Snyk Blog

Blog posts about security, and more, from Snyk.
  • Anna Debenham

    Ignoring security issues shouldn't be the default action, but it is sometimes necessary. Snyk only validates vulnerabilities that exist in dependent components, so it has a relatively low false-positive rate (which should reduce the need to ignore), but there are still reasons why you may wish to suppress an issue.

  • Guy Podjarny

    A vulnerability is a vulnerability, whether known or not. The key difference between the two is the likelihood that an attacker is aware of the vulnerability, and thus tries to exploit it.

  • You can't go to a security event nowadays and not hear at least a few speakers say the phrase "DevSecOps". The term has turned into a rallying cry for an approach that automates security throughout the development process. But in order for DevSecOps to succeed, it will first have to die.

  • Danny Grander

    The best solution for known vulnerabilities is to upgrade your software. But sometimes there's not a security update immediately available. The next best solution is to patch your software. In this post, we go through four ways to find security patches for open source software.

  • Open source maintainers give up their own time to create great pieces of free software, which we then use to create business value. In our State of Open Source Security Report, open source consumers and maintainers were asked about their security expertise, actions and sense of ownership—and the results were very mixed.

  • Locking or “pinning” dependencies is a widespread best practice in Ruby, Python, and other ecosystems. In Node.js locking was much less widespread, until recently, thanks to the improvements provided by package-lock.json and yarn.lock. This post discusses how each of these solutions works and why you may want to use them.

  • Stop building security tools that think about dev, and start building dev tools that handle security.

  • The Snyk API gives you access to all the issues associated with a given project. In this post, you'll learn how to use the API to fetch the organisations you have access to, the projects for a given organisation, and all the issues for a given project.

  • Snyk has always been committed to making it easy to use open-source code without compromising security. Today, we're taking another leap forward and launching support for .NET, Go and PHP!

  • The Snyk Heroku Add-on is now out of beta, providing deep integration with your Heroku workflow. In this post, we'll walk through how to get started using the new add-on to keep your Heroku applications free of known vulnerable dependencies.

  • Bower is no longer the dependency manager of choice for front-end projects. While the open source project is still maintained, its creators decided to deprecate it, and have advised how to migrate to other solutions. In this post, we explain why Bower used to be great, list six reasons why it isn't necessary anymore, and explain how to move on to newer and better technologies.

  • Last week, we released our first annual State of Open Source Security report. One of the discoveries the report mentions is that an analysis of around 433,000 sites found that 77% of them use at least one front-end JavaScript library with a known security vulnerability. In this post, we take a deep dive into that problem space.

  • Today we're excited to launch the 2017 State of Open Source Security Report! The full report is available as a free PDF, and the highlights are collected online.

  • Whether a vulnerability is currently exposed or not matters, but only for prioritization. Whether it's exploitable today or not, leaving it unaddressed is an unnecessarily risky decision.

  • Geva Solomonovich

    One of the biggest bottlenecks in security is 'triaging'—the process of validating if a security alert is actually impacting your organization, sizing up the estimated impact, and figuring out how to resolve it. In this article, we'll make the case that we should all be striving to skip triaging and focus on fixing vulnerabilities instead.

  • In this post we review and compare the Apache, BSD and MIT licenses to see which to use in your own project, and when.

  • Snyk is now powering the brand-new vulnerable JavaScript audit in Google Chrome's Lighthouse, the auditing tool built by the Google Chrome team that checks how performant, accessible and secure your site is.

  • Earlier this year we ran a test on the top 5,000 URLs on the web and found that 76.6% of them were running a JavaScript library with at least one known security vulnerability. It's a frighteningly large number. That's why we're proud to announce that Snyk now powers the vulnerable JavaScript libraries linter in Microsoft's Sonar, an open-source linting tool for developers.

  • Danny Grander

    Python 3 and Python 2 have various functional differences. On their own, they’re not necessarily better or worse (though arguably Python 3 should be an improvement), but any change may introduce risk. This post highlights and explains a few differences between the versions that have security implications.

  • Geva Solomonovich

    Where just a few months ago we launched Snyk for Serverless, we are now taking it to the next level by launching the Snyk Heroku Add-On. The add-on is currently in beta, which means it's free to try out! We're looking for people to take it for a test drive and provide us with some feedback.

  • Ellen Van Keulen

    After years of preparation and debate, the General Data Protection Regulation (GDPR) was finally approved by the EU with enforcement starting as early as May 2018, at which time those organisations in non-compliance will face heavy fines. In this post we explain how that impacts companies using open-source and how they can protect themselves.

  • Earlier this week, we kicked off The State of Open Source Security survey. Our goal is to help all of us understand where we stand when it comes to building and consuming open source in a way that keeps us and the data we hold safe.

  • Aner Mazur

    Today we're happy to announce the great features we’ve added for the teams developing and securing software within the Enterprise. We especially focus on Enterprises who recognise that security should be included as early as possible and throughout the developer lifecycle, who want it to be incredibly easy for both their development teams and security teams to use, and who want their developers to fix vulnerabilities, not just find them.

  • Equifax, a credit monitoring giant, disclosed last week it was breached, exposing highly personal data of _143 million_ people. The breach root cause was a vulnerable version of an open source library called Struts. How can you handle such vulnerable libraries in your apps?

  • With Snyk support for Bitbucket Server now out of beta, you can tightly integrate Snyk with your Atlassian workflow from start to finish—from easily monitoring your projects, to integration with Bitbucket pipelines and even JIRA Software ticket creation.

  • Since we launched nearly two years ago, Snyk has been focused on making it easier to use open-source code without compromising security. Today, we're taking another leap forward and launching support for Scala, Python and Gradle!

  • Running `snyk test` out of the box will scan your application's dependencies and test to see if any of them contain known vulnerabilities. In this post, we discuss how you can customize the results using the `--json` option and a few free tools.

  • Today we're happy to announce that we've launched support for testing Cloud Foundry applications for known vulnerabilities in your deployed code! Find us at Cloud Foundry Summit for a first-hand demo.

  • Guy Podjarny

    It's been over 10 years since Cross-Site Scripting (XSS) became big news; awareness has grown and defenses have become much more sophisticated. But, as we show in this post, recent data indicates XSS attacks are only increasing.

  • Guy Podjarny

    Hot on the heels of the launch of Snyk serverless integration for Heroku and AWS Lambda, we are launching our next integration with Bitbucket Server, Atlassian’s Git solution for professional teams. The integration is currently in beta, and we're looking for people to take it for a test drive and provide us with some feedback.

  • Snyk Enterprise is now available on the UK government G-Cloud digital marketplace! Government services can now easily use Snyk to protect their applications against known vulnerabilities in their dependencies—an increasingly important consideration.

  • The OWASP Top 10 is a well known index of web app security vulnerabilities which is used every day by security professionals, but it doesn't currently take into account how often those vulnerabilities are used by hackers. We dug through security breach records to see which vulnerabilities are exploited most frequently.

  • Today Guy Podjarny had the pleasure of presenting at the amazing ServerlessConf in Austin, Texas about security in a serverless world. Here are the slides from his talk, "Serverless Security: What's Left to Secure?"

  • Guy Podjarny

    Today we're excited to announce Snyk's new solution for securing your serverless functions, designed to easily integrate and protect serverless-based applications! The initial launch features tight integration with both AWS Lambda and Heroku. We're also working closely with Google, Red Hat and others to integrate directly with their platforms in the coming months.

  • By its very nature, Serverless (FaaS) addresses some of today's biggest security concerns, but it doesn't fix everything. This post outlines the top areas where Serverless helps or hinders our security efforts, offering advice on how to address concerns and thoughts on what's to come next.

  • Guy Podjarny

    Last November, we announced that in addition to Node.js support, we were adding support for Ruby. And now it's time to expand yet again. Today we're excited to announce Snyk's support for Java and other Maven supporting languages!

  • To do security well, you have to do it continuously, and here at Snyk we want to make that easy. That's why we changed our pricing, removing our project limit and letting you protect all your apps with a few small clicks!

  • The other week a paper was released that reported that about 37% of sites included at least one JavaScript library with a known vulnerability. We ran our own test and discovered that the reality is much worse—76.6% of sites were using at least one vulnerable library.

  • This is the first of a series of posts about Type Manipulation, each demonstrating one or more real-world vulnerabilities made exploitable by manipulating types, and explaining how they could have been avoided. In this post, we'll focus on using type manipulation to circumvent template framework sandboxes.

  • Peter Benjamin recently built a fantastic VS Code plugin for Snyk. We asked him a few questions about the plugin and how and why he built it.

  • Last month, we added a high-severity Prototype Override Protection Bypass vulnerability in the qs package to our database. The fix was released in updated versions of the library about a week ago. This post explains the vulnerability and how to mitigate it.

  • An interesting whitepaper was released at the 2017 NDSS Symposium discussing a large-scale attempt at determining just how vulnerable client-side JavaScript libraries are. We wanted to share some of our thoughts on the report.

  • Geva Solomonovich

    Today we're excited to announce the integration of the Snyk Vulnerability Database with JFrog's Xray.

  • As a security-focused startup, keeping their own application secure is absolutely mission critical for Voltos. In this guest post, Glenn Gillen talks about how Voltos is using Snyk to keep their dependencies free of known vulnerabilities.

  • We recently added a pair of high-severity XML External Entities (XXE) vulnerabilities found in the Nokogiri library to our vulnerability database. This post explains how the vulnerability works and discusses how to fix it in your application.

  • Disclosing vulnerabilities ethically and efficiently is critical to improving the state of security online. In this post we discuss the idea of "responsible disclosures" and why it matters.

  • Doug Wade built a plugin for using Snyk in your Gulp build process. We were really excited to stumble upon the plugin, so we wanted to talk to Doug to hear a little more about it.

  • Karen Yavine

    Today we're open-sourcing pkgbot, a Slack bot for gathering information about Node and Ruby dependencies.

  • The level of danger when it comes to regular expressions and security is quite high. In this post we explain what a regular expression denial of service is and how to prevent them from happening.

  • Guy Podjarny

    Since Snyk launched in late 2015, we've supported testing applications anonymously. Today, we released a new version that requires a (free) registration and authenticating before testing. Here's why we did it.

  • There's a widespread attack on insecure MongoDB installs that has resulted in over 28,000 databases being held to ransom. This post explains the hack, how to protect yourself and what we can learn from it.

  • Jesse Houwing recently published a really helpful Visual Studio Team Services (VSTS) task, making it easier to get Snyk incorporated into your VSTS workflow. We think it's pretty awesome that he built it, so we wanted to learn a bit more about the task and how he did it.

  • Since we launched Ruby last month, we’ve been working away on improvements. Today we’re excited to let you know about our extended support for Ruby.

  • We recently added support for Ruby projects to Snyk. The difference between version handling in RubyGems and npm presented a few challenges along the way. This blog post describes those differences, the problems they caused, and how we resolved them.

  • A high-severity remote code execution vulnerability was found in the `EJS` npm package. Here's how it works, and how to fix it.

  • Josh Emerson

    Just over a week ago, we were sponsors at the Brighton conference, ffconf. It was a day full of brilliant talks, both thought provoking and useful. Ashley Williams of NPM gave a talk titled "A brief history of modularity", which we felt was particularly relevant to Snyk, and so we thought we'd share a summary of the talk here.

  • Guy Podjarny

    After a year of helping Node and npm developers be secure and tuning Snyk's products, we're ready to expand. Today, we're announcing Snyk support for Ruby!

  • Tim Kadlec

    To simplify the task of keeping dependencies in your Serverless application free of known vulnerabilities, we're launching the Serverless Snyk plugin.

  • In the latest episode of The Secure Developer, Sabin Thomas and Guy Podjarny discuss the difference between building security tools aimed at security people and building security tools developers love.

  • Tim Kadlec

    Yarn markets itself as “ultra fast”, “super reliable” and “mega secure”. While it’s true that Yarn is often much faster, and that the new lockfile ensures more consistency when your application is installed, the security claims are a little over-optimistic.

  • Well over 80% of successful exploits today occur due to unpatched servers. Approaches such as Serverless & PaaS should dramatically reduce the risk of outdated binaries. Unfortunately, this transition does nothing to secure open source code packages.

  • At Snyk, our goal is to build security tools that easily fit with your existing workflow. This is why we’re excited to announce Snyk for Bitbucket Pipelines, making it easy to stay secure if you’re managing your work with the Atlassian product stack.

  • We all want to build security into our dev process, but how? The new "The Secure Developer" brings dev leads, AppSec thought leaders and security tools builders to share experiences, techniques and tools to help you build security in.

  • Johanna Kollmann

    If Slack is your team's go-to communication tool, we have good news: you can now get Snyk's security alerts in Slack!

  • What should I defend my application against? Should I deal with Cross-Site Scripting (XSS) attacks? How about SQL injection? Should I protect myself against cross-site request forgery? The short answer is yes. But as always, it's not that simple.

  • Much has been written about ES2015 - with its arrow functions, scoped variable declarations and controversial classes. However, a certain feature has received little love so far: the Proxy.

  • How can we evolve Security as we evolved Ops into DevOps, who owns open source security, and why aren't developers owning security yet? All that and more in this O'Reilly Security podcast episode.

  • Great engineering teams ship fast and employ Continuous Delivery practices. Having an agreed time constraint for releases within the team removes obstacles such as complex merges and low quality of code.

  • Guy Podjarny

    Snyk partners with bitHound to help its users find vulnerable dependencies and take action!

  • Guy Podjarny

    Over 20 years after its inception, HTTPS is finally breaking through. In the last year alone, HTTPS adoption has more than doubled! This is a moment for celebration and learning, and this post digs into the data and the lessons we can learn from it.

  • Anna Debenham

    Having a style guide means we can assemble templates more quickly, and we're less likely to unintentionally build the same thing more than once. We use it a lot for referencing colours, or grabbing some markup for a button or checkbox.

  • Creating Snyk's GitHub integration, released in late June, helped clarify the different steps to truly address vulnerable dependencies, both immediately and in a continuous fashion. These steps are consistent across packaging systems, from npm to Maven to Chef cookbooks. This post explains each step, why they are needed, and how to apply them with Snyk.

  • After 343,000 vulnerability tests, 71,000 applied patches and 4,500 alerts, Snyk is ready to graduate out of Beta! In addition, we're launching two exciting new features, GitHub Integration and Organisations, and offering new premium plans - try them out!

  • Guy Podjarny

    We often talk about the growing number of npm dependencies, and how they make us productive and fast or fragile and insecure. But what exactly is an npm dependency? This post defines the ways to look at an npm dependency.

  • Using a programmable SQL interface such as an ORM (Object Relational Mapping) is a good way to reduce the risk of SQL Injection, which is a very bad vulnerability to have. However, ORM packages are not bulletproof. This post explains why you shouldn't put all your SQL Injection protection eggs in the ORM basket, and what more you can do.

  • Get notifications about new vulnerabilities in Node.js and front-end npm packages via Slack, email, Twitter, Trello or text messages.

  • Guy Podjarny

    A recently published vulnerability in the npm `marked` package shows how attackers can use the flexibility of the Markdown format to introduce Cross-Site Scripting vulnerabilities. This post explains the issue and the fix, and discusses the difficulty of sanitizing complex user input.

  • Multiple severe and trivially exploited vulnerabilities in ImageMagick were disclosed earlier this week, and are known to be exploited in the wild. As there is no official fix yet, we created a package called imagemagick-safe, which disables the vulnerable features, protecting against the known exploits.

  • Test for vulnerabilities — and then monitor — any public Node.js GitHub repo.

  • Guy Podjarny

    Hidden between the wonders of Node lies a ticking bomb by the name of Buffer. If handled incorrectly, this risky class can easily leak server side memory, and with it your secrets and keys. In this post, we’ll explain how Buffer works, show a sample vulnerability and exploit, and explain how you can protect your own application.

  • Guy Podjarny

    Last week, CERT alerted users to the risk of publishing or consuming a malicious npm package. This important risk is not unique to npm, but it is more likely to happen in this ecosystem. This post explains the risk and how you can protect yourself.

  • Guy Podjarny

    Yesterday, Azer Koçulu unpublished a large number of popular packages. Unpublishing allowed malicious actors to grab those package names, and get an immediate footprint on many applications across the web. We modified our tool to help you detect whether your dependencies are exposed to this risk.

  • Until recently Snyk's CLI tool only supported npm@2. That all changed when we released snyk@1.9.0 and added full support for the new npm@3 directory structures. In this post, Remy shares some of the technical challenges involved and the new tooling that came out of the process.

  • A little over 3 years ago, a few friends and I started a group called pasten to participate in the Chaos Computer Club's Capture The Flag (CTF) competition. It is a jeopardy style CTF, where the participating teams need to solve security related challenges in various categories such as exploitation, reverse engineering, web, forensic & crypto.

  • Earlier this month, a researcher named ChALkeR shared his research on leaked credentials in npm packages. The findings showed credentials, such as npm and GitHub tokens and passwords, are frequently included in published npm packages or GitHub repositories. In fact, 13 of the top 15 npm packages depend on packages that leaked credentials, thus exposing their users.

  • Guy Podjarny

    I'm excited to announce Snyk is now live! Snyk helps you find and fix known vulnerabilities in your Node.js dependencies. These are publicly documented security holes, making them easy for attackers to track and exploit.

  • Guy Podjarny

    HTTPS, HTTP over TLS, has been around since 1994, and has been well adopted by the security sensitive web — online banking, shopping, taxes and more. However, the vast majority of websites (est. 81% to 97%) continue to communicate using clear (unencrypted) HTTP — no matter how insecure that is.
