Open Source

Everyone loves open source, and for good reason. We want to help you use open source and stay secure. Read more to learn how this is achievable!

Introducing experimental integrity policies to Node.js

A recent experimental feature introducing integrity policies landed in Node.js core 11.8.0. This capability, so far shipped only in a non-LTS version, provides integrity checks for a Node.js runtime when modules are being loaded, in order to verify that the module code hasn’t been tampered with. Bradley Farias introduced this change in October 2018 and borrowed […]

March 21, 2019

Snyk joins the Continuous Delivery Foundation as a founding member.

As part of Snyk’s mission—to enable developers to use open source software while staying secure—we place a lot of emphasis on our integrations across the software delivery cycle. Scanning and fixing code in your repository is a powerfully dynamic way to secure your app early and often. However, it doesn’t stop there: with our integrations […]

March 20, 2019

What is package-lock.json and how does a lockfile work for Yarn and npm packages?

What is package-lock.json? In this article we will discuss both npm’s package lock file, package-lock.json, and Yarn’s yarn.lock. Package lock files serve as a rich manifest of dependencies for a project: they specify the exact version of each dependency to be installed, as well as the dependencies of those dependencies, and so on—to encompass the […]

March 14, 2019

10 Docker Security Best Practices

Docker container security. The topic of Docker container security raises concerns ranging from Dockerfile security—relating to the Docker base images and potential security misconfigurations—to Docker container security at runtime, regarding network ports, user privileges, Docker-mounted filesystem access, and others. In this article, we will focus on the Docker container security aspects related to […]

March 6, 2019

Python security best practices cheat sheet

In this installment of our cheat sheet series, we’re going to cover the best practices for securely using Python. You can download the cheat sheet here. Many thanks to Kenneth Reitz and Ernest Durbin. 1. Python security starts with Python 3. What version of Python are you using? Many inherent Python security concerns can be […]

February 28, 2019

81% believe developers should own security, but they aren’t well-equipped

A worrying 27% of respondents stated they do not have any proactive or automatic way to find out about newly discovered vulnerabilities in their applications. 37% of users don’t implement any sort of security testing during CI.

February 26, 2019

Top ten most popular docker images each contain at least 30 vulnerabilities

We found that 44% of Docker image scans had known vulnerabilities for which newer and more secure base images were available. Most vulnerabilities originate in the base image you selected. For that reason, remediation should focus on base image fixes.

February 26, 2019

ReDoS vulnerabilities in npm spike by 143% and XSS continues to grow

A ReDoS-prone regex in a single-threaded runtime can be devastating. We’ve also detected that the npm ecosystem has seen the most XSS vulnerabilities, with Maven Central and PyPI following next.

February 26, 2019

78% of vulnerabilities are found in indirect dependencies, making remediation complex

Only one in three developers can address a high or critical-severity vulnerability in a day or less. The more we use open source software, the more risk we accumulate as we’re including someone else’s code that could potentially contain vulnerabilities now or in the future.

February 26, 2019

88% increase in application library vulnerabilities over two years

A good number of security vulnerabilities are discovered and fixed in non-official channels. We measured the Snyk DB to contain 67% more vulnerabilities than public databases. In 2018, new disclosures for npm grew by 47%, and Maven Central grew by 27%.

February 26, 2019

Open source maintainers want to be secure, but 70% lack skills

Maintainers stated their security knowledge is improving but not high enough, averaging 6.6/10, and 1 in 4 open source maintainers do not audit their code bases.

February 26, 2019