Ecosystems

Interested in ecosystem-specific posts? We’ve got your back! Read through our posts and learn how security impacts your environment.

Preventing YAML parsing vulnerabilities with snakeyaml in Java

YAML files are often used to configure applications, application servers, or clusters. It is a very common format in Spring Boot applications and, of course, for configuring Kubernetes. However, similarly to JSON and XML, you can use YAML to serialize and deserialize data. Although YAML looks like an excellent alternative to XML and JSON, many […]

March 30, 2021

Backstage integration with the Snyk API

What is Backstage? Backstage began life as an internal project at Spotify and was released as an open-source project in 2020. Its original intention was to be a central location where the company had a registry of all software it had in production, but it has since evolved into a much more advanced platform, including […]

March 17, 2021

Docker Hub Authentication: Is 2021 the year you enable 2FA on Docker Hub?

Judging by the reactions I saw in the audience during my past talks on “Securing Containers By Breaking In”, as well as recent reactions on Twitter, not many know about Docker Hub’s fairly recent multi-factor authentication feature. In October 2019, in order to improve the Docker Hub authentication mechanism, Docker rolled out a beta release […]

March 15, 2021

Solving Java security issues in my Spring MVC application

The Spring MVC framework is a well-known Java framework to build interactive web applications. It implements the Model-View-Controller architecture pattern to separate the different aspects of your application. Separating the different logic elements like representation logic, input logic, and business logic is generally considered good architectural practice. This separation of concerns, when implemented correctly, provides […]

March 15, 2021

Java configuration: how to prevent security misconfigurations

Java configuration is everywhere. With all the application frameworks that the Java ecosystem has, proper configuration is something that is easily overlooked. However, Java configuration can also end up as a security issue if it is done the wrong way. We call this misconfiguration. Security misconfiguration is part of the infamous OWASP […]

February 26, 2021

10 best practices to build a Java container with Docker

So, you want to build a Java application and run it inside a Docker image? Wouldn’t it be awesome if you knew what best practices to follow when building a Java container with Docker? Let me help you out with this one! In the following cheatsheet, I will provide you with best practices to build […]

February 18, 2021

Java ecosystem survey 2021

Hello Java developers! Just like in 2020, we are creating a comprehensive Java 2021 report that reflects the state of the JVM ecosystem. Below you will find a summary of the JVM Ecosystem 2020 report. As always, we couldn’t have done this without you! So, once again, we ask for your help with the 2021 […]

February 15, 2021

AWS vulnerability scanning using the Snyk integration

If you’re using the AWS suite of Kubernetes-related tools, you’ll be pleased to know that you can scan with Snyk directly in your workflows there too, with integrations into Amazon Elastic Container Registry (ECR) and Amazon Elastic Kubernetes Service (EKS). Here’s how to get started! During this post I’m going […]

February 10, 2021

Go security cheatsheet: 8 security best practices for Go developers

In this installment of our cheatsheet series, we’re going to cover eight Go security best practices for Go developers. The Go language incorporates many built-in features that promote safer development practices—compared to older and lower-level languages like C—such as memory garbage collection and strongly-typed pointers. These features help developers avoid bugs that can lead to […]

February 9, 2021

Identify, prioritize, and fix vulnerabilities with Reachable Vulnerabilities for GitHub

Imagine you are a Java programmer and that you just decided you want to use Snyk Open Source scanning to help you find security problems in your third-party libraries. Good call! However, after connecting your repository to the Snyk Open Source scanner, you find out that you have ten or maybe even 50 vulnerabilities […]

January 28, 2021

Docker for Node.js developers: 5 things you need to know not to fail your security

Docker is totalling up to over 50 billion downloads of container images. With millions of applications available on Docker Hub, container-based applications are popular and offer an easy way to consume and publish applications. That being said, the naive way of building your own Docker Node.js web applications may come with many security risks. So, […]

January 25, 2021