Where do security patches come from?

The best fix for a known vulnerability is to upgrade to a version that addresses it. But sometimes no fixed release is available yet, and the next best option is to patch the software you already run. In this post, we go through four ways to find security patches for open source software.

January 25, 2018

What do open source maintainers know about security?

Open source maintainers give up their own time to create great pieces of free software, which we then use to create business value. In our State of Open Source Security Report, open source consumers and maintainers were asked about their security expertise, actions and sense of ownership—and the results were very mixed.

January 16, 2018

npm Shrinkwrap Reloaded: Locking npm Deps with Package-Lock and Yarn.Lock

Locking or “pinning” dependencies is a widespread best practice in Ruby, Python, and other ecosystems. In Node.js, locking was far less common until recently, when package-lock.json and yarn.lock made it practical. This post discusses how each of these lockfiles works and why you may want to use them.

January 10, 2018

Don’t build security tools, build developer tools instead

Stop building security tools that think about dev, and start building dev tools that handle security.

January 9, 2018

Using the Snyk API to get your vulnerabilities

The Snyk API gives you access to all the issues associated with a given project. In this post, you'll learn how to use the API to fetch the organisations you have access to, the projects for a given organisation, and all the issues for a given project.

January 3, 2018
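The three-step walk that post describes (organisations, then each organisation's projects, then each project's issues) as an added Python example. This is not code from the original post or from Snyk: the v1 base URL, the endpoint paths, the `Authorization: token <TOKEN>` header, the POST filter body and the response shapes are my assumptions about the Snyk v1 API and should be checked against the current API documentation; the `SNYK_TOKEN` environment variable, `SAMPLE_RESPONSES` and `fake_transport` are constructed here so the walk runs offline.

```python
"""Walk the Snyk v1 API: orgs -> projects -> issues, then filter by severity.

Added example. Endpoint paths, the 'token <TOKEN>' header and the response
shapes are assumptions about the Snyk v1 API; verify against current docs.
"""
import json
import os
import urllib.request
from typing import Any, Callable, Dict, List, Optional

API_BASE = "https://snyk.io/api/v1"  # assumed v1 base URL

# transport(method, url, headers, body) -> parsed JSON; swappable for offline runs
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Dict[str, Any]]


def http_transport(method: str, url: str, headers: Dict[str, str],
                   body: Optional[bytes]) -> Dict[str, Any]:
    """Real transport: one HTTPS request, JSON response parsed."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


class SnykClient:
    def __init__(self, token: str, transport: Transport = http_transport):
        self.token = token
        self.transport = transport

    def _call(self, method: str, path: str,
              payload: Optional[Dict[str, Any]] = None) -> Dict[str, Any]:
        headers = {"Authorization": f"token {self.token}",  # assumed header format
                   "Content-Type": "application/json"}
        body = json.dumps(payload).encode() if payload is not None else None
        data = self.transport(method, API_BASE + path, headers, body)
        if not data.get("ok", True):  # assumed: error responses carry ok=false
            raise RuntimeError(f"Snyk API error on {path}: {data}")
        return data

    def orgs(self) -> List[Dict[str, Any]]:
        return self._call("GET", "/orgs")["orgs"]

    def projects(self, org_id: str) -> List[Dict[str, Any]]:
        return self._call("GET", f"/org/{org_id}/projects")["projects"]

    def issues(self, org_id: str, project_id: str) -> List[Dict[str, Any]]:
        # Assumed: the v1 issues call is a POST carrying a filter object.
        payload = {"filters": {"severities": ["high", "medium", "low"],
                               "types": ["vuln", "license"],
                               "ignored": False, "patched": False}}
        data = self._call("POST", f"/org/{org_id}/project/{project_id}/issues", payload)
        found = data["issues"]
        return found.get("vulnerabilities", []) + found.get("licenses", [])


SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}


def collect_issues(client: SnykClient, min_severity: str = "high") -> List[Dict[str, str]]:
    """Traverse every org and project; return issues at or above min_severity."""
    threshold = SEVERITY_RANK[min_severity]
    rows = []
    for org in client.orgs():
        for project in client.projects(org["id"]):
            for issue in client.issues(org["id"], project["id"]):
                if SEVERITY_RANK.get(issue.get("severity"), -1) >= threshold:
                    rows.append({"org": org["name"], "project": project["name"],
                                 "issue_id": issue["id"], "severity": issue["severity"],
                                 "package": issue.get("package", "")})
    return rows


# Constructed sample responses so the walk runs offline; all ids are placeholders.
SAMPLE_RESPONSES = {
    ("GET", "/orgs"): {"orgs": [{"id": "org-1", "name": "demo-org"}]},
    ("GET", "/org/org-1/projects"): {"ok": True, "projects": [
        {"id": "p-1", "name": "web-app"}, {"id": "p-2", "name": "cli"}]},
    ("POST", "/org/org-1/project/p-1/issues"): {"ok": True, "issues": {
        "vulnerabilities": [
            {"id": "SAMPLE-VULN-1", "package": "sample-pkg-a", "severity": "high"},
            {"id": "SAMPLE-VULN-2", "package": "sample-pkg-b", "severity": "medium"}],
        "licenses": [{"id": "SAMPLE-LICENSE-1", "package": "sample-pkg-c", "severity": "low"}]}},
    ("POST", "/org/org-1/project/p-2/issues"): {"ok": True, "issues": {
        "vulnerabilities": [], "licenses": []}},
}


def fake_transport(method, url, headers, body):
    """Offline stand-in for http_transport that serves SAMPLE_RESPONSES."""
    if not headers.get("Authorization", "").startswith("token "):
        raise RuntimeError("missing API token header")
    return SAMPLE_RESPONSES[(method, url[len(API_BASE):])]


if __name__ == "__main__":
    token = os.environ.get("SNYK_TOKEN")  # assumed env var name for a real run
    client = SnykClient(token, http_transport) if token else SnykClient("demo", fake_transport)
    for row in collect_issues(client, "medium"):
        print(row)
```

With no `SNYK_TOKEN` set the script runs entirely against the constructed responses; with a token it makes the same three kinds of call over HTTPS. Keeping the transport injectable is what lets the traversal and severity filter be tested without credentials.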

Announcing Snyk for .NET, Go and PHP

Snyk has always been committed to making it easy to use open-source code without compromising security. Today, we're taking another leap forward and launching support for .NET, Go and PHP!

December 21, 2017

Staying Secure on Heroku with the Snyk Add-On

The Snyk Heroku Add-On is now out of beta, providing deep integration with your Heroku workflow. In this post, we'll walk through how to get started with the new add-on to keep your Heroku applications free of known vulnerable dependencies.

December 12, 2017

Bower is dead, long live npm. And Yarn. And webpack.

Bower is no longer the dependency manager of choice for front-end projects. While the open source project is still maintained, its creators decided to deprecate it, and have advised how to migrate to other solutions. In this post, we explain why Bower used to be great, list six reasons why it isn't necessary anymore, and explain how to move on to newer and better technologies.

December 5, 2017

77% of 433,000 Sites Use Vulnerable JavaScript Libraries

Last week, we released our first annual State of Open Source Security report. One of the discoveries the report mentions is that an analysis of around 433,000 sites found that 77% of them use at least one front-end JavaScript library with a known security vulnerability. In this post, we take a deep dive into that problem space.

November 21, 2017

Announcing the 2017 State of Open Source Security Report

Today we're excited to launch the 2017 State of Open Source Security Report! The full report is available as a free PDF, and the highlights are collected online.

November 16, 2017

Exposed or not, vulnerabilities are dangerous

Whether a vulnerability is currently exposed or not matters, but only for prioritization. Whether it's exploitable today or not, leaving it unaddressed is an unnecessarily risky decision.

November 8, 2017