DevSecOps

Yes, DevSecOps is a buzz-word, but it’s an important one! Security has an important part to play in application lifecycles and workflows. Learn how you can best integrate security into your existing pipelines.

10 Docker Security Best Practices

The topic of Docker container security raises concerns ranging from Dockerfile security, relating to the Docker base images and potential security misconfigurations, to Docker container security at runtime regarding network ports, user privileges, Docker mounted filesystem access, and others. In this article, we will focus on the Docker container security aspects related to […]

March 6, 2019

Python security best practices cheat sheet

In this installment of our cheat sheet series, we’re going to cover the best practices for securely using Python. You can download the cheat sheet here. Many thanks to Kenneth Reitz and Ernest Durbin. 1. Python security starts with Python 3 What version of Python are you using? Many inherent Python security concerns can be […]

February 28, 2019

Snyking in – Directory traversal vulnerability exploit in the st package

Welcome to the first edition of a new exploit series we’re calling “Snyking In”! We’ll be looking at various security vulnerabilities, demonstrating how they can be exploited, as well as the potential risk they pose to your data and systems. Our examples will always involve real-world libraries that contain the vulnerability type in at least […]

February 25, 2019

Security in the Container Registry

One of Snyk’s key principles is what we call ‘developer first’. In our product vision, this means fitting into the developer’s existing workflow and tools with powerful product integrations, to make security ownership by developers as seamless as possible. In other words, we want to provide the option to tackle security wherever the developers already are, […]

February 21, 2019

So, you think your CI/CD environment is secure?

This post, co-written by Weaveworks and Snyk, explains how using a GitOps continuous integration (CI)/continuous delivery (CD) pipeline combined with good security practices improves the overall security of your development workflow to Kubernetes. The Typical CI/CD Pipeline: Your CI/CD pipeline might look very similar to the simplified model below. The flow begins from the […]

February 21, 2019

Report Shows the Equifax Breach was “Entirely Preventable”

It’s always great to see our hard-earned tax dollars put to good use. The US government recently released a report showing the spectacular breach of Equifax last year was entirely preventable if Equifax had only made some reasonable efforts to protect themselves – and our data. This post outlines some of the report’s most significant […]

December 18, 2018

Codefresh + Snyk = Ship Fast and Securely

Modern software development is about writing code. Not building, not shipping, but developing: we code, we merge, it builds, it ships. It’s important to test on both sides of the repo frontier, between the code and the automated part. The goal is to test before we merge so the changes go through the pipeline […]

December 11, 2018

A post-mortem of the malicious event-stream backdoor

Last week the imaginable happened. A malicious package, flatmap-stream, was published to npm and was later added as a dependency to the widely used event-stream package by user right9ctrl. Some time, and 8 million downloads later, applications all over the web were unwittingly running malicious code in production. We wrote some early thoughts on our […]

December 6, 2018

Serverless Security: What’s left to protect?

I just had the pleasure of giving a talk about Serverless Security at the inaugural Serverless Computing conference in London, run by Situation Publishing (owner of The Register). The audience was very attentive and I got some great questions after my session. All in all the conference was great and staff behind the event was […]

November 12, 2018

How to crash an email server with a single email

It's true, you can crash an email server with a single email! This guest blog post talks about a vulnerability found in the top five Node mail parsers that will bring each of them down just by clicking send. Joran Greef explains how he found the vulnerability while he was writing his own mail parser and how he disclosed it via Snyk's security team.

August 1, 2018

How to Educate, Train and Empower Developers in Security

The time has come for you to take responsibility for your application security. This may sound daunting to some of you, but don’t fret! There are many resources available to you, including The Secure Developer podcast, run by Snyk’s very own CEO, Guy Podjarny.

July 25, 2018