Security Labs

At Snyk, our Security Labs team is dedicated to improving application security through high-impact research. We aim to enhance developers’ and security teams’ expertise by offering comprehensive research and tools.

Our work has led to major CVEs in core container infrastructure, closed significant supply-chain attack vectors in popular open-source registries, and demonstrated novel attacks on emerging technologies like AI and LLMs.

Our values

Awareness

Bringing light to under-represented areas of security and help educate developers through research.

Impactful security

Finding and helping fix wide-impacting vulnerabilities in open-source software (OSS) and modern applications.

Scalability

Conducting security research at scale.

Community collaboration

Creating tools to help the community discover and mitigate vulnerabilities and threats.

Meet the team

Get to know our team of security researchers.

Raul Onitza-Klugman

A former gardener turned security wizard. When not fuzzing native libraries and breaking modern AppSec, Raul can be found looking for ways to optimize his sourdough bread while enjoying the classic Belgian beer Delerium.

Raul Onitza-Klugman

Staff Security Researcher

Bio
Rory McNamara

Long-time bug bounty hunter, ex-pentester, and AppSec engineer. Rory is passionate about race conditions and Linux exploitation.

Rory McNamara

Staff Security Researcher

Bio
Elliot Ward

Ex-pentester and AppSec engineer with a focus on anything web security. When not hacking, Elliot loves to skateboard and snowboard.

Elliot Ward

Senior Security Researcher

Bio

Featured research

Check out some of the recent high-profile research from the Security Labs team.

See all our research
feature-getting-snyk-setup
Blog

Call for action: Exploring vulnerabilities in Github Actions

In this blog post, we will provide an overview of GitHub Actions, examine various vulnerable scenarios with real-world examples, offer clear guidance on securely using error-prone features, and introduce an open source tool designed to scan configuration files and flag potential issues.

feature-leaky-vessels
Blog

Leaky Vessels: Docker and runc container breakout vulnerabilities (January 2024)

Snyk security researcher Rory McNamara, with the Snyk Security Labs team, identified four vulnerabilities — dubbed "Leaky Vessels" — in core container infrastructure components that allow container escapes.

blog-feature-pypi-spoof
Blog

Gitpod remote code execution 0-day vulnerability via WebSockets

In this post, we present the first findings from our current research into Cloud Development Environments (CDEs) — which allowed a full account takeover through visiting a link, exploiting a commonly misunderstood vulnerability (WebSocket Hijacking), and leveraging a practical SameSite cookie bypass.

Found a vulnerability? We can help you report it.

Using our form, you can disclose vulnerabilities you’ve found or vulnerabilities that are missing from the Snyk Vulnerability Database. We’ll help you verify the vulnerability,  contact the maintainer, and assign a CVE for the issue.

Before submitting a report, please review our disclosure policy, which can be found here.

Report a new vuln
Patch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo Segment

Snyk est une plateforme de sécurité des développeurs. S’intégrant directement aux outils, workflows et pipelines de développement, Snyk facilite la détection, la priorisation et la correction des failles de sécurité dans le code, les dépendances, les conteneurs et l’infrastructure en tant que code (IaC). Soutenu par une intelligence applicative et sécuritaire de pointe, Snyk intègre l'expertise de la sécurité au sein des outils de chaque développeur.

Démarrez gratuitementRéservez une démo en ligne

Produit

Qu’est-ce que Snyk ?Snyk Code (SAST)Snyk Open Source (SCA)Snyk ContainerSnyk Infrastructure as CodeSnyk AppRisk (ASPM)Plateforme de sécurité des développeursSécurité des applicationsSécurité de la chaîne d’approvisionnement logicielleSécurité du code généré par l’IA DeepCode AITarifsOptions de déploiementIntégrationsPlugins pour les IDESécurité GitSécurité des pipelines de CI/CDSnyk CLISnyk LearnSnyk pour JavaScript

Ressources

DocumentationDocuments sur l’API SnykStatut de l’APIVulnérabilités divulguéesPortail de support et FAQBlogPrincipes fondamentaux de la sécuritéRessources pour les leaders de la sécuritéRessources pour les hackers éthiquesBase de données des vulnérabilitésSnyk OSS AdvisorTop 10 de SnykVidéosRessources clientSecurity Labs

Société

À proposClientsCarrièresÉvénementsSnyk pour le secteur publicSécurité et confianceMentions légalesConfidentialitéPour les résidents de Californie : Ne vendez pas mes informations à caractère personnelConditions d'utilisation du site web

Connexion

Réservez une démo en ligneContactez-nousSupportSignaler une nouvelle vulnérabilité

Sécurité

Sécurité des applicationsSécurité des conteneursSécurité de la chaîne d’approvisionnementSécurité JavascriptSécurité open sourceSécurité AWSSDLC sécuriséPosture de sécuritéCode sécuriséHacking éthiqueL’IA dans la cybersécuritéVérificateur de codePythonCybersécurité en entrepriseJavaScriptSnyk With GitHubComparaison Snyk/VeracodeSnyk vs Checkmarx

© 2024 Snyk Limited
Enregistré en Angleterre et au Pays de Galles

logo-devseccon