In this edited-down video from the JSKongress conference, Guy Podjarny live hacks a Node.js application to exploit vulnerabilities in real-world packages and explains where some of the most common JS security pitfalls exist.
Snyk identified and responsibly disclosed a directory traversal vulnerability found in FTP clients that connect to malicious servers. This post contains the full details of the vulnerability and what you can do to avoid it.
The most common way for Snyk users to find out that they have an issue in their project is via our email alerts. It’s a core part of our service, but until recently, we didn’t have much in the way of configuration around what types of issues would trigger an email alert. As we scale our language support, enabling you to monitor more projects in Snyk, we want you to feel better informed about the types of issues that matter to you, while making less noise about the issues that don’t.
DigitalOcean found and fixed a critical vulnerability within one day of disclosure using Snyk's automated remediation system.
How Comic Relief’s developers used Snyk to automate security and boost productivity as part of their Digital Transformation.
Comic Relief integrated Snyk into their Concourse CI serverless deployment pipeline, which allows even the most junior developers to use open source securely by remediating any vulnerable libraries before they go to production.
We’ve just launched a new feature for our Pro and Enterprise Plan customers that adds an additional layer of hierarchy to make it possible to split your organisation in Snyk into teams, who can manage different projects. This has been a popular request from our customers and we’ve been building and refining it for months. We’re very excited to now be able to offer it.
Ignoring security issues shouldn't be the default action, but it is sometimes necessary. Snyk only validates vulnerabilities that exist in dependent components, so it has a relatively low false-positive rate (which should reduce the need to ignore), but there are still reasons why you may wish to suppress an issue.
You can't go to a security event nowadays and not hear at least a few speakers say the phrase "DevSecOps". The term has turned into a rallying cry for an approach that automates security throughout the development process. But in order for DevSecOps to succeed, it will first have to die.