Application Security

Want to impress your boss with your security knowledge? Stay up to date by learning why application security is important and how you can improve.

How to increase Serverless observability, monitoring and security

Functions are often short-lived and deployed in large numbers, and they are invoked more and more frequently as you scale. For these reasons, it is easy to lose track of the flow of events and hard to pinpoint the root cause of any given error. On top of that, as serverless adoption grows for an organization, it […]

July 15, 2019

Concerns of supply-chain attacks amplify as remote code execution was found in Ruby gem strong_password

On July 5th, 2019, the CVE-2019-13354 security advisory was published for a malicious version of the strong_password Ruby gem which allows for remote code execution in applications bundling the vulnerable dependency. We have already added the vulnerability to our database, and if your Ruby project is being monitored by Snyk, you will have already been […]

July 6, 2019

Snyk research team discovers severe prototype pollution security vulnerabilities affecting all versions of lodash

On July 2nd, 2019, Snyk published a high severity prototype pollution security vulnerability (CVE-2019-10744) affecting all versions of lodash, as the result of an ongoing analysis led by the Snyk security research team. UPDATE: lodash published version 4.17.12 on July 9th, which includes Snyk's fixes and remediates the vulnerability. We strongly recommend you update to […]

July 4, 2019

Serverless is great, but what about the security of my AWS Lambda functions and their dependencies?

Function as a Service (FaaS) platforms patch your operating system dependencies for you, but do nothing to secure your application dependencies, such as those pulled from npm, PyPI, Maven and the like. These libraries are just as prevalent and just as vulnerable as operating system dependencies, and you—the application owner—are responsible for upgrading or patching […]

July 3, 2019

New O’Reilly Book: Securing Open Source Libraries by Guy Podjarny

Snyk has partnered with O’Reilly to offer a new book

July 2, 2019

Yet another malicious package found in npm, targeting cryptocurrency wallets

Cryptocurrency wallet developer Komodo has been in the news recently as the most recent victim of an attempted cryptocurrency attack by malicious code injection via npm dependencies. The EasyDEX-GUI project which provides a graphical user interface (GUI) to SuperNET/Iguana cryptocurrency APIs and is used by Komodo’s Agama wallet has been found to contain a malicious […]

June 17, 2019

Best practices for secrets management in serverless applications

If you’re building a serverless application, chances are that your functions need to access secrets or other types of sensitive information that you’re storing, such as API keys, tokens, or passwords. However, managing these secrets properly may sometimes prove to be a difficult task. When users fail to adopt a key management service, these secrets, […]

June 13, 2019

10 Serverless security best practices

10 serverless security best practices for securing your serverless and cloud functions, from managing secrets, to data security, function isolation, least privileges and many more!

May 31, 2019

Java Top 10 Security Vulnerabilities Disclosed [2019 – List]

Our friends at OverOps post a yearly blog listing the popularity of Java libraries, based on GitHub mentions. Accordingly, in this post, we’ll take a look at the vulnerabilities that have been found in the top ten Java libraries picked by OverOps, and focus on three of them in more depth. Firstly, following are the […]

May 27, 2019

Scoring security vulnerabilities 101: Introducing CVSS for CVEs

Similar to how software bugs are triaged for a severity level, so are security vulnerabilities, as they need to be assessed for impact and risk, which aids in vulnerability management. The Forum of Incident Response and Security Teams (FIRST) is an international organization of trusted computer security researchers and scientists that has received the task […]

May 16, 2019

CRLF injection found in popular Python dependency, urllib3

On April 18, 2019 a CRLF injection vulnerability was found in the popular Python library, urllib3. The urllib3 library is an HTTP client for Python that includes valuable features such as thread safety, connection pooling, client-side SSL/TLS verification, and more. It is used widely in the Python ecosystem, including within requests, another popular library. In […]

May 15, 2019