Snyk Blog

Blog posts about security, and more, from Snyk.

  • Snyk for your Enterprise

    Aner Mazur

    Today we're happy to announce new features for the teams developing and securing software within the enterprise. We especially focus on enterprises that recognise that security should be included as early as possible and throughout the development lifecycle, that want it to be easy for both their development and security teams to use, and that want their developers to fix vulnerabilities, not just find them.

  • Equifax, a credit monitoring giant, disclosed last week that it was breached, exposing highly personal data of _143 million_ people. The root cause of the breach was a vulnerable version of an open source library, Apache Struts. How can you handle such vulnerable libraries in your apps?

  • Snyk and Atlassian, Sitting in a Tree

    Aner Mazur

    With Snyk support for Bitbucket Server now out of beta, you can tightly integrate Snyk with your Atlassian workflow from start to finish: from easily monitoring your projects, to integration with Bitbucket Pipelines and even JIRA Software ticket creation.

  • Since we launched nearly two years ago, Snyk has been focused on making it easier to use open-source code without compromising security. Today, we're taking another leap forward and launching support for Scala, Python and Gradle!

  • Running `snyk test` out of the box will scan your application's dependencies and test whether any of them contain known vulnerabilities. In this post, we discuss how you can customize the results using the `--json` option and a few free tools.

  • Today we're happy to announce that we've launched support for testing Cloud Foundry applications for known vulnerabilities in your deployed code! Find us at Cloud Foundry Summit for a first-hand demo.

  • XSS Attacks: The Next Wave

    Guy Podjarny

    It has been over 10 years since Cross Site Scripting (XSS) became big news; awareness has grown and defenses have become much more sophisticated. But, as we show in this post, recent data indicates that XSS attacks are only increasing.

  • Bitbucket Server Integration in Beta

    Guy Podjarny

    Hot on the heels of the launch of Snyk serverless integration for Heroku and AWS Lambda, we are launching our next integration with Bitbucket Server, Atlassian’s Git solution for professional teams. The integration is currently in beta, and we're looking for people to take it for a test drive and provide us with some feedback.

  • Snyk Enterprise is now available on the UK government G-Cloud digital marketplace! Government services can now easily use Snyk to protect their applications against known vulnerabilities in their dependencies—an increasingly important consideration.

  • The OWASP Top 10 is a well known index of web app security vulnerabilities which is used every day by security professionals, but it doesn't currently take into account how often those vulnerabilities are used by hackers. We dug through security breach records to see which vulnerabilities are exploited most frequently.

  • Serverless Security at Serverless Conf

    Guy Podjarny

    Today Guy Podjarny had the pleasure of presenting at the amazing ServerlessConf in Austin, Texas about security in a serverless world. Here are the slides from his talk, "Serverless Security: What's Left to Secure?"

  • Introducing Snyk for Serverless

    Guy Podjarny

    Today we're excited to announce Snyk's new solution for securing your serverless functions, designed to easily integrate and protect serverless-based applications! The initial launch features tight integration with both AWS Lambda and Heroku. We're also working closely with Google, Red Hat and others to integrate directly with their platforms in the coming months.

  • By its very nature, Serverless (FaaS) addresses some of today's biggest security concerns, but it doesn't fix them all. This post outlines the top areas where Serverless helps or hinders our security efforts, offering advice on how to address the concerns and thoughts on what comes next.

  • Maven support is here!

    Guy Podjarny

    Last November, we announced that in addition to Node.js support, we were adding support for Ruby. And now it's time to expand yet again. Today we're excited to announce Snyk's support for Java and other languages that build with Maven!

  • To do security well, you have to do it continuously, and here at Snyk we want to make that easy. That's why we changed our pricing, removing our project limit and letting you protect all your apps with a few small clicks!

  • The other week a paper was released that reported that about 37% of sites included at least one JavaScript library with a known vulnerability. We ran our own test and discovered that the reality is much worse—76.6% of sites were using at least one vulnerable library.

  • This is the first of a series of posts about Type Manipulation, each demonstrating one or more real-world vulnerabilities made exploitable by manipulating types, and explaining how they could have been avoided. In this post, we'll focus on using type manipulation to circumvent template-framework sandboxes.

  • Peter Benjamin recently built a fantastic VS Code plugin for Snyk. We asked him a few questions about the plugin and how and why he built it.

  • Last month, we added a high-severity Prototype Override Protection Bypass vulnerability in the qs package to our database. The fix was released in updated versions of the library about a week ago. This post explains the vulnerability and how to mitigate it.

  • An interesting whitepaper was released at the 2017 NDSS Symposium discussing a large-scale attempt at determining just how vulnerable client-side JavaScript libraries are. We wanted to share some of our thoughts on the report.

  • Announcing Snyk's Integration with Xray

    Geva Solomonovich

    Today we're excited to announce the integration of the Snyk Vulnerability Database with JFrog's Xray.

  • As a security-focused startup, keeping their own application secure is absolutely mission critical for Voltos. In this guest post, Glenn Gillen talks about how Voltos is using Snyk to keep their dependencies free of known vulnerabilities.

  • Fixing XXE Vulnerabilities in Nokogiri

    Tim Kadlec

    We recently added a pair of high-severity XML External Entity (XXE) vulnerabilities found in the Nokogiri library to our vulnerability database. This post explains how the vulnerabilities work and discusses how to fix them in your application.

  • Understanding Responsible Disclosures

    Tim Kadlec

    Disclosing vulnerabilities ethically and efficiently is critical to improving the state of security online. In this post we discuss the idea of "responsible disclosures" and why it matters.

  • Doug Wade built a plugin for using Snyk in your Gulp build process. We were really excited to stumble upon the plugin, so we wanted to talk to Doug to hear a little more about it.

  • Introducing pkgbot!

    Karen Yavine

    Today we're open-sourcing pkgbot, a Slack bot for gathering information about Node and Ruby dependencies.

  • Regular expressions are a common and underestimated source of denial-of-service risk. In this post we explain what a regular expression denial of service (ReDoS) is and how to prevent it.

  • Requiring authentication in Snyk CLI

    Guy Podjarny

    Since Snyk launched in late 2015, we've supported testing applications anonymously. Today, we released a new version that requires (free) registration and authentication before testing. Here's why we did it.

  • There's a widespread attack on insecure MongoDB installs that has resulted in over 28,000 databases being held ransom. This post explains the hack, how to protect yourself and what we can learn from it.

  • Jesse Houwing recently published a really helpful Visual Studio Team Services (VSTS) task, making it easier to get Snyk incorporated into your VSTS workflow. We think it's pretty awesome that he built it, so we wanted to learn a bit more about the task and how he did it.

  • Since we launched Ruby last month, we’ve been working away on improvements. Today we’re excited to let you know about our extended support for Ruby.

  • We recently added support for Ruby projects to Snyk. The difference between version handling in RubyGems and npm presented a few challenges along the way. This blog post describes those differences, the problems they caused, and how we resolved them.

  • A high-severity remote code execution vulnerability was found in the `EJS` npm package. Here's how it works, and how to fix it.

  • A brief history of modularity

    Josh Emerson

    Just over a week ago, we were sponsors at the Brighton conference, ffconf. It was a day full of brilliant talks, both thought provoking and useful. Ashley Williams of NPM gave a talk titled "A brief history of modularity", which we felt was particularly relevant to Snyk, and so we thought we'd share a summary of the talk here.

  • Announcing Snyk for Ruby

    Guy Podjarny

    After a year of helping Node and npm developers be secure and tuning Snyk's products, we're ready to expand. Today, we're announcing Snyk support for Ruby!

  • Launching Serverless Snyk

    Tim Kadlec

    To simplify the task of keeping dependencies in your Serverless application free of known vulnerabilities, we're launching the Serverless Snyk plugin.

  • Building Security Tools Developers Love

    Guy Podjarny

    In the latest episode of The Secure Developer, Sabin Thomas and Guy Podjarny discuss the difference between security tools aimed at security people and security tools developers love.

  • Yarn is Micro Secure

    Tim Kadlec

    Yarn markets itself as “ultra fast”, “super reliable” and “mega secure”. While it’s true that Yarn is often much faster, and that the new lockfile ensures more consistency when your application is installed, the security claims are a little over-optimistic.

  • Fixing Serverless Security Vulnerabilities

    Guy Podjarny

    Well over 80% of successful exploits today occur due to unpatched servers. Approaches such as Serverless & PaaS should dramatically reduce the risk of outdated binaries. Unfortunately, this transition does nothing to secure open source code packages.

  • Announcing Snyk for Bitbucket Pipelines

    Guy Podjarny

    At Snyk, our goal is to build security tools that easily fit with your existing workflow. This is why we’re excited to announce Snyk for Bitbucket Pipelines, making it easy to stay secure if you’re managing your work with the Atlassian product stack.

  • Launching "The Secure Developer" Podcast

    Guy Podjarny

    We all want to build security into our dev process, but how? The new "The Secure Developer" podcast brings dev leads, AppSec thought leaders and security tool builders together to share the experiences, techniques and tools that help you build security in.

  • Get Snyk security alerts on Slack

    Johanna Kollmann

    If Slack is your team's go-to communication tool, we have good news: you can now get Snyk's security alerts in Slack!

  • Threat Modelling For Node.js Applications

    Gergely Nemeth

    What should I defend my application against? Should I deal with Cross-Site Scripting (XSS) attacks? How about SQL injection? Should I protect myself against cross-site request forgery? The short answer is yes. But as always, it's not that simple.

  • Much has been written about ES2015 - with its arrow functions, scoped variable declarations and controversial classes. However, a certain feature has received little love so far: the Proxy.

  • How can we evolve Security the way we evolved Ops into DevOps, who owns open source security, and why aren't developers owning security yet? All that and more in this O'Reilly Security podcast episode.

  • Engineering is somewhat like basketball

    Anton Drukh

    Great engineering teams ship fast and employ Continuous Delivery practices. Having an agreed time constraint for releases within the team removes obstacles such as complex merges and low quality of code.

  • Enriching bitHound with Snyk

    Guy Podjarny

    Snyk partners with bitHound to help its users find vulnerable dependencies and take action!

  • HTTPS Adoption *doubled* this year

    Guy Podjarny

    Over 20 years after its inception, HTTPS is finally breaking through. In the last year alone, HTTPS adoption has more than doubled! This is a moment for celebration and learning, and this post digs into the data and the lessons we can draw from it.

  • Snyk's Style Guide

    Anna Debenham

    Having a style guide means we can assemble templates more quickly, and we're less likely to unintentionally build the same thing more than once. We use it a lot for referencing colours, or grabbing some markup for a button or checkbox.

  • 4 steps to address vulnerable dependencies

    Guy Podjarny

    Creating Snyk's GitHub integration, released in late June, helped clarify the different steps to truly address vulnerable dependencies, both immediately and in a continuous fashion. These steps are consistent across packaging systems, from npm to Maven to Chef cookbooks. This post explains each step, why they are needed, and how to apply them with Snyk.

  • Out of Beta, plus exciting new features

    Guy Podjarny

    After 343,000 vulnerability tests, 71,000 applied patches and 4,500 alerts, Snyk is ready to graduate out of Beta! In addition, we're launching two exciting new features, GitHub Integration and Organisations, and offering new premium plans - try them out!

  • The 5 dimensions of an npm dependency

    Guy Podjarny

    We often talk about the growing number of npm dependencies, and how they make us productive and fast or fragile and insecure. But what exactly is an npm dependency? This post defines the ways to look at an npm dependency.

  • Fixing SQL Injection: ORM is not enough

    Guy Podjarny

    Using a programmable SQL interface such as an ORM (Object Relational Mapping) is a good way to reduce the risk of SQL Injection, which is a very bad vulnerability to have. However, ORM packages are not bullet proof. This post explains why you shouldn't put all your SQL Injection protection eggs in the ORM basket, and what more you can do.

  • 5 Ways to Get Node.js Vulnerability Alerts

    Guy Podjarny

    Get notifications about new vulnerabilities in Node.js and front-end npm packages via Slack, email, Twitter, Trello or text messages.

  • Fixing `marked` XSS vulnerability

    Guy Podjarny

    A recently published vulnerability in the npm `marked` package shows how attackers can use the flexibility of the Markdown format to introduce Cross-Site Scripting vulnerabilities. This post explains the issue and the fix, and discusses the difficulty of sanitizing complex user input.

  • Multiple severe and trivially exploited vulnerabilities in ImageMagick were disclosed earlier this week, and are known to be exploited in the wild. As there is no official fix yet, we created a package called imagemagick-safe, which disables the vulnerable features, protecting against the known exploits.

  • Test for vulnerabilities — and then monitor — any public Node.js GitHub repo.

  • Exploiting Buffer

    Guy Podjarny

    Hidden between the wonders of Node lies a ticking bomb by the name of Buffer. If handled incorrectly, this risky class can easily leak server side memory, and with it your secrets and keys. In this post, we’ll explain how Buffer works, show a sample vulnerability and exploit, and explain how you can protect your own application.

  • How to prevent malicious packages

    Guy Podjarny

    Last week, CERT alerted users to the risk of publishing or consuming a malicious npm package. This important risk is not unique to npm, but it is more likely to happen in this ecosystem. This post explains the risk and how you can protect yourself.

  • Testing for unpublished packages

    Guy Podjarny

    Yesterday, Azer Koçulu unpublished a large number of popular packages. Unpublishing allowed malicious actors to grab those package names, and get an immediate footprint on many applications across the web. We modified our tool to help you detect whether your dependencies are exposed to this risk.

  • Tackling the new npm@3 dependency tree

    Remy Sharp

    Until recently Snyk's CLI tool only supported npm@2. That all changed when we released snyk@1.9.0 and added full support for the new npm@3 directory structures. In this post, Remy shares some of the technical challenges involved and the new tooling that came out of the process.

  • Using Node.js Event Loop for Timing Attacks

    Danny Grander

    A little over 3 years ago, a few friends and I started a group called pasten to participate in the Chaos Computer Club's Capture The Flag (CTF) competition. It is a jeopardy-style CTF, where the participating teams need to solve security-related challenges in various categories such as exploitation, reverse engineering, web, forensics and crypto.

  • Earlier this month, a researcher named ChALkeR shared his research on leaked credentials in npm packages. The findings showed credentials, such as npm and GitHub tokens and passwords, are frequently included in published npm packages or GitHub repositories. In fact, 13 of the top 15 npm packages depend on packages that leaked credentials, thus exposing their users.

  • Launching Snyk

    Guy Podjarny

    I'm excited to announce Snyk is now live! Snyk helps you find and fix known vulnerabilities in your Node.js dependencies. These are publicly documented security holes, making them easy for attackers to track and exploit.

  • 10 Reasons To Use HTTPS

    Guy Podjarny

    HTTPS, HTTP over SSL and later TLS, has been around since 1994, and has been well adopted by the security-sensitive web: online banking, shopping, taxes and more. However, the vast majority of websites (est. 81% to 97%) continue to communicate using clear (unencrypted) HTTP, no matter how insecure that is.
