DevSecOps

Yes, DevSecOps is a buzzword, but it's an important one. Security has a part to play at every stage of the application lifecycle and workflow. Learn how you can best integrate security into your existing pipelines.

Add a SECURITY.md file to your Azure Repos

The following is a best practice guideline from our series of 8 Azure Repos security best practices. 4. Add a SECURITY.md file to your Azure Repos. It's natural for most project owners and maintainers to add a README.md to their repository. In fact, these days it's expected, and it's quite frowned […]

May 6, 2019

Use Personal Access Tokens with Azure Repos

Two-Factor Authentication (2FA) adds an additional level of security to your account by requiring not just a username and password, but also a one-time code from an authenticator application or sent to you by SMS. This ensures that even if your password is compromised, an attacker can't log in to your account without also having your phone.

May 6, 2019

Add security testing to pull requests in Azure Repos

By adding Snyk's native integration with Azure Repos, each pull request is tested to ensure it does not introduce new vulnerabilities into the code base. Policies define the severity level at which a newly introduced vulnerability fails the merge. The following image shows a PR that failed because of the new vulnerabilities it would have added:

May 6, 2019

Rotate Azure Repos SSH keys and personal access tokens

Azure Repos access is typically done using SSH keys or personal access tokens (in lieu of a password). But what happens if those keys or tokens are stolen and you don't know it? Refresh your keys and tokens periodically so that a leaked credential has a bounded lifetime, limiting the damage it can do.

May 6, 2019

Provide granular permissions and groups for users in Azure Repos

Following the principle of least privilege, ensure that contributors are in the correct groups and therefore have only the permissions they need to do their work. Restrict administrative actions to as few accounts as possible.

May 6, 2019

Shifting Docker security left

As more organizations build, share and run Docker containers, the risk of security vulnerabilities grows. Docker images are largely built on top of other images, meaning a vulnerability in a base image is also present in every image that builds on it. The wide adoption of Docker comes at a price: a single vulnerability can be widely spread and have major impact.

April 17, 2019

The top two most popular Docker base images each have over 500 vulnerabilities

Welcome to the Docker security report "Shifting Docker security left". This report is split into several posts: Shifting Docker security left; The top two most popular Docker base images each have over 500 vulnerabilities; 80% of developers are not addressing Docker security; Take actions to improve security in your Docker images. Or download our lovely […]

April 17, 2019

80% of developers are not addressing Docker security

Welcome to the Docker security report: Shifting Docker security left. This report is split into several posts: Shifting Docker security left; The top two most popular Docker base images each have over 500 vulnerabilities; 80% of developers are not addressing Docker security; Take actions to improve security in your Docker images. Or download our lovely […]

April 17, 2019

Take actions to improve security in your Docker images

Welcome to the Docker security report: Shifting Docker security left. This report is split into several posts: Shifting Docker security left; The top two most popular Docker base images each have over 500 vulnerabilities; 80% of developers are not addressing Docker security; Take actions to improve security in your Docker images. Or download our lovely handcrafted […]

April 17, 2019

Cheat sheet: 10 Bitbucket security best practices

In this cheat sheet we'll cover how you can be more secure as a Bitbucket user or contributor. Some of it is specific to Bitbucket, but a lot of it also applies to other Git and non-Git repositories. So let's get started with our list of 10 Bitbucket […]

April 8, 2019

Snyking in – regular expression denial of service vulnerability exploit in the ms package

Welcome to another edition of our Snyking In exploit series! Last time we looked at a directory traversal vulnerability exploit in the st library. In this episode, we'll be looking at a regular expression denial of service vulnerability, demonstrating how it can be exploited, as well as the potential risk it poses to your data […]

March 13, 2019
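To make the regular expression denial of service (ReDoS) shape concrete, here is an added example, not code from the post above or from the ms package. The duration pattern is a constructed stand-in with the same ambiguity that makes such parsers vulnerable: two adjacent digit groups can both consume a digit run, so on a long run of digits followed by a rejected character the engine retries every split point before failing, which is quadratic work. The 100-character cap in the hardened version is an assumed limit, and the unit table is illustrative.

```javascript
// Constructed duration parser illustrating ReDoS via ambiguous quantifiers.
// This is an added example, not the ms package's own code or its real regex.
// Both digit groups can match the same run of digits, so for a hostile
// input of N digits plus a non-matching character the engine tries on the
// order of N^2 split points before reporting "no match".
const NUMBER_UNIT = /^((?:\d+)?\.?\d+) *(ms|s|m|h|d)?$/i;

// Illustrative unit table (milliseconds per unit).
const UNIT_MS = { ms: 1, s: 1000, m: 60 * 1000, h: 60 * 60 * 1000, d: 24 * 60 * 60 * 1000 };

// Vulnerable: the regex runs on the input at whatever length the caller passes.
function parseDurationVulnerable(str) {
  const m = NUMBER_UNIT.exec(str);
  if (!m) return undefined;
  return parseFloat(m[1]) * UNIT_MS[(m[2] || "ms").toLowerCase()];
}

// Hardened: reject oversized input before the regex ever sees it.
// A real duration string is a handful of characters; 100 is an assumed
// ceiling that keeps the worst-case backtracking trivially cheap.
const MAX_LEN = 100;
function parseDurationSafe(str) {
  if (typeof str !== "string" || str.length === 0 || str.length > MAX_LEN) {
    return undefined;
  }
  return parseDurationVulnerable(str);
}

// Attacker-style input (constructed): many digits, then a character the
// pattern cannot match, which forces the backtracking to run to exhaustion.
function hostileInput(digits) {
  return "1".repeat(digits) + "!";
}

// Time one parse call; returns milliseconds spent, so the quadratic growth
// is visible when the digit count doubles.
function timeParse(fn, input) {
  const start = process.hrtime.bigint();
  fn(input);
  return Number(process.hrtime.bigint() - start) / 1e6;
}

// Demonstration run: doubling the input roughly quadruples the time for the
// vulnerable parser, while the guarded parser returns immediately.
for (const n of [2000, 4000, 8000]) {
  const ms = timeParse(parseDurationVulnerable, hostileInput(n)).toFixed(1);
  console.log(`vulnerable parser, ${n} digits: ${ms} ms`);
}
console.log(`safe parser, 8000 digits: ${timeParse(parseDurationSafe, hostileInput(8000)).toFixed(3)} ms`);
```

The length guard is the same class of fix that small parsing libraries usually ship for this bug: it does not change the regex, it bounds the work the regex can be asked to do. Rewriting the pattern so the digit groups are unambiguous is the more thorough fix, and the two together are what you want in code that parses attacker-controlled strings.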