Zip Slip is a form of directory traversal that is exploited by extracting files from an archive: an entry name containing `../` sequences lets the attacker write outside the intended extraction directory. This cheat sheet lists vulnerable libraries and code snippets that are exploitable by a Zip Slip attack. Additionally, it gives you the information you need to upgrade to fixed library versions and offers tips on how to find and fix your own vulnerable code.
Today Snyk released a container vulnerability management solution which empowers developers to fully own the security of their Dockerized application! Containers are becoming the standard form in which applications are packaged and executed, so the need to protect not only the application itself but the entire container against open source vulnerabilities is growing. Snyk, being […]
In this post we’ll look at the most common types of vulnerabilities for two of the main ecosystems we track in our vulnerability database, namely Maven Central and npm. The Snyk Vulnerability database consists of vulnerabilities from over 1,000,000 open source packages we track that use Composer, Go, Maven Central, npm, NuGet, pip and Rubygems.
Over the past few months, we’ve been working closely with customers who use Snyk alongside various issue trackers as a way of managing their vulnerability remediation process. The most popular ask has been an integration with Jira so that a Snyk vulnerability or license issue’s progress can be tracked, from disclosure, to assignment to the relevant person, and finally to remediation. We wanted to help speed up that workflow, and make raising a Jira issue as quick and easy as possible.
One of our most frequent feature requests recently has been for the ability to generate an API token that isn't tied to a particular user. We're really excited to be able to now offer our Pro and Enterprise customers the ability to create Service Accounts – a special type of user that has an API token associated with it.
The Snyk Security team is today announcing the public disclosure of a critical arbitrary file overwrite vulnerability called Zip Slip. It is a widespread vulnerability which typically results in remote command execution, because overwriting an executable, script or configuration file outside the extraction directory can lead to code execution when that file is next run. The vulnerability affects thousands of projects.
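The two Zip Slip items above (the cheat sheet and the disclosure) describe the same root cause: an extractor joins an attacker-controlled entry name onto the destination directory and writes without checking where the resulting path resolves. The block below is an added example, not code from Snyk's cheat sheet or from any affected library, and it is in Python rather than the Java ecosystems the disclosure mostly concerns. It constructs a sample archive in memory with a `../../outside.txt` entry, runs a hand-rolled extractor that writes it outside the target directory, and then a hardened extractor that canonicalises every entry path and refuses the archive. The function names, the sample entries and the scratch-directory layout are all assumptions made for this example; Python's own `ZipFile.extractall` already strips traversal components, which is why the write loop is written by hand.

```python
import io
import os
import tempfile
import zipfile

# Constructed sample archive: one benign entry plus a Zip Slip payload whose
# name walks up out of the extraction directory. Not taken from any real
# advisory; it exists only to exercise the two extractors below.
SAMPLE_ENTRIES = {
    "docs/readme.txt": "harmless content\n",
    "../../outside.txt": "written outside the target dir\n",
}


def build_zip(entries: dict) -> bytes:
    """Build an in-memory zip from {entry_name: text}. zipfile stores the
    names verbatim, so '../' sequences survive into the archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, text in entries.items():
            zf.writestr(name, text)
    return buf.getvalue()


def is_contained(dest: str, entry_name: str) -> bool:
    """The core Zip Slip check: resolve the would-be target path and confirm
    it still lies under the canonical extraction directory. commonpath is
    used instead of startswith so that '/out' does not accept '/outside'.
    An absolute entry name makes os.path.join discard dest entirely, so it
    is rejected by the same comparison."""
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, entry_name))
    return os.path.commonpath([dest_real, target]) == dest_real


def extract_naive(zip_bytes: bytes, dest: str) -> list:
    """Vulnerable pattern: join the entry name onto dest and write, as the
    hand-rolled extractors in the cheat sheet do. Returns resolved paths."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = os.path.join(dest, info.filename)  # no containment check
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(os.path.realpath(target))
    return written


def extract_safe(zip_bytes: bytes, dest: str) -> list:
    """Hardened pattern: validate every entry name first, then extract.
    Raises ValueError (and writes nothing) if any entry would escape dest,
    so a rejected archive leaves no partially extracted files behind."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        bad = [i.filename for i in zf.infolist() if not is_contained(dest, i.filename)]
        if bad:
            raise ValueError(f"Zip Slip entries rejected: {bad}")
        dest_real = os.path.realpath(dest)
        written = []
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = os.path.join(dest_real, info.filename)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(os.path.realpath(target))
    return written


def demo() -> dict:
    """Run both extractors against the sample archive in a scratch tree and
    report where the traversal entry landed. dest sits two levels below the
    scratch root so that '../../' stays inside the temp tree (assumed layout)."""
    root = tempfile.mkdtemp(prefix="zipslip-")
    dest = os.path.join(root, "a", "b", "extract")
    os.makedirs(dest)
    dest_real = os.path.realpath(dest)
    blob = build_zip(SAMPLE_ENTRIES)

    naive = extract_naive(blob, dest)
    escaped = [p for p in naive if os.path.commonpath([dest_real, p]) != dest_real]

    try:
        extract_safe(blob, dest)
        safe_error = None
    except ValueError as exc:
        safe_error = str(exc)

    clean = extract_safe(build_zip({"docs/readme.txt": "ok\n"}), os.path.join(root, "clean"))
    return {"escaped": escaped, "safe_error": safe_error, "clean_written": clean}


if __name__ == "__main__":
    print(demo())
```

Running the module prints one escaped path (`.../a/outside.txt`, one directory above the extraction root) for the naive extractor and the rejection message for the hardened one. The check deliberately validates the whole archive before writing anything; validating entry by entry would still leave earlier entries on disk when a later one is rejected. It does not cover symlink entries (which `zipfile` does not create) or tar archives, both of which need the same containment test applied to link targets as well as names.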
Your source code should be one of your most prized possessions. You must protect it with security processes and practices to ensure you don't put your code or your users at risk. This cheat sheet covers 10 best practices you should consider implementing in your GitHub repository or organisation to enforce security on your projects.
We’re extremely humbled and honored to have Gartner name Snyk as a May 2018 Cool Vendor in Application and Data Security!
Skyscanner today monitors nearly 500 separate projects with Snyk, and is able to understand the state of their security as well as address both their vulnerability and licensing issues. This case study shows why Skyscanner chose to use Snyk and the benefits they see every day.
One of the main features in Java 10 is Local-Variable Type Inference, which allows us to substitute a declared type with the `var` reserved type name in our source code. However, in order for this to become a feature that is useful to a developer rather than one developers will rue for many years to come, we need to learn how to use it and when to use it properly. This cheat sheet and blog post is a reduced version of a blog post that Stuart Marks wrote on the OpenJDK site.