  • May 10, 2017

    Which of the OWASP Top 10 Caused the World’s Biggest Data Breaches?

    The OWASP Top 10 is a well-known index of web app security vulnerabilities that is used every day by security professionals, but it doesn't currently take into account how often those vulnerabilities are used by hackers. We dug through security breach records to see which vulnerabilities are exploited most frequently.
  • April 28, 2017

    Serverless Security at Serverless Conf

    Today Guy Podjarny had the pleasure of presenting at the amazing ServerlessConf in Austin, Texas about security in a serverless world. Here are the slides from his talk, "Serverless Security: What's Left to Secure?"
  • April 26, 2017

    Introducing Snyk for Serverless

    Today we're excited to announce Snyk's new solution for securing your serverless functions, designed to easily integrate and protect serverless-based applications! The initial launch features tight integration with both AWS Lambda and Heroku. We're also working closely with Google, Red Hat and others to integrate directly with their platforms in the coming months.
  • April 19, 2017

    Serverless Security implications—from infra to OWASP

    By its very nature, Serverless (FaaS) addresses some of today's biggest security concerns, but it doesn't fix them all. This post outlines the top areas where Serverless helps or hinders our security efforts, offering advice on how to address concerns and thoughts on what's to come next.
  • April 18, 2017

    Maven support is here!

    Last November, we announced that in addition to Node.js support, we were adding support for Ruby. And now it's time to expand yet again. Today we're excited to announce Snyk's support for Java and other languages built with Maven!
  • April 05, 2017

    Continuously secure all apps with unlimited Snyk projects

    To do security well, you have to do it continuously, and here at Snyk we want to make that easy. That's why we changed our pricing, removing our project limit and letting you protect all your apps with a few small clicks!
  • March 29, 2017

    77% of sites use at least one vulnerable JavaScript library

    The other week a paper was released that reported that about 37% of sites included at least one JavaScript library with a known vulnerability. We ran our own test and discovered that the reality is much worse—76.6% of sites were using at least one vulnerable library.
  • March 21, 2017

    Type Manipulation: Escaping Template Sandboxes

    This is the first of a series of posts about Type Manipulation, each demonstrating one or more real-world vulnerabilities made exploitable by manipulating types, and explaining how they could have been avoided. In this post, we'll focus on using type manipulation to circumvent template framework sandboxes.
  • March 16, 2017

    Building a Snyk Plugin for VS Code: An Interview with Peter Benjamin

    Peter Benjamin recently built a fantastic VS Code plugin for Snyk. We asked him a few questions about the plugin and how and why he built it.
  • March 14, 2017

    Fixing a Prototype Override Protection Bypass Vulnerability in qs

    Last month, we added a high-severity Prototype Override Protection Bypass vulnerability in the qs package to our database. The fix was released in updated versions of the library about a week ago. This post explains the vulnerability and how to mitigate it.
  • March 09, 2017

    The Frequency of Known Vulnerabilities in JavaScript Libraries

    An interesting whitepaper was released at the 2017 NDSS Symposium discussing a large-scale attempt at determining just how vulnerable client-side JavaScript libraries are. We wanted to share some of our thoughts on the report.
  • February 28, 2017

    Announcing Snyk's Integration with Xray

    Today we're excited to announce the integration of the Snyk Vulnerability Database with JFrog's Xray.
  • February 22, 2017

    How Voltos Uses Snyk to Secure Their Own Security Product

    As a security-focused startup, keeping their own application secure is absolutely mission critical for Voltos. In this guest post, Glenn Gillen talks about how Voltos is using Snyk to keep their dependencies free of known vulnerabilities.
  • February 14, 2017

    Fixing XXE Vulnerabilities in Nokogiri

    We recently added a pair of high-severity XML External Entities (XXE) vulnerabilities found in the Nokogiri library to our vulnerability database. This post explains how the vulnerability works and discusses how to fix it in your application.
  • January 31, 2017

    Understanding Responsible Disclosures

    Disclosing vulnerabilities ethically and efficiently is critical to improving the state of security online. In this post we discuss the idea of "responsible disclosures" and why it matters.
  • January 26, 2017

    Building the Gulp Snyk plugin, an interview with Doug Wade

    Doug Wade built a plugin for using Snyk in your Gulp build process. We were really excited to stumble upon the plugin, so we wanted to talk to Doug to hear a little more about it.
  • January 19, 2017

    Introducing pkgbot!

    Today we're open-sourcing pkgbot, a Slack bot for gathering information about Node and Ruby dependencies.
  • January 17, 2017

    Regular Expression Denial of Service and Catastrophic Backtracking

    The level of danger when it comes to regular expressions and security is quite high. In this post we explain what a regular expression denial of service is and how to prevent one from happening.
  • January 12, 2017

    Requiring authentication in Snyk CLI

    Since Snyk launched in late 2015, we've supported testing applications anonymously. Today, we released a new version that requires (free) registration and authentication before testing. Here's why we did it.
  • January 10, 2017

    The MongoDB hack and the importance of secure defaults

    There's a widespread attack on insecure MongoDB installs that has resulted in over 28,000 databases being held ransom. This post explains the hack, how to protect yourself and what we can learn from it.
  • December 21, 2016

    Building the VSTS Snyk task, an interview with Jesse Houwing

    Jesse Houwing recently published a really helpful Visual Studio Team Services (VSTS) task, making it easier to get Snyk incorporated into your VSTS workflow. We think it's pretty awesome that he built it, so we wanted to learn a bit more about the task and how he did it.
  • December 19, 2016

    Announcing Snyk CLI for Ruby, and more ways to fix Ruby vulnerabilities

    Since we launched Ruby last month, we’ve been working away on improvements. Today we’re excited to let you know about our extended support for Ruby.
  • December 14, 2016

    Differences in version handling between RubyGems and npm

    We recently added support for Ruby projects to Snyk. The difference between version handling in RubyGems and npm presented a few challenges along the way. This blog post describes those differences, the problems they caused, and how we resolved them.
  • November 30, 2016

    Fixing a Remote Code Execution Vulnerability in EJS

    A high-severity remote code execution vulnerability was found in the `EJS` npm package. Here's how it works, and how to fix it.
  • November 21, 2016

    A brief history of modularity

    Just over a week ago, we were sponsors at the Brighton conference, ffconf. It was a day full of brilliant talks, both thought provoking and useful. Ashley Williams of NPM gave a talk titled "A brief history of modularity", which we felt was particularly relevant to Snyk, and so we thought we'd share a summary of the talk here.
  • November 10, 2016

    Announcing Snyk for Ruby

    After a year of helping Node and npm developers be secure and tuning Snyk's products, we're ready to expand. Today, we're announcing Snyk support for Ruby!
  • November 03, 2016

    Launching Serverless Snyk

    To simplify the task of keeping dependencies in your Serverless application free of known vulnerabilities, we're launching the Serverless Snyk plugin.
  • October 26, 2016

    Building Security Tools Developers Love

    In the latest episode of The Secure Developer, Sabin Thomas and Guy Podjarny discuss the difference between security tools aimed at security people versus building security tools developers love.
  • October 25, 2016

    Yarn is Micro Secure

    Yarn markets itself as “ultra fast”, “super reliable” and “mega secure”. While it’s true that Yarn is often much faster, and that the new lockfile ensures more consistency when your application is installed, the security claims are a little over-optimistic.
  • October 20, 2016

    Fixing Serverless Security Vulnerabilities

    Well over 80% of successful exploits today occur due to unpatched servers. Approaches such as Serverless & PaaS should dramatically reduce the risk of outdated binaries. Unfortunately, this transition does nothing to secure open source code packages.
  • October 12, 2016

    Announcing Snyk for Bitbucket Pipelines

    At Snyk, our goal is to build security tools that easily fit with your existing workflow. This is why we’re excited to announce Snyk for Bitbucket Pipelines, making it easy to stay secure if you’re managing your work with the Atlassian product stack.
  • October 11, 2016

    Launching "The Secure Developer" Podcast

    We all want to build security into our dev process, but how? The new "The Secure Developer" podcast brings dev leads, AppSec thought leaders and security tool builders together to share experiences, techniques and tools to help you build security in.
  • September 28, 2016

    Get Snyk security alerts on Slack

    If Slack is your team's go-to communication tool, we have good news: you can now get Snyk's security alerts in Slack!
  • August 31, 2016

    Threat Modelling For Node.js Applications

    What should I defend my application against? Should I deal with Cross-Site Scripting (XSS) attacks? How about SQL injection? Should I protect myself against cross-site request forgery? The short answer is yes. But as always, it's not that simple.
  • August 23, 2016

    Using ES2015 Proxy for fun and profit

    Much has been written about ES2015 - with its arrow functions, scoped variable declarations and controversial classes. However, a certain feature has received little love so far: the Proxy.
  • August 16, 2016

    What DevOps and Open Source Security have in common

    How can we evolve Security the way Ops evolved into DevOps? Who owns open source security, and why aren't developers owning security yet? All that and more in this O'Reilly Security podcast episode.
  • August 04, 2016

    Engineering is somewhat like basketball

    Great engineering teams ship fast and employ Continuous Delivery practices. Having an agreed time constraint for releases within the team removes obstacles such as complex merges and low quality of code.
  • July 27, 2016

    Enriching bitHound with Snyk

    Snyk partners with bitHound to help its users find vulnerable dependencies and take action!
  • July 20, 2016

    HTTPS Adoption *doubled* this year

    Over 20 years after its inception, HTTPS is finally breaking through. In the last year alone, HTTPS adoption has more than doubled! This is a moment for celebration and learning, and this post digs into the data and the lessons we can learn from it.
  • July 13, 2016

    Snyk's Style Guide

    Having a style guide means we can assemble templates more quickly, and we're less likely to unintentionally build the same thing more than once. We use it a lot for referencing colours, or grabbing some markup for a button or checkbox.
  • July 07, 2016

    4 steps to address vulnerable dependencies

    Creating Snyk's GitHub integration, released in late June, helped clarify the different steps to truly address vulnerable dependencies, both immediately and in a continuous fashion. These steps are consistent across packaging systems, from npm to Maven to Chef cookbooks. This post explains each step, why they are needed, and how to apply them with Snyk.
  • June 22, 2016

    Out of Beta, plus exciting new features

    After 343,000 vulnerability tests, 71,000 applied patches and 4,500 alerts, Snyk is ready to graduate out of Beta! In addition, we're launching two exciting new features, GitHub Integration and Organisations, and offering new premium plans - try them out!
  • June 16, 2016

    The 5 dimensions of an npm dependency

    We often talk about the growing number of npm dependencies, and how they make us productive and fast or fragile and insecure. But what exactly is an npm dependency? This post defines the ways to look at an npm dependency.
  • June 08, 2016

    Fixing SQL Injection: ORM is not enough

    Using a programmable SQL interface such as an ORM (Object Relational Mapping) is a good way to reduce the risk of SQL Injection, which is a very bad vulnerability to have. However, ORM packages are not bulletproof. This post explains why you shouldn't put all your SQL Injection protection eggs in the ORM basket, and what more you can do.
  • June 02, 2016

    5 Ways to Get Node.js Vulnerability Alerts

    Get notifications about new vulnerabilities in Node.js and front-end npm packages via Slack, email, Twitter, Trello or text messages.
  • May 16, 2016

    Fixing `marked` XSS vulnerability

    A recently published vulnerability in the npm `marked` package shows how attackers can use the flexibility of the Markdown format to introduce Cross-Site Scripting vulnerabilities. This post explains the issue and the fix, and discusses the difficulty of sanitizing complex user input.
  • May 06, 2016

    Mitigating ImageMagick vulnerabilities in Node.js

    Multiple severe and trivially exploited vulnerabilities in ImageMagick were disclosed earlier this week, and are known to be exploited in the wild. As there is no official fix yet, we created a package called imagemagick-safe, which disables the vulnerable features, protecting against the known exploits.
  • April 20, 2016

    Free vulnerability testing and monitoring for public GitHub projects

    Test for vulnerabilities — and then monitor — any public Node.js GitHub repo.
  • April 05, 2016

    Exploiting Buffer

    Hidden between the wonders of Node lies a ticking bomb by the name of Buffer. If handled incorrectly, this risky class can easily leak server side memory, and with it your secrets and keys. In this post, we’ll explain how Buffer works, show a sample vulnerability and exploit, and explain how you can protect your own application.
  • March 27, 2016

    How to prevent malicious packages

    Last week, CERT alerted users to the risk of publishing or consuming a malicious npm package. This important risk is not unique to npm, but it is more likely to happen in this ecosystem. This post explains the risk and how you can protect yourself.
  • March 22, 2016

    Testing for unpublished packages

    Yesterday, Azer Koçulu unpublished a large number of popular packages. Unpublishing allowed malicious actors to grab those package names, and get an immediate footprint on many applications across the web. We modified our tool to help you detect whether your dependencies are exposed to this risk.
  • February 25, 2016

    Tackling the new npm@3 dependency tree

    Until recently Snyk's CLI tool only supported npm@2. That all changed when we released snyk@1.9.0 and added full support for the new npm@3 directory structures. In this post, Remy shares some of the technical challenges involved and the new tooling that came out of the process.
  • February 16, 2016

    Using Node.js Event Loop for Timing Attacks

    A little over 3 years ago, a few friends and I started a group called pasten to participate in the Chaos Computer Club's Capture The Flag (CTF) competition. It is a jeopardy style CTF, where the participating teams need to solve security related challenges in various categories such as exploitation, reverse engineering, web, forensic & crypto.
  • December 14, 2015

    Keeping your Open Source credentials closed

    Earlier this month, a researcher named ChALkeR shared his research on leaked credentials in npm packages. The findings showed credentials, such as npm and GitHub tokens and passwords, are frequently included in published npm packages or GitHub repositories. In fact, 13 of the top 15 npm packages depend on packages that leaked credentials, thus exposing their users.
  • December 03, 2015

    Launching Snyk

    I'm excited to announce Snyk is now live! Snyk helps you find and fix known vulnerabilities in your Node.js dependencies. These are publicly documented security holes, making them easy for attackers to track and exploit.
  • July 10, 2015

    10 Reasons To Use HTTPS

    HTTPS, HTTP over TLS, has been around since 1994, and has been well adopted by the security sensitive web — online banking, shopping, taxes and more. However, the vast majority of websites (est. 81% to 97%) continue to communicate using clear (unencrypted) HTTP — no matter how insecure that is.