Snyk In Snyk

Join Snyk ambassador Keith McDuffee as he discusses with Brian Clark the role of SREs, their responsibilities and the challenges they face and what are the things keeping SREs on their toes and restless at night?

View Video

Snyk

Read more about SREs bring O.R.D.E.R(R) to C.H.A.O.S - Snyk Ambassadors Show

Cloud security fundamentals part 5: measure what matters

Nov 11, 2022 By Drew Wright In Snyk

Many security engineers have woken up to dozens of Slack messages and emails telling them the day they dreaded is here: a vulnerability has been deployed, and now it must be fixed. Meetings and plans are abandoned while security engineers rush to fix the problem. It’s often a process failure that has led to the now-urgent issue. And these emergency issues can appear across a spectrum that includes all types of remediation efforts.

Read Post