Yes, DevSecOps is a buzzword, but it’s an important one! Security has an important part to play in application lifecycles and workflows. Learn how you can best integrate security into your existing pipelines.
Zip Slip is a form of directory traversal that can be exploited by extracting files from an archive. This cheat sheet informs you of vulnerable libraries and code snippets that are exploitable by a Zip Slip attack. Additionally, it provides you with the information you need to upgrade to fixed library versions and offers tips on how to find and fix your own vulnerable code.
You can't go to a security event nowadays and not hear at least a few speakers say the phrase "DevSecOps". The term has turned into a rallying cry for an approach that automates security throughout the development process. But in order for DevSecOps to succeed, it will first have to die.
Locking or “pinning” dependencies is a widespread best practice in Ruby, Python, and other ecosystems. In Node.js locking was much less widespread, until recently, thanks to the improvements provided by package-lock.json and yarn.lock. This post discusses how each of these solutions works and why you may want to use them.
Stop building security tools that think about dev, and start building dev tools that handle security.
Running snyk test will scan your application’s dependencies and test to see if any of them contain known vulnerabilities. If any vulnerabilities are discovered, the command will result in an error and output information about the vulnerability, and how to address it, to the console. It works great in a CI environment and provides you […]
By its very nature, Serverless (FaaS) addresses some of today's biggest security concerns, but it doesn't fix them all. This post outlines the top areas where Serverless helps or hinders our security efforts, offering advice on how to address concerns and thoughts on what's to come next.
There's a widespread attack on insecure MongoDB installs that has resulted in over 28,000 databases being held ransom. This post explains the hack, how to protect yourself and what we can learn from it.
Just over a week ago, we were sponsors at the Brighton conference, ffconf. It was a day full of brilliant talks, both thought-provoking and useful. Ashley Williams of npm gave a talk titled “A brief history of modularity”, which we felt was particularly relevant to Snyk, and so we thought we’d share a summary […]
Most would agree we should build more security into our development practices. Between the increasing pace of development, the shortage of security practitioners and the fact that most vulnerabilities are simply bugs, it seems clear we should build security into the dev process and not bolt it on later. So now that we agree we should […]
Recently, I had the pleasure of joining Courtney Nash on the new O’Reilly Security podcast. We had a really good conversation, covering key topics such as: why developers should own security, and why they haven’t done so yet; how we can bring the DevOps revolution into the world of security; what are each of our […]