Application Security

Want to impress your boss with your security knowledge? Stay up to date by learning why application security is important and how you can improve.

Java configuration: how to prevent security misconfigurations

Java configuration is everywhere. With all the application frameworks the Java ecosystem offers, proper configuration is easily overlooked. However, Java configuration can also become a security issue if it is done the wrong way. We call this misconfiguration. Security misconfiguration is part of the infamous OWASP […]

February 26, 2021

Shifting left security incident management with the Snyk & Opsgenie integration

We’re excited to announce a new integration with Opsgenie, making it easier to further integrate security into existing incident management and operations workflows. This integration is based on Snyk’s new custom webhooks API beta release announced last week. We often tout the benefits of modern software development and digital transformation as cloud computing, containers, DevSecOps […]

February 24, 2021

How to choose a Software Composition Analysis (SCA) tool

Whether you’re a developer or a security engineer, Software Composition Analysis—or SCA for short—is a term you will start to hear of more and more. If you haven’t already, that is. The reason for this is simple. Your company is increasingly relying on open source software and containers to develop its applications and by doing […]

February 22, 2021

AWS vulnerability scanning using the Snyk integration

If you’re using the AWS suite of Kubernetes related tools, you’ll be pleased to know that you can scan with Snyk directly into your workflows there too with integrations into Amazon Elastic Container Registry (ECR) and Amazon Elastic Kubernetes Service (EKS). Here’s how to get started! During this post I’m going […]

February 10, 2021

Go security cheatsheet: 8 security best practices for Go developers

In this installment of our cheatsheet series, we’re going to cover eight Go security best practices for Go developers. The Go language incorporates many built-in features that promote safer development practices—compared to older and lower-level languages like C—such as memory garbage collection and strongly-typed pointers. These features help developers avoid bugs that can lead to […]

February 9, 2021

Identify, prioritize, and fix vulnerabilities with Reachable Vulnerabilities for GitHub

Imagine you are a Java programmer and that you just decided you want to use Snyk Open Source scanning to help you find security problems in your third party libraries. Good call! However, after connecting your repository to the Snyk Open Source scanner, you find out that you have ten or maybe even 50 vulnerabilities […]

January 28, 2021

Prioritize fixes more efficiently with Reachable Vulnerabilities for GitHub

We are pleased to start the new year with the beta availability of Reachable Vulnerabilities for GitHub, providing development and security teams with deep application-level context for vulnerabilities identified in GitHub-hosted applications and enabling them to prioritize fixes more efficiently. Announced in July last year, Reachable Vulnerabilities analyzes an application’s execution path to identify whether […]

January 21, 2021

Cache poisoning in popular open source packages

Following research done by James Kettle from PortSwigger on web cache poisoning, Snyk’s Security Team decided to deepen our knowledge in this field and to explore these vulnerabilities in the open source domain. We focused our research on the most popular web frameworks in both npm and PyPI, such as Flask (Werkzeug), Bottle, Tornado, and […]

January 18, 2021

Security concerns of third-party JavaScript scripts

In their web security talk at SnykCon 2020, Liran Tal and Eric Graham discussed frontend security considerations regarding the frontend attack surface. They portrayed the risks stemming from security vulnerabilities found in third-party dependencies, and then broadened the potential security risk to third-party scripts added for marketing purposes, such as Google’s Tag Manager. […]

December 17, 2020

How do we secure Infrastructure as Code tools?

As its name indicates, Infrastructure as Code (IaC) is the practice of defining the infrastructure your applications run on as code and configuration files. This allows us to not only automate the provisioning of the resources but also to subject it to the same lifecycle processes that historically have applied only to the application codebase. […]

November 27, 2020

Command injection: how it works, what are the risks, and how to prevent it

How do command injection attacks work? To understand programming flaws related to OS command injection attacks, let’s explore a variety of command injection vulnerabilities that were discovered in Node.js based applications. systeminformation is an Operating System (OS) information library that sees more than 500,000 downloads a week, with regular maintenance (commits) and a community around […]

November 24, 2020