Security in the Container Registry

One of Snyk’s key principles is what we call ‘developer first’. In our product vision, this means fitting into the developer’s existing workflow and tools with powerful product integrations, to make security ownership by developers as seamless as possible. In other words, we want to provide the option to tackle security wherever the developers already are, […]

February 21, 2019

So, you think your CI/CD environment is secure?

This post, co-written by Weaveworks and Snyk, explains how using a GitOps continuous integration (CI)/continuous delivery (CD) pipeline combined with good security practices improves the overall security of your development workflow to Kubernetes. The Typical CI/CD Pipeline: Your CI/CD pipeline might look very similar to the simplified model below. The flow begins from the […]

February 21, 2019

10 npm Security Best Practices

Concerned about npm vulnerabilities? It is important to take npm security best practices into account for both frontend and backend developers. Open source security auditing is a crucial part of shifting security to the left, and npm package security should be a top concern, as we see that even the official npm command line tool […]

February 19, 2019

Introducing The Secure Developer Community

The Secure Developer Community: Today Snyk is happy to announce the launch of The Secure Developer, a community and educational resource for all things security. We’ll bring together the greatest security experts to share their experiences on building security into their workflows, discussing tools that can help, and reviewing […]

February 14, 2019

A serious security flaw in runC can result in root privilege escalation in Docker and Kubernetes

A security flaw discovered by Adam Iwaniuk and Borys Popławski and found in open source software runC was disclosed on February 11th, 2019 and described in CVE-2019-5736. The vulnerability, affecting several container engines such as Docker and Kubernetes, is found in a key component of container engines and allows containers to break out of their […]

February 13, 2019

My First Week at Snyk was at our All Hands Conference

I spent my first day at Snyk on an eleven-hour flight to Tel Aviv. It was a very non-traditional first day and the start to a very non-traditional first week at my new job as a Developer Advocate. Twice a year Snykers from around the world come together to take part in an All Hands […]

February 12, 2019

Scanning Docker images for key binaries – going beyond package managers

We’re happy to share that we’ve just extended our Docker scans to now include scanning key binaries that were manually installed on the Docker image. Up until now, we only scanned OS packages that were installed by OS package managers such as dpkg, apk or rpm. Now we have also extended our support to scan […]

February 7, 2019

NumPy Arbitrary Code Execution Vulnerability

A recently discovered vulnerability in NumPy, the widely used open source package for scientific computing in Python, allows for the execution of arbitrary, potentially malicious code. NumPy: NumPy is part of the SciPy ecosystem, which is a collection of open source software packages for mathematics, science, and engineering. NumPy is used in both industry and […]

February 4, 2019

Launching .NET support for GitHub, Bitbucket and GitLab

We are excited to announce that we are now providing .NET source code management support. As of today, Snyk enables importing, scanning and monitoring of .NET projects directly within GitHub, GitLab, and Bitbucket without having to move away to Snyk. Snyk is committed to helping developers secure their open source code, and we work hard […]

February 4, 2019

Severe Security Vulnerability in Bower’s Zip Archive Extraction

Earlier this month it was found that Bower, a popular web package manager, is vulnerable to archive extractions and currently, we can associate two security incidents with it, for which follow-up releases to address them are available: Arbitrary file writes with potential remote command injection, which was fixed in Bower 1.8.6, resulted from the Zip […]

January 31, 2019