Engineering

Looking for highly technical articles? Our Engineering team is here to provide you with tool- and technology-specific content, as well as in-depth technical guides to the Snyk products.

New year's resolution: Don't show my security tokens when hacking my demo application on stage

My new year's resolution for 2022 is: Don't expose confidential information while I hack my applications during demos or presentations...

January 12, 2022

URL confusion vulnerabilities in the wild: Exploring parser inconsistencies

In this post, we will take a look at the history of URLs, explore possible sources of URL parser confusion, run through an exploit POC, and then provide recommendations for keeping yourself safe from URL confusion based attacks.

January 10, 2022

CTF secrets revealed: TopLang challenge from SnykCon 2021 explained

Did you take part in Fetch the Flag this year? The inaugural SnykCon CTF featured a fan favorite challenge: TopLang. Learn how we approached creating it and how you can solve it.

January 5, 2022

Snyk Code in 2021: Redefining SAST

Starting in early 2021, Snyk Code became available as a freemium offering for Snyk users. Snyk Code helps developers quickly and accurately find, prioritize, and fix security flaws in proprietary code. With detailed remediation guidance at every stage of the software development lifecycle (SDLC), from the developer’s environment (IDE) to continuous integration and development (CI/CD)

December 21, 2021

Log4j 2.16 High Severity Vulnerability (CVE-2021-45105) Discovered

Overnight, it was disclosed by Apache that Log4j version 2.16 is also vulnerable by way of a Denial of Service attack, with the impact being a full application crash; the severity for this is classified as High (7.5). Snyk is currently not aware of any fully-fledged PoCs or exploits in circulation. CVE-2021-45105 has been issued,

December 18, 2021

Log4Shell in a nutshell (for non-developers & non-Java developers)

In this post, we'll give an explanation of Log4Shell for non-developers and an overview of the Log4Shell vulnerability for non-Java developers.

December 15, 2021

Java JSON deserialization problems with the Jackson ObjectMapper

Learn how Jackson ObjectMapper deserialization vulnerabilities work and how to make sure you are not affected by them.

December 1, 2021

How to prevent Trojan Source attacks with Snyk Code

Learn to use Snyk Code to find and fix Trojan Source in your source code.

November 17, 2021

Best practices for containerizing Python applications with Docker

In this post, we'll attend to those concerns and take a look at 6 best practices when containerizing Python applications with Docker.

November 11, 2021

Exploring extensions of dependency confusion attacks via npm package aliasing

Learn about a new extension to dependency confusion that is premised on npm's package aliasing capabilities.

November 4, 2021

Lessons learned from improving full-text search at Snyk with Elasticsearch

We're currently moving the "issues" tab of Snyk reports over to Elasticsearch. Read what we learned about analyzers, tokenizers, and search in the process.

November 4, 2021