Node.js security: lessons from the Node.js Security Working Group in triaging vulnerabilities

In a previous blog post, I talked about a security disclosure for the Fastify Node.js framework to the Node.js Security Working Group on HackerOne. The disclosure concerned a server-side JavaScript code injection vulnerability, and triage concluded that the report had no security impact on the Fastify Node.js web application framework, […]

November 6, 2020

Developing secure software: how to implement the OWASP top 10 Proactive Controls

Recently, I was thinking back on a great opening session of the DevSecCon community we had last year, featuring none other than Jim Manico. In this session, Jim walked us through the list of OWASP Top 10 Proactive Controls and how to incorporate them into our web applications. The proactive controls document, written by Manico himself, […]

November 5, 2020

Privileged Docker containers—do you really need them?

This week, I dropped down a rabbit hole when doing some testing with Podman around why running a certain container in a rootless configuration required the --privileged flag. Quite rightly, my colleague Eric Smalling asked why it should require the flag. Ultimately --privileged is shorthand for granting All The Things, and whilst you may think […]
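One quick way to see what "All The Things" actually means for a running container is to decode the effective capability mask the kernel reports in /proc/self/status rather than trusting the flags the container was started with. The script below is an added example and is not code from the post or from Podman; the capability numbering follows the Linux kernel's capability.h (CAP_CHOWN is bit 0 through CAP_CHECKPOINT_RESTORE at bit 40), and the two sample masks are constructed for illustration: the well-known Docker default set and the full mask a --privileged container receives on a recent kernel. The list of "dangerous" capabilities is this example's own choice of the ones most commonly used to break out of container isolation.

```shell
# Added example (not from the Snyk post or Podman): decode a Linux capability
# bitmask, such as the CapEff line of /proc/self/status, into capability names.
# Bit positions follow include/uapi/linux/capability.h, CAP_CHOWN=0 .. CAP_CHECKPOINT_RESTORE=40.
CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read perfmon bpf checkpoint_restore"

# decode_caps HEXMASK -> prints the set capabilities as one space-separated line
decode_caps() {
    mask=$(( 0x$1 ))
    i=0
    out=""
    for name in $CAP_NAMES; do
        if [ $(( (mask >> i) & 1 )) -eq 1 ]; then
            out="${out:+$out }cap_$name"
        fi
        i=$(( i + 1 ))
    done
    printf '%s\n' "$out"
}

# cap_count HEXMASK -> number of capabilities set in the mask
cap_count() {
    set -- $(decode_caps "$1")
    echo $#
}

# has_dangerous_caps HEXMASK -> exit 0 if the mask holds a capability that is
# routinely enough to escape container isolation (this example's own shortlist)
has_dangerous_caps() {
    for c in $(decode_caps "$1"); do
        case $c in
            cap_sys_admin|cap_sys_module|cap_sys_ptrace|cap_sys_rawio) return 0 ;;
        esac
    done
    return 1
}

# Constructed sample masks: Docker's default capability set (14 caps) and the
# mask a --privileged container gets on a kernel with 41 capabilities.
DEFAULT_MASK=00000000a80425fb
PRIVILEGED_MASK=000001ffffffffff

# Inside a container you would run:
#   decode_caps "$(awk '/^CapEff/ {print $2}' /proc/self/status)"
decode_caps "$DEFAULT_MASK"
decode_caps "$PRIVILEGED_MASK"
```

Run inside a container started with and without --privileged, the two decoded lines make the difference concrete: the default set has no cap_sys_admin, cap_sys_module or cap_sys_ptrace, while the privileged mask has every bit set, which is usually far more than the one capability the workload actually needed.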

November 4, 2020

Tips to scale your DevSecOps organization from Gene Kim and Guy Podjarny

During SnykCon 2020, author and researcher Gene Kim sat down with Snyk co-founder and President Guy Podjarny and a small group of Snyk VIPs to talk about (Sec)DevOps—where we started, how far we’ve come, and strategies for getting the most value out of the practice. The conversation spanned from philosophical questions to real-world implementations, and […]

November 2, 2020

The new, improved Snyk Container CLI

As more and more of you adopt containers for packaging up your applications, identifying vulnerabilities in them before you ship them is becoming incredibly important. Snyk has had the ability to test your Docker images using our CLI for over a year now. With the latest release of the CLI, we’re improving the user experience […]

October 29, 2020

10 React security best practices

Looking for the best ways to secure your React app? Then you’ve come to the right place! I created this checklist of React security best practices to help you and your team find and fix security issues in your React applications. I’ll show you how to automatically test your React code for security-related errors and […]

October 28, 2020

How Atlassian CISO Adrian Ludwig built a world-class product security team

At last week's SnykCon, Snyk's Co-founder and President Guy Podjarny sat down with Adrian Ludwig, CISO of Atlassian, for a fireside chat about the modern security market, how his security team is structured, and how to help developers embrace security. Guy and Adrian continued their conversation after the fireside chat, discussing what it takes to […]

October 28, 2020

Key approaches for effective security risk management & prioritization

There's no easy way of being 100% secure, and although you can become more secure, there definitely isn't one way of getting there. "The safest thing is to do nothing" is a great cliché, but for software security it is almost never true. Starting with the very first line of code […]

October 27, 2020

Snyk user community…3,2,1…LAUNCH!

We're excited to share that we have launched a Snyk User Community to bring our users and team together: to share knowledge and experiences, and personal and community projects built upon Snyk; to discuss all things security, from DevSecOps to AppSec to cloud-native security; and to have quick and easy access to product and security announcements. […]

October 26, 2020

Regular Expression Denial of Service (REDoS) in UAParser.js

Welcome to the Snyk Monthly Vulnerability Profile. In this series, Snyk looks back on the vulnerabilities discovered by or reported to our Security Research Team. We choose one noteworthy vulnerability from the past month and tell the story behind the discovery, research, and disclosure of the vulnerability. We highlight the researchers, developers, and users who […]

October 26, 2020

Gradle dependencies: scanning with new Snyk Gradle plugin

Gradle is one of the major build systems not only in the Java ecosystem but also in Android development. With Gradle, you can manage your dependencies and build and test your project. Scanning your project's dependencies for known security vulnerabilities is important, and the ideal time to start scanning them is the very moment […]

October 23, 2020