Application Security
Want to impress your boss with your security knowledge? Stay up to date by learning why application security is important and how you can improve.
Java configuration: how to prevent security misconfigurations
Java configuration is everywhere. With all the application frameworks in the Java ecosystem, proper configuration is easily overlooked. However, Java configuration done the wrong way can also become a security issue. We call this misconfiguration. Security misconfiguration is part of the infamous OWASP […]
Shifting left security incident management with the Snyk & Opsgenie integration
We’re excited to announce a new integration with Opsgenie, making it easier to further integrate security into existing incident management and operations workflows. This integration is based on Snyk’s new custom webhooks API beta release announced last week. We often tout the benefits of modern software development and digital transformation as cloud computing, containers, DevSecOps […]
How to choose a Software Composition Analysis (SCA) tool
Whether you’re a developer or a security engineer, Software Composition Analysis—or SCA for short—is a term you will start to hear of more and more. If you haven’t already, that is. The reason for this is simple. Your company is increasingly relying on open source software and containers to develop its applications and by doing […]
AWS vulnerability scanning using the Snyk integration
If you’re using the AWS suite of Kubernetes-related tools, you’ll be pleased to know that you can use Snyk scanning directly in your workflows there too, with integrations into Amazon Elastic Container Registry (ECR) and Amazon Elastic Kubernetes Service (EKS). Here’s how to get started! During this post I’m going […]
Go security cheatsheet: 8 security best practices for Go developers
In this installment of our cheatsheet series, we’re going to cover eight Go security best practices for Go developers. The Go language incorporates many built-in features that promote safer development practices—compared to older and lower-level languages like C—such as memory garbage collection and strongly-typed pointers. These features help developers avoid bugs that can lead to […]
Identify, prioritize, and fix vulnerabilities with Reachable Vulnerabilities for GitHub
Imagine you are a Java programmer and that you just decided you want to use Snyk Open Source scanning to help you find security problems in your third party libraries. Good call! However, after connecting your repository to the Snyk Open Source scanner, you find out that you have ten or maybe even 50 vulnerabilities […]
Prioritize fixes more efficiently with Reachable Vulnerabilities for GitHub
We are pleased to start the new year with the beta availability of Reachable Vulnerabilities for GitHub, providing development and security teams with deep application-level context for vulnerabilities identified in GitHub-hosted applications and enabling them to prioritize fixes more efficiently. Announced in July last year, Reachable Vulnerabilities analyzes an application’s execution path to identify whether […]
Cache poisoning in popular open source packages
Following research done by James Kettle from PortSwigger on web cache poisoning, Snyk’s Security Team decided to deepen our knowledge in this field and to explore these vulnerabilities in the open source domain. We focused our research on the most popular web frameworks on both npm and PyPI, such as Flask (Werkzeug), Bottle, Tornado, and […]
Security concerns of third-party JavaScript scripts
In their web security talk at SnykCon 2020, Liran Tal and Eric Graham discussed frontend security considerations regarding the frontend attack surface. They portrayed the risks stemming from security vulnerabilities found in third-party dependencies, and then broadened the potential security risk to third-party scripts added for marketing purposes, such as Google’s Tag Manager. […]
How do we secure Infrastructure as Code tools?
As its name indicates, Infrastructure as Code (IaC) is the practice of defining the infrastructure your applications run on as code and configuration files. This allows us to not only automate the provisioning of the resources but also to subject it to the same lifecycle processes that historically have applied only to the application codebase. […]
Command injection: how it works, what are the risks, and how to prevent it
How do command injection attacks work? To understand programming flaws related to OS command injection attacks, let’s explore a variety of command injection vulnerabilities that were discovered in Node.js-based applications. systeminformation is an Operating System (OS) information library with more than 500,000 downloads a week, regular maintenance (commits), and a community around […]