Code execution back door found in Ruby’s rest-client library

On August 19th, 2019 rest-client, a simple HTTP and REST client for Ruby, reported a new security threat. A maintainer’s RubyGem account was compromised and a malicious third party installed a code execution back door. The exploit affects versions greater than 1.6.10 and less than 1.7.0.rc1. What happened? GitHub user juskoljo raised an issue on […]

August 21, 2019

Jackson Deserialization Vulnerability

On July 29th, 2019 a high severity Deserialization of Untrusted Data vulnerability ( CVE-2019-14379, CVE-2019-14439) affecting all versions of com.fasterxml.jackson.core:jackson-databind up to was published. For those of you who use Spring Boot, note that the current release (2.1.7) depends on the older vulnerable jackson-databind 2.9.9 package. We have already updated this in our database […]

August 21, 2019

A year-old dormant malicious remote code execution vulnerability discovered in Webmin

On August 17, 2019, the Webmin team announced the release of Webmin 1.930 and Usermin 1.780. These releases address a newly discovered remote command execution vulnerability found in Webmin versions 1.890 through 1.920. This vulnerability has been present for more than a year and was introduced by a malicious third party. Webmin is an interface […]

August 20, 2019

Securing Artifactory using Snyk

We are excited to share that starting today, you can make sure that vulnerable artifacts will not be used in your organization by using Snyk’s Artifactory plugin! Snyk as your Artifactory gatekeeper Snyk’s Artifactory plugin allows your team to define the desired security level and enforce it across the organization. The plugin prevents the team […]

August 19, 2019

Automating open source security scanning with Snyk and CircleCI

At Snyk, we are committed to building developer-friendly security tools that seek to meet developers where they are already working. This includes broad language support and integration with tools and services that developers already use and love. In that spirit, we are excited to announce that Snyk has partnered with CircleCI to help you use […]

August 16, 2019

10 Eclipse plugins you shouldn’t code without

Developers primarily work from their favorite IDE (integrated development environment). For that reason, good IDE extensions and plugins are becoming more and more important. For this blog, I examined Eclipse IDE plugins and then narrowed it down to the top 10 most helpful plugins that I have added to my own toolkit. You can download […]

August 15, 2019

Kubernetes open sourced their security audit. What can we learn?

Earlier this week, on 6th August, the Cloud Native Computing Foundation (CNCF) published a blog post detailing their recent Kubernetes Security Audit. Last year, the CNCF started their security audit program with three projects: CoreDNS, Envoy, and Prometheus. Since this pilot program was successful, the CNCF is rolling it out to other projects in their […]

August 8, 2019

Securing Go modules made easy (and accurately!)

We are excited to share that starting today, developers can test and monitor their Go projects, which use modules, for open source vulnerabilities and get precise and accurate package-level alerts. We are committed to helping developers secure their open source code, and we work hard to expand our ecosystem and to support additional languages and […]

August 7, 2019

Best practices for rolling out Snyk

The first question many customers ask us after purchasing Snyk is—now how do we roll out the product throughout the company? Whether it’s a security expert who wants to get dev teams involved, and shift security testing left, or the VP of Engineering who’s trying to decide where best to integrate Snyk in the pipeline, […]

August 6, 2019

Announcing new container registry integrations

Snyk is excited to share that we’ve recently added new integrations with your container registries, including Amazon Elastic, Google and Microsoft Azure container registries (ECR, GCR, ACR). And, more are on the way—we’ll soon offer additional ones, including Artifactory, Quay and Nexus. With these new integrations, you’ll be able to scan your container images directly […]

August 5, 2019

Staying ahead of security vulnerabilities with security patches

Traditionally, as part of the software development workflow, teams typically release new versions of their packages or apps in order to fix security issues as they arise. With open-source projects however, because maintainers are usually volunteers and may get distracted by their routine commitments, it may take time before fix releases for packages are published. […]

July 31, 2019