Developer security resolutions for 2022

As 2022 begins, it’s a great time to set resolutions for the coming year. Don’t worry, we don’t expect you to become a CrossFit guru or break world records on your Peloton. Instead, how about you set goals to improve your abilities as a secure developer?

All too often, we choose resolutions that set ourselves up for failure. A better approach is to set realistic goals. With that in mind, we’d like to suggest developer security resolutions that can all be achieved from the comfort of your office chair.

Read on to learn more about five of our developer security resolutions for 2022.

1. I will sign my container images!

When it comes to container security, many container images are at risk of man-in-the-middle (MITM) attacks, where an image pulled from a registry is tampered with before it reaches the Docker client. That’s why one of our 10 Docker Security Best Practices is to sign and verify every Docker image.

A great option for image signing is cosign, a simple tool from Sigstore that makes it “safe to put in a GitHub repo next to your code, so you can decrypt/sign with a password stored in a secret manager as part of your CI system.” Alternatively, if an image publisher signs their container image using Docker Notary, they can give image consumers confidence that the image maintains integrity when it's transferred from a public or private registry. Then development teams can enable Docker Content Trust to force every image to be signed and verified before use in their projects. Ultimately, this prevents MITM attacks against containerized applications.

Don’t forget: Snyk Container helps you scan containers for vulnerabilities directly within your existing development workflow to improve container security. Container scanning will help you knock this resolution out of the park!

2. I will run all containers with a read-only root file system!

Securely running containers on Kubernetes can be challenging for many teams. A powerful tool that Kubernetes provides is the securityContext, which are security settings every Pod and Container manifest can use. But the securityContext needs to be configured properly to provide adequate security.

One misconfiguration with devastating consequences is running containers with writable root file systems. This would enable malicious actors to elevate their security privileges and tamper with your application. By setting the root file system to read-only in the securityContext configuration, you can protect your containers from attack.

Need help sticking with this resolution? Snyk Infrastructure as Code can scan your Kubernetes configurations to ensure there aren’t any misconfigurations or other security risks.

3. I will not install npm packages that run arbitrary commands!

While open source npm packages help developers build apps much faster, they can introduce security vulnerabilities as well. A specific attack vector that Snyk has uncovered is npm packages that include pre/post install scripts that run arbitrary commands.

By ignoring run scripts, you can prevent arbitrary scripts from running when packages are installed and protect your software supply chain from manipulation. This minimizes the potential attack surface that malicious actors have to work with. 

Snyk Open Source can help you scan for vulnerable open source dependencies within your applications. Snyk can even detect issues in indirect dependencies, which is how most organizations were impacted by the recent Log4j vulnerability. Dependency scanning, therefore, can help find malicious packages across projects in a number of different languages besides JavaScript.

4. I’ll only merge PRs that have gone through an automated code review!

Rapidly building and deploying software is essential for most organizations, but that doesn’t mean they should cut corners with application security. By reviewing all code before it’s merged into the central source code repository, development teams can dramatically improve the security posture of their applications.

The problem is that manual code reviews are time-consuming and peer reviewers may not catch every security issue. That’s why automated code scanning for every code change is crucial for effective application security.

Using Snyk’s integrations with source control managers like GitHub and Bitbucket, you can automatically scan for vulnerabilities during each pull request (PR) before your code is merged.

5. I will always apply secure coding practices!

Companies that want to shift security left can start with adopting secure coding standards. By implementing secure coding best practices, developers can recognize and eliminate vulnerabilities before they introduce issues into the source code of an application.

What better way to improve your secure coding skills this coming year than with Snyk Learn? Our new security education platform helps developers uplevel their secure coding skills through curated content that’s relevant to their own coding projects.

Security needs to be embedded within existing development workflows, so we think it makes sense for security education to also be available where developers work. With Snyk Learn, you can educate yourself to immediately apply secure code practices while you’re writing code.

Cheers to a more secure 2022!

Unlike all those eager joggers who run out of steam by late January, we hope you’ll stick to these resolutions for years to come! This would dramatically improve the security posture of your applications going forward.

Happy New Year and stay secure!

The Snyk DevRel & SecRel teams