Application Security

Want to impress your boss with your security knowledge? Stay up to date by learning why application security is important and how you can improve.

New Year's resolution: Don’t show my security tokens when hacking my demo application on stage

My new year's resolution for 2022 is: Don't expose confidential information while I hack my applications during demos or presentations...

January 12, 2022

The Secure Developer: 2021 in review

On the year end episode of The Secure Developer, Guy sat down with Snyk Field CTO Simon Maple to discuss the themes, advice, and future expectations that appeared in this year’s episodes.

January 12, 2022

URL confusion vulnerabilities in the wild: Exploring parser inconsistencies

In this post, we will take a look at the history of URLs, explore possible sources of URL parser confusion, run through an exploit POC, and then provide recommendations for keeping yourself safe from URL confusion based attacks.

January 10, 2022

Open source maintainer pulls the plug on npm packages colors and faker, now what?

Snyk issued a Denial of Service security vulnerability for colors@1.4.1, following this vulnerable code. We highly recommend you revert to colors@1.4.0, and pin your dependencies’ versions to avoid blind upgrades of the offending version. We also recommend you migrate to a different package.

January 9, 2022

FTC highlights the importance of securing Log4j and software supply chain

Earlier this week, the FTC issued a warning to companies regarding the Log4j vulnerability. Given the rampant exploitation of the recently discovered vulnerabilities in this ubiquitous open source logging package, it’s encouraging to see the agency take this rare step, beginning to form a firm stance on software supply chain security. Although this increased scrutiny

January 7, 2022

Developer security resolutions for 2022

Learn more about five of our developer security resolutions for 2022.

January 5, 2022

Log4Shell webinar: What you need to know

Here’s a recap of our latest Log4Shell webinar about mitigating the Log4j vulnerability.

January 4, 2022

New Log4j 2.17.1 fixes CVE-2021-44832 remote code execution (but it’s not as bad as it sounds)

As previously predicted, at approximately 7:35 PM GMT on 28 December 2021, another security vulnerability impacting the Log4j logging library was published as CVE-2021-44832. This new vulnerability affects versions up to 2.17.0, which was previously thought to be fixed. It is similar in nature to CVE-2021-4104, which affected the

December 28, 2021

Snyk Code in 2021: Redefining SAST

Starting in early 2021, Snyk Code became available as a freemium offering for Snyk users. Snyk Code helps developers quickly and accurately find, prioritize, and fix security flaws in proprietary code, with detailed remediation guidance at every stage of the software development lifecycle (SDLC), from the developer’s environment (IDE) to continuous integration and continuous delivery (CI/CD)

December 21, 2021

Snyk makes it easier to fix Log4Shell with extended free scans

Due to the recently discovered Log4Shell vulnerability, and to support the tremendous effort being mounted by the community to address it, we are happy to announce that we are increasing the free test limit in Snyk Open Source! This means that any developer, no matter the company or project, can now use Snyk Open Source

December 20, 2021

Log4j 2.16 High Severity Vulnerability (CVE-2021-45105) Discovered

Overnight, Apache disclosed that Log4j version 2.16 is also vulnerable to a Denial of Service attack whose impact is a full application crash; the severity is classified as High (7.5). Snyk is currently not aware of any fully-fledged PoCs or exploits in circulation. CVE-2021-45105 has been issued,

December 18, 2021