DevSecOps

Yes, DevSecOps is a buzz-word, but it’s an important one! Security has an important part to play in application lifecycles and workflows. Learn how you can best integrate security into your existing pipelines.

Zip Slip Vulnerability Cheat Sheet

Zip Slip is a form of directory traversal that can be exploited by extracting files from an archive. This cheat sheet informs you of vulnerable libraries and code snippets that are susceptible to a Zip Slip attack. Additionally, it provides you with the information you need to upgrade to fixed library versions and offers tips on how to find and fix your own vulnerable code.

June 28, 2018

We’ll know DevSecOps has won once it’s dead

You can't go to a security event nowadays and not hear at least a few speakers say the phrase "DevSecOps". The term has turned into a rallying cry for an approach that automates security throughout the development process. But in order for DevSecOps to succeed, it will first have to die.

January 31, 2018

npm Shrinkwrap Reloaded: Locking npm Deps with Package-Lock and Yarn.Lock

Locking or “pinning” dependencies is a widespread best practice in Ruby, Python, and other ecosystems. In Node.js, locking was much less widespread until recently, thanks to the improvements provided by package-lock.json and yarn.lock. This post discusses how each of these solutions works and why you may want to use them.

January 10, 2018

Don’t build security tools, build developer tools instead

Stop building security tools that think about dev, and start building dev tools that handle security.

January 9, 2018

Getting the Most Out of Snyk Test with JSON

Running snyk test will scan your application’s dependencies and test to see if any of them contain known vulnerabilities. If any vulnerabilities are discovered, the command will result in an error and output information about the vulnerability, and how to address it, to the console. It works great in a CI environment and provides you […]

June 29, 2017

Serverless Security at Serverless Conf

Today Guy Podjarny had the pleasure of presenting at the amazing ServerlessConf in Austin, Texas about security in a serverless world. Here are the slides from his talk, "Serverless Security: What's Left to Secure?"

April 28, 2017

Serverless Security implications—from infra to OWASP

By its very nature, Serverless (FaaS) addresses some of today's biggest security concerns, but it doesn't fix them all. This post outlines the top areas where Serverless helps or hinders our security efforts, offering advice on how to address concerns and thoughts on what's to come next.

April 19, 2017

The MongoDB hack and the importance of secure defaults

There's a widespread attack on insecure MongoDB installs that has resulted in over 28,000 databases being held ransom. This post explains the hack, how to protect yourself and what we can learn from it.

January 10, 2017

A brief history of modularity

Just over a week ago, we were sponsors at the Brighton conference, ffconf. It was a day full of brilliant talks, both thought provoking and useful. Ashley Williams of npm gave a talk titled “A brief history of modularity”, which we felt was particularly relevant to Snyk, and so we thought we’d share a summary […]

November 21, 2016

Launching “The Secure Developer” Podcast

Most would agree we should build more security into our development practices. Between the increasing pace of development, the shortage of security practitioners and the fact that most vulnerabilities are simply bugs, it seems clear we should build security into the dev process and not bolt it on later. So now that we agree we should […]

October 11, 2016

What DevOps and Open Source Security have in common

Recently I had the pleasure of joining Courtney Nash on the new O’Reilly Security podcast. We had a really good conversation, covering key topics such as: why developers should own security, and why they haven’t done so yet; how can we bring the DevOps revolution into the world of security; what are each of our […]

August 16, 2016