Open Source

Everyone loves open source, and for good reason. We want to help you use open source and stay secure. Read more to learn how this is achievable!

Why npm lockfiles can be a security blindspot for injecting malicious modules

I recently started playing around with the idea of threat modeling packages on the npm ecosystem. Can an event-stream incident happen again? How about other supply chain attacks? What will be the next vector of attack that we haven’t seen yet and might it be entirely preventable? And then, one day I had a eureka! […]

September 24, 2019

Open source security with O’Reilly author Guy Podjarny

Watch the full interview Get your free copy of Securing Open Source Libraries Last week, Snyk Co-founder Guy Podjarny sat  for a live chat to discuss his O’Reilly book Securing Open Source Libraries. This post summarizes a few of the interesting takeaways from the webinar; you can also check out the recording here if you […]

August 30, 2019

Mastering Node.js version management and npm registry sources like a pro

In continuation to the 10 npm security best practices guide we published earlier this year, I’d like to further explore how to make it easier to switch between different Node.js versions and to switch between different npm registries while working in a development environment. Node version manager When developing Node.js applications, you may need to […]

August 28, 2019

Kubernetes open sourced their security audit. What can we learn?

Earlier this week, on 6th August, the Cloud Native Computing Foundation (CNCF) published a blog post detailing their recent Kubernetes Security Audit. Last year, the CNCF started their security audit program with three projects: CoreDNS, Envoy, and Prometheus. Since this pilot program was successful, the CNCF is rolling it out to other projects in their […]

August 8, 2019

Staying ahead of security vulnerabilities with security patches

Traditionally, as part of the software development workflow, teams typically release new versions of their packages or apps in order to fix security issues as they arise. With open-source projects however, because maintainers are usually volunteers and may get distracted by their routine commitments, it may take time before fix releases for packages are published. […]

July 31, 2019

Remote code execution, cross-site scripting, and denial of service vulnerabilities account for 2/3 of known vulnerabilities in .NET ecosystem

Welcome to our new security report: .NET open source security insights. This report is split into three posts: .NET open source security insights Unique to the .NET ecosystem, 75% of the top twenty vulnerabilities have a high severity rating Remote code execution, cross-site scripting, and denial of service vulnerabilities account for 2/3 of known vulnerabilities […]

July 25, 2019

Unique to the .NET ecosystem, 75% of the top twenty vulnerabilities have a high severity rating

Welcome to our new security report: .NET open source security insights. This report is split into three posts: .NET open source security insights Unique to the .NET ecosystem, 75% of the top twenty vulnerabilities have a high severity rating Remote code execution, cross-site scripting, and denial of service vulnerabilities account for 2/3 of known vulnerabilities […]

July 25, 2019

.NET open source security insights

Welcome to our new security report: .NET open source security insights. This report is split into three posts: .NET open source security insights Unique to the .NET ecosystem, 75% of the top twenty vulnerabilities have a high severity rating Remote code execution, cross-site scripting, and denial of service vulnerabilities account for 2/3 of known vulnerabilities […]

July 25, 2019

PCI standards open source security requirements–how to comply?

With the growing usage of open source security in the world of modern software development, there is an urgency to ensure open source is used in a secure way. However, open source security is not yet implemented across the board; a recent report conducted by Snyk found that 37% of open source developers don’t implement […]

July 23, 2019

Snyk research team discovers severe prototype pollution security vulnerabilities affecting all versions of lodash

On July 2nd, 2019, Snyk published a high severity prototype pollution security vulnerability (CVE-2019-10744) affecting all versions of lodash, as the result of an on-going analysis lead by the Snyk security research team. UPDATE: lodash published version 4.17.12 on July 9th which includes Snyk fixes and remediates the vulnerability. We strongly recommend you update to […]

July 4, 2019

New O’Reilly Book: Securing Open Source Libraries by Guy Podjarny

Snyk has partnered with O’Reilly to offer a new book

July 2, 2019