Thursday, 9 March, 2017 UTC

The Frequency of Known Vulnerabilities in JavaScript

There’s an interesting whitepaper from last week’s NDSS Symposium that discusses a large-scale attempt at determining just how vulnerable client-side JavaScript libraries are. The study involved analyzing JS code across over 133,000 different websites. ...


Tuesday, 28 February, 2017 UTC

Announcing Snyk's Integration with Xray

We’re big fans of open-source development at Snyk. It’s why we built Snyk in the first place: so people could safely use open-source dependencies without compromising security in the process. That’s why we’re excited to announce our integration with ...


Thursday, 23 February, 2017 UTC

How Voltos Uses Snyk to Secure Their Own Security Product

This is a guest post from Glenn Gillen. Glenn is one of the co-founders of Voltos, a service to help you securely manage your apps and service credentials, and is a co-contributor to the online course Tiny Security Wins: Quick steps to secure your dev ...


Thursday, 26 January, 2017 UTC

Building the Gulp Snyk plugin, an interview with Doug Wade

Doug Wade (@AShedOfTools) is a Senior Front-End Engineer at Indeed. Doug built the wonderful gulp-snyk plugin, which lets you seamlessly include Snyk in your Gulp build process. We were really excited to stumble upon the plugin, so we wanted to talk ...


Thursday, 19 January, 2017 UTC

Introducing pkgbot!

As a security analyst at Snyk, I spend a ton of time digging around code repositories and package managers to be able to understand how serious a vulnerability is. I need to know what type of vulnerability is at hand and how popular of a package I’m ...


Tuesday, 17 January, 2017 UTC

Regular Expression Denial of Service and Catastrophic Backtracking

Regular expressions are incredibly powerful, but you would be hard pressed to find anyone who believes they’re very intuitive. Sure, there’s that one developer you know who’s excellent at it, but most developers know just enough to be dangerous. Unfortunately, ...


Thursday, 12 January, 2017 UTC

Requiring authentication in Snyk CLI

Since Snyk launched in late 2015, we’ve supported testing applications anonymously. Today, we released a new version that requires a (free!) registration and authenticating before testing. This post explains why we made this change, and how it affects ...


Thursday, 22 December, 2016 UTC

Building the VSTS Snyk task, an interview with Jesse Houwing

Jesse Houwing (@jessehouwing) is a Lead Consultant at Xpirit. Recently he published a really helpful Visual Studio Team Services (VSTS) task making it easier to get Snyk incorporated into your VSTS workflow. We think it’s pretty awesome that he built ...


Monday, 19 December, 2016 UTC

Announcing Snyk CLI for Ruby, and more ways to fix Ruby vulnerabilities

Since we launched Ruby last month, we’ve been working away on improvements. Today we’re excited to let you know about our extended support for Ruby: Snyk’s CLI now supports both Node.js and Ruby; fix vulnerabilities with upgrades that require modifying ...


Wednesday, 14 December, 2016 UTC

Differences in version handling between RubyGems and npm

RubyGems and npm are the de facto standard package managers for Ruby and Node.js. At first glance they seem similar (because they are!), but when building a product that interacts with both of them, there are subtle differences that need to be taken into ...


Wednesday, 30 November, 2016 UTC

Fixing a Remote Code Execution Vulnerability in EJS

This week we added a high-severity Remote Code Execution vulnerability in the EJS package to our vulnerability database. EJS (Embedded JavaScript Templates) is a fast, simple and very popular JavaScript templating engine. EJS provides a few different ...


Monday, 21 November, 2016 UTC

A brief history of modularity

Just over a week ago, we were sponsors at the Brighton conference, ffconf. It was a day full of brilliant talks, both thought provoking and useful. Ashley Williams of NPM gave a talk titled “A brief history of modularity”, which we felt was particularly ...


Thursday, 10 November, 2016 UTC

Announcing Snyk for Ruby

In the year since Snyk launched, we’ve been busy focusing on securing Node.js applications. Since that time our open-source database of npm package vulnerabilities has grown to 165, nearly a million tests have been run by our users, and we are continuously ...


Thursday, 3 November, 2016 UTC

Launching Serverless Snyk

Today we’re releasing the Serverless Snyk plugin—a plugin for the Serverless framework that helps you to prevent vulnerable packages in your application, using Snyk! In a Serverless environment, outdated server binaries are no longer the most glaring ...


Tuesday, 25 October, 2016 UTC

Yarn is Micro Secure

A few weeks ago, Facebook announced the open-source release of Yarn: a new client for the npm registry. While a few folks expressed concern, it appears to be a solid example of open-source development. Facebook, Google, Exponent and Tilde had similar ...


Thursday, 20 October, 2016 UTC

Fixing Serverless Security Vulnerabilities

Well over 80% of successful exploits today occur due to unpatched servers. With modern approaches such as Serverless & PaaS, the servers and their binaries will be managed by more dedicated and professional teams, which should dramatically reduce ...


Tuesday, 11 October, 2016 UTC

Launching "The Secure Developer" Podcast

Most would agree we should build more security into our development practices. Between the increasing pace of development, the shortage of security practitioners and the fact most vulnerabilities are simply bugs, it seems clear we should build security ...


Wednesday, 31 August, 2016 UTC

Threat Modelling For Node.js Applications

This article is a guest post from Gergely Nemeth, CEO at RisingStack, building Trace by RisingStack to monitor and debug Node.js applications and microservices. What should I defend my application against? Should I deal with Cross-Site Scripting attacks? ...


Tuesday, 23 August, 2016 UTC

Using ES2015 Proxy for fun and profit

Much has been written about ES2015 - with its arrow functions, scoped variable declarations and controversial classes. However, a certain feature has received little love so far: the Proxy. As JS developers, we’re not used to relying on trapping mechanisms ...


Wednesday, 27 July, 2016 UTC

Enriching bitHound with Snyk

Dependencies are extremely powerful, but also open up a world of complexity. To successfully secure these packages in your application, you need to consider security as a natural aspect of quality. This means embedding it into your suite of quality tools ...


Thursday, 7 July, 2016 UTC

4 steps to address vulnerable dependencies

A couple of weeks back, we released Snyk’s tight GitHub integration. While building it, we were keen to make it as easy as possible to address known vulnerabilities, and explored the simplest and clearest actions you need to take to get it done. We eventually ...


Wednesday, 22 June, 2016 UTC

Out of Beta, plus exciting new features

It’s been nearly 8 months since we first launched Snyk at the Velocity Amsterdam conference. Since then, we’ve registered over 343,000 security tests, and 76% of users found vulnerabilities in their apps. Snyk patches were applied 71,000 times, closing ...


Thursday, 16 June, 2016 UTC

The 5 dimensions of an npm dependency

We often talk about the growing number of npm dependencies, and how they make us productive and fast on one hand, but fragile and potentially insecure on the other. But what exactly is an npm dependency? At Snyk, our product focuses on securing dependencies, ...


Wednesday, 8 June, 2016 UTC

Fixing SQL Injection: ORM is not enough

One of the most dangerous and widespread vulnerability types is SQL Injection, which gives attackers access to your backend database. Using prepared statements and Object-Relational Mapping (ORM) is a good way to defend against SQL injection, but it’s ...


Thursday, 2 June, 2016 UTC

5 Ways to Get Node.js Vulnerability Alerts

Here at Snyk, we maintain a database of known vulnerabilities in Node.js and front-end npm packages, called VulnDB (also on GitHub). For each vulnerability, it includes a description of the vulnerability, additional references, and most importantly, ...


Monday, 16 May, 2016 UTC

Fixing `marked` XSS vulnerability

A few weeks ago we added to our DB a Cross-Site Scripting (XSS) vulnerability in the popular marked package. This post explains the vulnerability, shows how to exploit it on a sample app, and explains how to fix the issue in your application. marked ...