SourMint: malicious code, ad fraud, and data leak in iOS

The Snyk research team has uncovered malicious behavior in a popular advertising SDK used by over 1,200 apps in the App Store, which together represent over 300 million downloads per month, based on industry expert estimates.

August 24, 2020

Prototype pollution in express-fileupload

Welcome to the Snyk Monthly Vulnerability Profile. In this series, Snyk looks back on the vulnerabilities discovered by or reported to our Security Research Team. We choose one noteworthy vulnerability from the past month and tell the story behind the discovery, research, and disclosure of the vulnerability. We highlight the researchers, developers, and users who […]

August 24, 2020

New ESG research points out key application security trends

“Shift left” has become the holy grail for security teams today, but organizations are still struggling to successfully implement some of the key application security processes that shifting security left entails. A new study on application security trends in 2020, sponsored by Snyk and conducted by Enterprise Strategy Group (ESG), has found that while developers […]

August 19, 2020

Reachable vulnerabilities: how to effectively prioritize open source security

A common problem our clients report is being overwhelmed by vulnerabilities. For small projects, you might end up depending on dozens, or even hundreds, of open source libraries. For large enterprise applications, it might feel like your dependencies include half of the ecosystem. The proliferation of third-party dependencies leads to the proliferation of vulnerabilities associated […]

August 18, 2020

Announcing Snyk’s developer-first Infrastructure as Code security capabilities

We’re thrilled to announce the launch of our developer-first Infrastructure as Code security capabilities, enabling developers to find and fix misconfigurations that can lead to security problems. With the rise in popularity of technologies such as Docker, Kubernetes, and Terraform, developers are writing and maintaining more and more configuration in addition to building the application […]

August 17, 2020

Career growth in a scale-up world

Last month, on the back of employee reviews, Snyk was recognized on Comparably’s list of Best Companies for Professional Development. All of which has me thinking a lot about career growth in the scale-up world. When you’re in a fast-growing organization, revenue’s going up, you’re hiring like crazy, and all around you there’s an air of […]

August 17, 2020

Snykers spoke, we listened—Snyk collects 4 Best Place to Work awards by Comparably

In this year’s Comparably awards, Snyk was honored with four different Best Place to Work awards that highlight some of the best aspects of Snyk culture! It’s no news that this year has been a difficult and divisive year for almost everybody. However, these past few months have built a strong and positive foundation for […]

August 13, 2020

Java dependency management: how many lines of code does my application hold?

A few weeks ago I had the opportunity to give a presentation at the Dutch Java conference JSpring. The talk was about Java dependency management. During this talk, I created a simple Spring Boot application and determined the number of lines my Java dependencies brought in versus the number of lines I wrote myself. This […]

August 12, 2020

Angular security best practices

Angular security best practice #1: use interpolation ({{ }}) to safely encode potentially dangerous characters and escape untrusted HTML or CSS expressions within a template expression.
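The following is an added illustration, not code from the Snyk post or from Angular itself: a minimal emulation of why text interpolation is safe while raw HTML insertion is not. The `escapeHtml`, `renderInterpolated` and `renderUnsafe` functions are hypothetical stand-ins for the framework's text-node rendering versus a string concatenation into markup, and the payload and template are constructed for the demonstration.

```typescript
// Added example (not from the original post, not Angular's own code).
// Emulates the difference between {{ }} text interpolation, which renders a
// text node, and concatenating an untrusted value straight into markup.

// Escape the characters that let a value break out of a text context.
// Assumption: this stands in for the framework's text-node rendering.
function escapeHtml(value: string): string {
  return value
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hypothetical renderer: replaces {{ name }} placeholders with escaped values,
// so attacker-controlled text can never become an element or an attribute.
function renderInterpolated(template: string, ctx: Record<string, string>): string {
  return template.replace(/\{\{\s*(\w+)\s*\}\}/g, (_m, key: string) =>
    escapeHtml(ctx[key] ?? ""));
}

// Unsafe counterpart: the raw value is spliced into the markup (the pattern to avoid).
function renderUnsafe(template: string, ctx: Record<string, string>): string {
  return template.replace(/\{\{\s*(\w+)\s*\}\}/g, (_m, key: string) => ctx[key] ?? "");
}

// Constructed payload: an attribute-based handler that needs no <script> tag,
// so a filter that only strips <script> would miss it.
const PAYLOAD = `<img src=x onerror="alert(document.cookie)">`;
const TEMPLATE = `<p>Hello, {{ name }}!</p>`;

// Crude check used by the demo: does any tag other than the template's own <p>
// survive in the rendered output?
function containsInjectedTag(html: string): boolean {
  return /<(?!\/?p\b)[a-z][^>]*>/i.test(html);
}

// Render the same template both ways with the same untrusted input.
function demo(): { safe: string; unsafe: string } {
  return {
    safe: renderInterpolated(TEMPLATE, { name: PAYLOAD }),
    unsafe: renderUnsafe(TEMPLATE, { name: PAYLOAD }),
  };
}

const result = demo();
console.log("interpolated:", result.safe);   // payload survives only as inert text
console.log("unsafe      :", result.unsafe); // payload survives as a live <img> element
```

The escaped rendering keeps the attacker's string visible on the page but as inert text, which is the property the interpolation syntax gives you for free; the concatenated rendering hands the browser a live element with an event handler.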

August 10, 2020

Prioritizing vulnerabilities in Kubernetes deployments

Snyk has recently introduced a Priority Score to help prioritize the vulnerabilities we detect, helping you identify the most important issues that need your attention.

Prioritization and Snyk Container

The new Priority Score is fully supported in Snyk Container. All of your container images will be scored based on the severity of the vulnerability, data we […]

August 6, 2020

Breaking out of message brokers

I recently reported two vulnerabilities in Apache Airflow—an open-source library that allows developers to programmatically author, schedule, and monitor workflows. Both of the vulnerabilities allow the attacker to change scope and gain privileges for a different machine, and they both rely on the attacker gaining access to the message broker before performing the attack. In […]

August 5, 2020