Snyk Blog

Blog posts about security, and more, from Snyk.
  • We've made some improvements to our Slack notifications to make them more useful and actionable.

  • Josh Emerson

    We’ve just released a shiny new API endpoint that will let you import your repositories, projects, functions and apps so that they are monitored for vulnerabilities.

  • Simon Maple & Matt Raible

    This month’s cheat sheet is about how you can secure your Spring Boot application. Spring Boot has dramatically simplified the development of Spring applications. Its autoconfiguration and starter dependencies reduce the amount of code and configuration you need to begin an app. If you were used to Spring and lots of XML back in the day, Spring Boot is a breath of fresh air.

  • Danny Grander & Simon Maple

    In June 2018, the Snyk research team found many exploitable instances of the Zip Slip vulnerability in various ecosystems that affected thousands of applications. This kind of wide-reaching vulnerability requires a well-thought-out private disclosure process so that vulnerable libraries and projects are warned about their exposure before public disclosures are made. This post goes into the details of what we did throughout the process, from discovery to disclosure, creating fix PRs and beyond.

  • Joran Greef & Simon Maple

    It's true you can crash an email server with a single email! This guest blog post talks about a vulnerability found in the top five Node mail parsers that will bring each of them down just by clicking send. Joran Greef explains how he found the vulnerability while he was writing his own mail parser and how he disclosed it via Snyk's security team.

  • The time has come for you to take responsibility for your application security. This may sound daunting to some of you, but don’t fret! There are many resources available to you, including The Secure Developer podcast, run by Snyk’s very own CEO, Guy Podjarny.

  • Simon Maple

    Zip Slip is a form of directory traversal that can be exploited by extracting files from an archive. This cheat sheet informs you of vulnerable libraries and code snippets that are susceptible to a Zip Slip attack. Additionally, it provides you with the information you need to upgrade to fixed library versions and offers tips on how to find and fix your own vulnerable code.

  • Today Snyk released a container vulnerability management solution which empowers developers to fully own the security of their dockerized application!

  • In this post we’ll look at the most common types of vulnerabilities for two of the main ecosystems we track in our vulnerability database, namely Maven Central and npm. The Snyk Vulnerability database consists of vulnerabilities from over 1,000,000 open source packages we track that use Composer, Go, Maven Central, npm, NuGet, pip and Rubygems.

  • Anna Debenham

    Over the past few months, we’ve been working closely with customers who use Snyk alongside various issue trackers as a way of managing their vulnerability remediation process. Today we have launched this Jira integration for all our Pro and Enterprise plan customers.

  • One of our most frequent feature requests recently has been for the ability to generate an API token that isn't tied to a particular user. We're really excited to be able to now offer our Pro and Enterprise customers the ability to create Service Accounts – a special type of user that has an API token associated with it.

  • The Snyk Security team is today announcing the public disclosure of a critical arbitrary file overwrite vulnerability called Zip Slip. It is a widespread vulnerability which typically results in remote command execution. The vulnerability affects thousands of projects.

  • Simon Maple & Tom Preston-Werner

    Your source code should be one of your prize possessions. You must protect it with security processes and practices to ensure you don't put your code or users at risk. This cheat sheet covers 10 best practices you should consider implementing in your GitHub repository or organisation to enforce security on your projects.

  • We’re extremely humbled and honored to have Gartner name Snyk as a May 2018 Cool Vendor in Application and Data Security!

  • Simon Maple & Andrew Binstock

    We’re excited to launch a brand new survey called the JVM Ecosystem Survey 2018 in partnership with the Java Magazine. Also, if we reach 2,500 responses, we'll give $2000 to Devoxx4Kids!

  • Skyscanner today monitors nearly 500 separate projects with Snyk, and is able to understand the state of their security as well as address both their vulnerability and licensing issues. This case study shows why Skyscanner chose to use Snyk and the benefits they see every day.

  • Stuart Marks & Simon Maple

    One of the main features in Java 10 is Local Type Inference, which allows us to substitute a type with the var reserved word in our source code. However, in order for this to become a feature that is useful to a developer rather than a feature developers will rue for many years to come, we need to learn how to use it and when to use it properly. This cheat sheet and blog is a reduced version of a blog post that Stuart Marks wrote on the OpenJDK site.

  • Guy Podjarny live hacks a Node.js application to exploit vulnerabilities in real world packages. In this edited-down video from the JSKongress conference, Guy explains where some of the most common JS security pitfalls exist.

  • Snyk identified and responsibly disclosed a directory traversal vulnerability found in FTP clients that connect to malicious servers. This post contains the full details of the vulnerability and what you can do to avoid it.

  • Snyk is now powering the brand-new vulnerable JavaScript audit in Google Chrome's Lighthouse, the auditing tool built by the Google Chrome team that checks how performant, accessible and secure your site is.

  • Anna Debenham

    The most common way for Snyk users to find out that they have an issue in their project is via our email alerts. It’s a core part of our service, but until recently, we didn’t have much in the way of configuration around what types of issues would trigger an email alert. As we scale our language support, enabling you to monitor more projects in Snyk, we want you to feel better informed about the types of issues that matter to you, while making less noise about the issues that don’t.

  • DigitalOcean found and fixed a critical vulnerability within one day of disclosure using Snyk's automated remediation system.

  • Comic Relief integrated Snyk into their Concourse CI Serverless deployment pipeline, which allows even the most junior of developers to use open source securely by remediating any vulnerable libraries before they go to production.

  • I'm excited to announce our $7M Series A, and feel this is a great opportunity to say thanks!

  • We’ve just launched a new feature for our Pro and Enterprise Plan customers that adds an additional layer of hierarchy to make it possible to split your organisation in Snyk into teams, who can manage different projects. This has been a popular request from our customers and we’ve been building and refining it for months. We’re very excited to now be able to offer it.

  • Anna Debenham

    Ignoring security issues shouldn't be the default action, but it is sometimes necessary. Snyk only validates vulnerabilities that exist in dependent components, so it has a relatively low false-positive rate (which should reduce the need to ignore), but there are still reasons why you may wish to suppress an issue.

  • Guy Podjarny

    A vulnerability is a vulnerability, whether known or not. The key difference between the two is the likelihood that an attacker is aware of the vulnerability, and thus tries to exploit it.

  • You can't go to a security event nowadays and not hear at least a few speakers say the phrase "DevSecOps". The term has turned into a rallying cry for an approach that automates security throughout the development process. But in order for DevSecOps to succeed, it will first have to die.

  • Danny Grander

    The best solution for known vulnerabilities is to upgrade your software. But sometimes there's not a security update immediately available. The next best solution is to patch your software. In this post, we go through four ways to find security patches for open source software.

  • Open source maintainers give up their own time to create great pieces of free software, which we then use to create business value. In our State of Open Source Security Report, open source consumers and maintainers were asked about their security expertise, actions and sense of ownership—and the results were very mixed.

  • Locking or “pinning” dependencies is a widespread best practice in Ruby, Python, and other ecosystems. In Node.js locking was much less widespread, until recently, thanks to the improvements provided by package-lock.json and yarn.lock. This post discusses how each of these solutions works and why you may want to use them.

  • Stop building security tools that think about dev, and start building dev tools that handle security.

  • The Snyk API gives you access to all the issues associated with a given project. In this post, you'll learn how to use the API to fetch the organisations you have access to, the projects for a given organisation, and all the issues for a given project.

  • Snyk has always been committed to making it easy to use open-source code without compromising security. Today, we're taking another leap forward and launching support for .NET, Go and PHP!

  • The Snyk Heroku Addon is now out of beta, providing deep integration with your Heroku workflow. In this post, we'll walk through how to get started using the new add-on to keep your Heroku applications free of known vulnerable dependencies.

  • Bower is no longer the dependency manager of choice for front-end projects. While the open source project is still maintained, its creators decided to deprecate it, and have advised how to migrate to other solutions. In this post, we explain why Bower used to be great, list six reasons why it isn't necessary anymore, and explain how to move on to newer and better technologies.

  • Last week, we released our first annual State of Open Source Security report. One of the discoveries the report mentions is that an analysis of around 433,000 sites found that 77% of them use at least one front-end JavaScript library with a known security vulnerability. In this post, we take a deep dive into that problem space.

  • Today we're excited to launch the 2017 State of Open Source Security Report! The full report is available as a free PDF, and the highlights are collected online.

  • Whether a vulnerability is currently exposed or not matters, but only in prioritization. Whether it's exploitable today or not, leaving it unaddressed is an unnecessarily risky decision.

  • Geva Solomonovich

    One of the biggest bottlenecks in security is 'triaging'—the process of validating if a security alert is actually impacting your organization, sizing up the estimated impact, and figuring out how to resolve it. In this article, we'll make the case that we should all be striving to skip triaging and focus on fixing vulnerabilities instead.

  • In this post we review and compare the Apache, BSD and MIT license to see what to use in your own project, and when.

  • Earlier this year we ran a test on the top 5,000 URLs on the web and found that 76.6% of them were running a JavaScript library with at least one known security vulnerability. It's a frighteningly large number. That's why we're proud to announce that Snyk now powers the vulnerable JavaScript libraries linter in Microsoft's Sonar—an open-source linting tool for developers.

  • Danny Grander

    Python 3 and Python 2 have various functional differences. On their own, they’re not necessarily better or worse (though arguably Python 3 should be an improvement), but any change may introduce risk. This post highlights and explains a few differences between the versions that have security implications.

  • Geva Solomonovich

    Just a few months ago we launched Snyk for Serverless, and we are now taking it to the next level by launching the Snyk Heroku Add-On. The add-on is currently in beta, which means it's free to try out! We're looking for people to take it for a test drive and provide us with some feedback.

  • Ellen Van Keulen

    After years of preparation and debate, the General Data Protection Regulation (GDPR) was finally approved by the EU with enforcement starting as early as May 2018, at which time those organisations in non-compliance will face heavy fines. In this post we explain how that impacts companies using open-source and how they can protect themselves.

  • Earlier this week, we kicked off The State of Open Source Security survey. Our goal is to help all of us understand where we stand when it comes to building and consuming open source in a way that keeps us and the data we hold safe.

  • Aner Mazur

    Today we're happy to announce the great features we’ve added for the teams developing and securing software within the Enterprise. We especially focus on Enterprises who recognise that security should be included as early as possible and throughout the developer lifecycle, who want it to be incredibly easy for both their development teams and security teams to use, and who want their developers to fix vulnerabilities, not just find them.

  • Equifax, a credit monitoring giant, disclosed last week it was breached, exposing highly personal data of _143 million_ people. The breach root cause was a vulnerable version of an open source library called Struts. How can you handle such vulnerable libraries in your apps?

  • With Snyk support for Bitbucket Server now out of beta, you can tightly integrate Snyk with your Atlassian workflow from start to finish—from easily monitoring your projects, to integration with Bitbucket pipelines and even JIRA Software ticket creation.

  • Since we launched nearly two years ago, Snyk has been focused on making it easier to use open-source code without compromising security. Today, we're taking another leap forward and launching support for Scala, Python and Gradle!

  • Running `snyk test` out of the box will scan your application's dependencies and test to see if any of them contain known vulnerabilities. In this post, we discuss how you can customize the results using the `--json` option and a few free tools.

  • Today we're happy to announce that we've launched support for testing Cloud Foundry applications for known vulnerabilities in your deployed code! Find us at Cloud Foundry Summit for a first-hand demo.

  • Guy Podjarny

    It’s been over 10 years since Cross Site Scripting (XSS) became big news, awareness has grown and defenses have become much more sophisticated. But, as we show in this post, recent data indicates XSS attacks are only increasing.

  • Guy Podjarny

    Hot on the heels of the launch of Snyk serverless integration for Heroku and AWS Lambda, we are launching our next integration with Bitbucket Server, Atlassian’s Git solution for professional teams. The integration is currently in beta, and we're looking for people to take it for a test drive and provide us with some feedback.

  • Snyk Enterprise is now available on the UK government G-Cloud digital marketplace! Government services can now easily use Snyk to protect their applications against known vulnerabilities in their dependencies—an increasingly important consideration.

  • The OWASP Top 10 is a well known index of web app security vulnerabilities which is used every day by security professionals, but it doesn't currently take into account how often those vulnerabilities are used by hackers. We dug through security breach records to see which vulnerabilities are exploited most frequently.

  • Today Guy Podjarny had the pleasure of presenting at the amazing ServerlessConf in Austin, Texas about security in a serverless world. Here are the slides from his talk, "Serverless Security: What's Left to Secure?"

  • Guy Podjarny

    Today we're excited to announce Snyk's new solution for securing your serverless functions, designed to easily integrate and protect serverless-based applications! The initial launch features tight integration with both AWS Lambda and Heroku. We're also working closely with Google, Red Hat and others to integrate directly with their platforms in the coming months.

  • By its very nature, Serverless (FaaS) addresses some of today's biggest security concerns but it doesn't fix it all. This post outlines the top areas where Serverless helps or hinders our security efforts, offering advice on how to address concerns and thoughts on what's to come next.

  • Guy Podjarny

    Last November, we announced that in addition to Node.js support, we were adding support for Ruby. And now it's time to expand yet again. Today we're excited to announce Snyk's support for Java and other Maven supporting languages!

  • To do security well, you have to do it continuously, and here at Snyk we want to make that easy. That's why we changed our pricing, removing our project limit and letting you protect all your apps with a few small clicks!

  • The other week a paper was released that reported that about 37% of sites included at least one JavaScript library with a known vulnerability. We ran our own test and discovered that the reality is much worse—76.6% of sites were using at least one vulnerable library.

  • This is the first of a series of posts about Type Manipulation, each demonstrating one or more real-world vulnerabilities made exploitable by manipulating types, and explaining how it could have been avoided. In this post, we'll focus on using type manipulation to circumvent template-frameworks sandboxes.

  • Peter Benjamin recently built a fantastic VS Code plugin for Snyk. We asked him a few questions about the plugin and how and why he built it.

  • Last month, we added a high-severity Prototype Override Protection Bypass vulnerability in the qs package to our database. The fix was released in updated versions of the library about a week ago. This post explains the vulnerability and how to mitigate it.

  • An interesting whitepaper was released at the 2017 NDSS Symposium discussing a large-scale attempt at determining just how vulnerable client-side JavaScript libraries are. We wanted to share some of our thoughts on the report.

  • Geva Solomonovich

    Today we're excited to announce the integration of the Snyk Vulnerability Database with JFrog's Xray.

  • As a security-focused startup, keeping their own application secure is absolutely mission critical for Voltos. In this guest post, Glenn Gillen talks about how Voltos is using Snyk to keep their dependencies free of known vulnerabilities.

  • We recently added a pair of high-severity XML External Entities (XXE) vulnerabilities found in the Nokogiri library to our vulnerability database. This post explains how the vulnerability works and discusses how to fix the exploit in your application.

  • Disclosing vulnerabilities ethically and efficiently is critical to improving the state of security online. In this post we discuss the idea of "responsible disclosures" and why it matters.

  • Doug Wade built a plugin for using Snyk in your Gulp build process. We were really excited to stumble upon the plugin, so we wanted to talk to Doug to hear a little more about it.

  • Karen Yavine

    Today we're open-sourcing pkgbot, a Slack bot for gathering information about Node and Ruby dependencies.

  • The level of danger when it comes to regular expressions and security is quite high. In this post we explain what a regular expression denial of service is and how to prevent it from happening.

  • Guy Podjarny

    Since Snyk launched in late 2015, we've supported testing applications anonymously. Today, we released a new version that requires a (free) registration and authenticating before testing. Here's why we did it.

  • There's a widespread attack on insecure MongoDB installs that has resulted in over 28,000 databases being held ransom. This post explains the hack, how to protect yourself and what we can learn from it.

  • Jesse Houwing recently published a really helpful Visual Studio Team Services (VSTS) task, making it easier to get Snyk incorporated into your VSTS workflow. We think it's pretty awesome that he built it, so we wanted to learn a bit more about the task and how he did it.

  • Since we launched Ruby last month, we’ve been working away on improvements. Today we’re excited to let you know about our extended support for Ruby.

  • We recently added support for Ruby projects to Snyk. The difference between version handling in RubyGems and npm presented a few challenges along the way. This blog post describes those differences, the problems they caused, and how we resolved them.

  • A high-severity remote code execution vulnerability was found in the `EJS` npm package. Here's how it works, and how to fix it.

  • Josh Emerson

    Just over a week ago, we were sponsors at the Brighton conference, ffconf. It was a day full of brilliant talks, both thought provoking and useful. Ashley Williams of NPM gave a talk titled "A brief history of modularity", which we felt was particularly relevant to Snyk, and so we thought we'd share a summary of the talk here.

  • Guy Podjarny

    After a year of helping Node and npm developers be secure and tuning Snyk's products, we're ready to expand. Today, we're announcing Snyk support for Ruby!

  • Tim Kadlec

    To simplify the task of keeping dependencies in your Serverless application free of known vulnerabilities, we're launching the Serverless Snyk plugin.

  • In the latest episode of The Secure Developer, Sabin Thomas and Guy Podjarny discuss the difference between security tools aimed at security people vs. building security tools developers love.

  • Tim Kadlec

    Yarn markets itself as “ultra fast”, “super reliable” and “mega secure”. While it’s true that Yarn is often much faster, and that the new lockfile ensures more consistency when your application is installed, the security claims are a little over-optimistic.

  • Well over 80% of successful exploits today occur due to unpatched servers. Approaches such as Serverless & PaaS should dramatically reduce the risk of outdated binaries. Unfortunately, this transition does nothing to secure open source code packages.

  • At Snyk, our goal is to build security tools that easily fit with your existing workflow. This is why we’re excited to announce Snyk for Bitbucket Pipelines, making it easy to stay secure if you’re managing your work with the Atlassian product stack.

  • We all want to build security into our dev process, but how? The new "The Secure Developer" brings dev leads, AppSec thought leaders and security tools builders to share experiences, techniques and tools to help you build security in.

  • Johanna Kollmann

    If Slack is your team's go-to communication tool, we have good news: you can now get Snyk's security alerts in Slack!

  • What should I defend my application against? Should I deal with Cross-Site Scripting (XSS) attacks? How about SQL injection? Should I protect myself against cross-site request forgery? The short answer is yes. But as always, it's not that simple.

  • Much has been written about ES2015 - with its arrow functions, scoped variable declarations and controversial classes. However, a certain feature has received little love so far: the Proxy.

  • How can we evolve Security as we did Ops into DevOps, who owns open source security and why aren't developers owning security yet? All that and more in this O'Reilly Security podcast episode.

  • Great engineering teams ship fast and employ Continuous Delivery practices. Having an agreed time constraint for releases within the team removes obstacles such as complex merges and low quality of code.

  • Guy Podjarny

    Snyk partners with bitHound to help its users find vulnerable dependencies and take action!

  • Guy Podjarny

    Over 20 years after its inception, HTTPS is finally breaking through. In the last year alone, HTTPS adoption has more than doubled! This is a moment for celebration and learning, and this post digs into the data and the lessons we can learn from it.

  • Anna Debenham

    Having a style guide means we can assemble templates more quickly, and we're less likely to unintentionally build the same thing more than once. We use it a lot for referencing colours, or grabbing some markup for a button or checkbox.

  • Creating Snyk's GitHub integration, released in late June, helped clarify the different steps to truly address vulnerable dependencies, both immediately and in a continuous fashion. These steps are consistent across packaging systems, from npm to Maven to Chef cookbooks. This post explains each step, why they are needed, and how to apply them with Snyk.

  • After 343,000 vulnerability tests, 71,000 applied patches and 4,500 alerts, Snyk is ready to graduate out of Beta! In addition, we're launching two exciting new features, GitHub Integration and Organisations, and offering new premium plans - try them out!

  • Guy Podjarny

    We often talk about the growing number of npm dependencies, and how they make us productive and fast or fragile and insecure. But what exactly is an npm dependency? This post defines the ways to look at an npm dependency.

  • Using a programmable SQL interface such as an ORM (Object Relational Mapping) is a good way to reduce risk of SQL Injection, which is a very bad vulnerability to have. However, ORM packages are not bullet proof. This post explains why you shouldn't put all your SQL Injection protection eggs in the ORM basket, and what more you can do.

  • Get notifications about new vulnerabilities in Node.js and front-end npm packages via Slack, email, Twitter, Trello or text messages.

  • Guy Podjarny

    A recently published vulnerability in the npm `marked` package shows how attackers can use the flexibility of the Markdown format to introduce Cross-Site Scripting vulnerabilities. This post explains the issue and the fix, and discusses the difficulty of sanitizing complex user input.

  • Multiple severe and trivially exploited vulnerabilities in ImageMagick were disclosed earlier this week, and are known to be exploited in the wild. As there is no official fix yet, we created a package called imagemagick-safe, which disables the vulnerable features, protecting against the known exploits.

  • Test for vulnerabilities — and then monitor — any public Node.js GitHub repo.

  • Guy Podjarny

    Hidden between the wonders of Node lies a ticking bomb by the name of Buffer. If handled incorrectly, this risky class can easily leak server side memory, and with it your secrets and keys. In this post, we’ll explain how Buffer works, show a sample vulnerability and exploit, and explain how you can protect your own application.

  • Guy Podjarny

    Last week, CERT alerted users to the risk of publishing or consuming a malicious npm package. This important risk is not unique to npm, but it is more likely to happen in this ecosystem. This post explains the risk and how you can protect yourself.

  • Guy Podjarny

    Yesterday, Azer Koçulu unpublished a large number of popular packages. Unpublishing allowed malicious actors to grab those package names, and get an immediate footprint on many applications across the web. We modified our tool to help you detect whether your dependencies are exposed to this risk.

  • Until recently Snyk's CLI tool only supported npm@2. That all changed when we released snyk@1.9.0 and added full support for the new npm@3 directory structures. In this post, Remy shares some of the technical challenges involved and the new tooling that came out of the process.

  • A little over 3 years ago, a few friends and I started a group called pasten to participate in the Chaos Computer Club's Capture The Flag (CTF) competition. It is a jeopardy style CTF, where the participating teams need to solve security related challenges in various categories such as exploitation, reverse engineering, web, forensic & crypto.

  • Earlier this month, a researcher named ChALkeR shared his research on leaked credentials in npm packages. The findings showed credentials, such as npm and GitHub tokens and passwords, are frequently included in published npm packages or GitHub repositories. In fact, 13 of the top 15 npm packages depend on packages that leaked credentials, thus exposing their users.

  • Guy Podjarny

    I'm excited to announce Snyk is now live! Snyk helps you find and fix known vulnerabilities in your Node.js dependencies. These are publicly documented security holes, making them easy for attackers to track and exploit.

  • Guy Podjarny

    HTTPS, HTTP over TLS, has been around since 1994, and has been well adopted by the security sensitive web — online banking, shopping, taxes and more. However, the vast majority of websites (est. 81% to 97%) continue to communicate using clear (unencrypted) HTTP — no matter how insecure that is.
