Where do security patches come from?
The best solution for known vulnerabilities is to upgrade your software. But sometimes there's not a security update immediately available. The next best solution is to patch your software. In this post, we go through four ways to find security patches for open source software.
What do open source maintainers know about security?
Open source maintainers give up their own time to create great pieces of free software, which we then use to create business value. In our State of Open Source Security Report, open source consumers and maintainers were asked about their security expertise, actions and sense of ownership—and the results were very mixed.
npm Shrinkwrap Reloaded: Locking npm Deps with Package-Lock and Yarn.Lock
Locking or “pinning” dependencies is a widespread best practice in Ruby, Python, and other ecosystems. In Node.js locking was much less widespread, until recently, thanks to the improvements provided by package-lock.json and yarn.lock. This post discusses how each of these solutions works and why you may want to use them.
Don’t build security tools, build developer tools instead
Stop building security tools that think about dev, and start building dev tools that handle security.
Using the Snyk API to get your vulnerabilities
The Snyk API gives you access to all the issues associated with a given project. In this post, you'll learn how to use the API to fetch the organisations you have access to, the projects for a given organisation, and all the issues for a given project.
Announcing Snyk for .NET, Go and PHP
Snyk has always been committed to making it easy to use open-source code without compromising security. Today, we're taking another leap forward and launching support for .NET, Go and PHP!
Staying Secure on Heroku with the Snyk Add-On
The Snyk Heroku Add-on is now out of beta, providing deep integration with your Heroku workflow. In this post, we'll walk through how to get started using the new add-on to keep your Heroku applications free of known vulnerable dependencies.
Bower is dead, long live npm. And Yarn. And webpack.
Bower is no longer the dependency manager of choice for front-end projects. While the open source project is still maintained, its creators decided to deprecate it, and have advised how to migrate to other solutions. In this post, we explain why Bower used to be great, list six reasons why it isn't necessary anymore, and explain how to move on to newer and better technologies.
77% of 433,000 Sites Use Vulnerable JavaScript Libraries
Last week, we released our first annual State of Open Source Security report. One of the discoveries the report mentions is that an analysis of around 433,000 sites found that 77% of them use at least one front-end JavaScript library with a known security vulnerability. In this post, we take a deep dive into that problem space.
Announcing the 2017 State of Open Source Security Report
Today we're excited to launch the 2017 State of Open Source Security Report! The full report is available as a free PDF, and the highlights are collected online.
Exposed or not, vulnerabilities are dangerous
Whether a vulnerability is currently exposed or not matters, but only for prioritization. Whether it's exploitable today or not, leaving it unaddressed is an unnecessarily risky decision.