Node.js security: lessons from the Node.js Security Working Group in triaging vulnerabilities
In a previous blog post, I talked about a security disclosure for the Fastify Node.js framework to the Node.js Security working group on HackerOne. The disclosure was regarding a server-side JavaScript code injection vulnerability, and the final conclusion determined the report to be of no security impact to the Fastify Node.js web application framework, […]
Developing secure software: how to implement the OWASP top 10 Proactive Controls
Recently, I was thinking back to a great opening session of the DevSecCon community we had last year, featuring none other than Jim Manico. In this session, Jim walked us through the list of OWASP Top 10 proactive controls and how to incorporate them into our web applications. The proactive controls document, written by Manico himself, […]
Privileged Docker containers—do you really need them?
This week, I dropped down a rabbit hole when doing some testing with Podman around why running a certain container in a rootless configuration required the --privileged flag. Quite rightly, my colleague Eric Smalling asked why it should require the flag. Ultimately --privileged is shorthand for granting All The Things, and whilst you may think […]
Tips to scale your DevSecOps organization from Gene Kim and Guy Podjarny
During SnykCon 2020, author and researcher Gene Kim sat down with Snyk co-founder and President Guy Podjarny and a small group of Snyk VIPs to talk about (Sec)DevOps—where we started, how far we’ve come, and strategies for getting the most value out of the practice. The conversation spanned from philosophical questions to real-world implementations, and […]
The new, improved Snyk Container CLI
As more and more of you adopt containers for packaging up your applications, identifying vulnerabilities in them before you ship them is becoming incredibly important. Snyk has had the ability to test your Docker images using our CLI for over a year now. With the latest release of the CLI, we’re improving the user experience […]
10 React security best practices
Looking for the best ways to secure your React app? Then you’ve come to the right place! I created this checklist of React security best practices to help you and your team find and fix security issues in your React applications. I’ll show you how to automatically test your React code for security-related errors and […]
How Atlassian CISO Adrian Ludwig built a world-class product security team
At last week’s SnykCon, Snyk’s Co-founder and President Guy Podjarny sat down with Adrian Ludwig, CISO of Atlassian for a fireside chat about the modern security market, how his security team is structured, and how to help developers embrace security. Guy and Adrian continued their conversation after the fireside chat, discussing what it takes to […]
Key approaches for effective security risk management & prioritization
There’s no easy way of being 100% secure, and although you can become more secure, there definitely isn’t one way of getting there. “The safest thing is to do nothing” is a great cliché, but in the case of software security, this is almost never the case. Starting with the very first line of code […]
Snyk user community…3,2,1…LAUNCH!
We’re excited to share that we have launched a Snyk User Community to bring our users and team together to share knowledge and experiences, personal and community projects built upon Snyk, discuss all things security—from DevSecOps, to AppSec, through Cloud Native Sec, as well as have quick and easy access to product & security announcements. […]
Regular Expression Denial of Service (REDoS) in UAParser.js
Welcome to the Snyk Monthly Vulnerability Profile. In this series, Snyk looks back on the vulnerabilities discovered by or reported to our Security Research Team. We choose one noteworthy vulnerability from the past month and tell the story behind the discovery, research, and disclosure of the vulnerability. We highlight the researchers, developers, and users who […]
Gradle dependencies: scanning with new Snyk Gradle plugin
Gradle is one of the major build systems in not only the Java ecosystem but also for Android development. With Gradle, you can manage your dependencies, build, and test your project. Scanning the dependencies for known security vulnerabilities in your project is important. The ideal time to start scanning your dependencies is the very moment […]