2020 Q4 in review—iOS remote code execution, developer-first SAST, and more
In this fourth installment of the Snyk Blog year in review, we’ll be covering some of our key announcements and news that hit the blog in October, November, and December rounding off a year of content. Previously, we’ve highlighted three posts in each quarter ranging from Angular best practices to two rounds of funding and an acquisition – it’s been quite the year already! We’ll start with a post which we alluded to in our previous post.
SEE ALSO: 2020 Q1 in review—JVM ecosystem report, DevSecOps insights, and more
As mentioned in the third quarter post, there were two disclosures that were due to us finding some suspicious activity from the Sourmint SDK on both the iOS and Android platforms. Initially, our first blog post back in August only detailed malicious behavior we caught in the iOS version of the SDK, and this was mostly around Ad fraud and data leaks. However, in October we disclosed new findings that showed a remote code execution was possible on iOS that could be exploited by ad banners or Mintegral themselves. Additionally, the Android SDK was also found to contain malicious code that could leak sensitive data. This is demonstrated in the video below:
The blog covered the notable community reactions, including some monetization platforms, like MoPub, now listing Mintegral as a deprecated network, suggesting it should be “removed from all inventory segments and line items. Singular, a Mobile Measurement Provider (MMP), analyzed the behavior and found evidence of click hijacking activity in some SDK-based networks, and compared the rate of suspicious activity before and after our publication.
What they found was that before our disclosure, those apps showed a significant level of suspected hijacked clicks. However, after our disclosure was made public, they observed a dramatic decrease in fake clicks that happened within less than 24 hours from the publication time, as shown below:
SEE ALSO: 2020 Q2 in review—State of Open Source Security report, DevSecOps Hub, and more
October 2020: Announcing developer-first SAST with Snyk Code
In our previous post, we alluded to a spoiler of Snyk’s new developer-first SAST product called Snyk Code. However at the time the acquisition was announced, while many correctly guessed this was our intention, it was not fully publicised. However, at our inaugural SnykCon event, during the opening day keynote, Guy Podjarny talked about the new product, like a proud new father. “What is SAST?” I hear you say! Well, for the average developer it may not be a familiar term that’s commonly used. SAST, stands for Static Application Security Testing, and is a type of testing that can identify vulnerabilities found in your application’s code. This is different to Software Composition Analysis, or SCA testing, which finds known vulnerabilities in the dependencies that your application uses. Scanning both your application code and the dependencies your application uses is a complementary approach to achieve much better security coverage of your overall application.
However, this isn’t the limit of what we should test for at all, particularly when we think about how a modern application is architected and developed. If you’re creating a cloud native application, you’re more than likely also writing Dockerfiles, that describe the container your application will be deployed in, as well as any infrastructure as code that is needed to deploy and configure your application’s environment. All of this needs to be considered by the developer writing and maintaining this code and configuration, and a real cloud native application platform that performs testing, not just for the application code and dependencies, but also your container dependencies and insecure defaults in your infrastructure as code scripts. If you feel like I’m describing your development environments, you should check out the tooling that Snyk provides which can cover your security needs for all of these aspects of your cloud native applications.
SEE ALSO: 2020 Q3 in review—Snyk & DeepCode, Angular security best practices, and more
The final posts that we’ll highlight in the 2020 round-up cover our SnykCon event. In fact, they’re round up posts, which are mentioned by this blog, a roundup post itself. There were a number of great announcements at SnykCon, some we’ve already mentioned previously, including of course the Snyk Code product announcement. There was one announcement that I think made many of us very proud to be a snyker, which was when we said we had achieved CarbonNeutral® status through The CarbonNeutral Protocol, the leading international guideline for sustainability. Using a combination of organizational efficiency activities, external emissions reduction projects, and renewable energy investment, we will work to offset our carbon footprint of 2,400 metric tons. This is such an important time to not just seriously talk about these problems that affect us all, but to actually act upon them. I’m glad to say I work for a company that doesn’t just take this seriously but is an official CarbonNeutral organization!
There were many great new product features that had been added recently. One that caught my eye and that always receives great interest from developers is the ability to detect Dockerfiles directly from source code repositories, like GitHub. This is a really important step in order to gain adoption of security testing from developers, by making sure that security scanning and testing is accessible and integrated into developer tools.
Another really strategic and important announcement jointly made by Snyk CEO, Peter McKay and Docker CEO, Scott Johnston, was the partnership between the two companies. They announced that Snyk is now the exclusive provider of security insights for Docker Official images and other future content certification programs. Johnston explained that Snyk security insights serve as an essential checkpoint to help developers verify that images are well-maintained and secure.
There’s so much more great content that was all recorded from SnykCon, so I very much encourage you to take a look at the videos available on the Snyk site.
As with previous blogs, there are a number that didn’t quite make the highlights we picked out, but that doesn’t mean you shouldn’t check them out! These include our Snyk support in the popular JHipster application generator platform. Also, we released a slick-looking Snyk developer community which can be found at https://community.snyk.io. Following on from our Angular security best practices cheat sheet, we couldn’t not write one for the React framework too! And finally, but by no means least, we updated our popular Snyk CLI cheat sheet adding updates that include our container support.
And with that, we wish you a safe and happy end of year. Keep an eye out for more great content on the Snyk Blog in 2021!