What is typosquatting and how typosquatting attacks are responsible for malicious modules in npm
You may have heard about malicious packages in a variety of contexts, such as a malicious Docker container or perhaps an open source malicious package in a public registry of one ecosystem or another. Snyk even published extensive research on malware in mobile applications, dubbed SourMint. We reviewed some of these security incidents in the […]
Securing your Kubernetes application development with Snyk and Tilt
Developing Kubernetes applications can be hard. We’re often dealing with microservice architectures with a lot of moving parts, along with developing the cluster configuration to hook them all together, and workflows for rapid iteration and testing can become convoluted and hard to manage for engineering teams. This is where tools like Tilt come in. Tilt […]
Applying risk management to DevOps practices with Snyk & Datadog
At SnykCon 2020, Datadog gave an informative talk about applying dynamic risk assessment to software development. More specifically, the company discussed how to use Snyk to measure and mitigate cybersecurity risks. In this post, we’ll look at some common software risks, how to measure security risks, and how organizations can use Datadog and Snyk to […]
2020 Q4 in review—iOS remote code execution, developer-first SAST, and more
In this fourth installment of the Snyk Blog year in review, we’ll be covering some of our key announcements and news that hit the blog in October, November, and December, rounding off a year of content. Previously, we’ve highlighted three posts in each quarter, ranging from Angular best practices to two rounds of funding and […]
2020 Q3 in review—Snyk & DeepCode, Angular security best practices, and more
We’re up to July, August, and September now in our blog series that looks back at our year of posts and picks out some of the highlights from each quarter. Previously, we wrote about the first and second quarters, which looked back at a round of funding for Snyk, as well as the JVM ecosystem […]
2020 Q2 in review—State of Open Source Security report, DevSecOps Hub, and more
Yesterday, we looked back at some of the blog posts we published back in January, February, and March of 2020. You remember, that time we were able to travel and hug each other, meet up carefree in bars and offices, and be social without having to use Zoom! Well, in this post, we look at […]
2020 Q1 in review—JVM ecosystem report, DevSecOps insights, and more
Welcome to the first of four posts in which we take a look back at all the highlights we have shared across the Snyk blog across 2020. Each of the four blog posts will pick three top highlights for each quarter of 2020, as well as any honorable mentions we add along the way. Picking just […]
Golang security: access restriction bypass vulnerability in JWT
Back in July, the Snyk security team was alerted about a potential security issue in the JWT package. This package provides a Go implementation of JSON web tokens, and the issue that was discovered related to a function called VerifyAudience that was not working as expected. The function allowed passing a double-quotes (“”) value […]
Blazing the trail for cloud native application security
2020 was an incredibly challenging year for all of us, but with the dawn of a new year just over the horizon, it’s as good an opportunity as any to take a few moments to appreciate the work done by our engineering and product teams. Hard work that was executed under difficult and strenuous circumstances and […]
Serialization and deserialization in Java: explaining the Java deserialize vulnerability
Java serialization is a mechanism to transform an object into a byte stream. Java deserialization is exactly the other way around and allows us to recreate an object from a byte stream. Java serialization—and more specifically deserialization in Java—is also known as “the gift that keeps on giving”. This relates to the many security issues […]
Security concerns of third-party JavaScript scripts
In their web security talk at SnykCon 2020, Liran Tal and Eric Graham discussed frontend security considerations regarding the frontend attack surface. They portrayed the risks stemming from security vulnerabilities found in third-party dependencies, and then continued to broaden the potential security risk through marketing-added third-party scripts such as Google’s Tag Manager. […]