Adding security to Nuxt 3

What is Nuxt? Nuxt is an Intuitive Web Framework that allows you to build your next Vue.js application with confidence. It’s an open source framework under MIT license that makes web development simple and powerful. I highly recommend you check out the ... more

OSPO security evolution: The Kübler-Ross Model of open source

What’s in an OSPO? Open Source Program Offices are popping up all over, in recognition of the facts on the ground: open source software (and I would argue open standards as well) plays an enormous role in building and maintaining the software that increasingly ... more

Snyk’s AppSec journey in 2022

Coming off a rough and wild end to 2021 with Log4Shell in all our minds, Snyk jumped out of the gates quickly and began providing the AppSec world with new capabilities that did not disappoint. In this blog, you can review most of the key investments ... more

Dependency injection in JavaScript

Inversion of control (IoC) techniques give developers a way to break out of traditional programming flow, and it offers them more flexibility and greater control over their code. Dependency injection, one form of IoC, is a pattern that aims to separate ... more

NPM security: preventing supply chain attacks

NPM security has been a trending topic in the media in recent years, mostly in reference to npm packages available on the ecosystem rather than the npm registry itself. The increasing security risk, that applies to developers and software we build, makes ... more

Update: OpenSSL high severity vulnerabilities

OpenSSL has released two high severity vulnerabilities — CVE-2022-3602 and CVE-2022-3786 — related to buffer overrun. OpenSSL initially rated CVE-2022-3602 as critical, but upon further investigation, it was reduced to high severity. What is Buffer overrun? ... more

Ruby on Rails Docker for local development environment

Hi there Ruby developers! If you’ve been looking for an effective way to establish a Ruby on Rails Docker setup for your local development environment, then this post is for you. It’s a continuation of our previous article on how to install Ruby in a ... more

Why fuzzing tools should be part of your security toolkit

Fuzzing is a software security testing technique that automatically provides invalid and random input to an application to expose bugs. The goal of fuzzing is to stress the application to cause unexpected behavior, crashes, or resource leaks. It allows ... more

Understanding DNS attacks: Identifying and patching vulnerabilities

The Domain Name System (DNS) translates domain names into IP addresses. Every device and website has an IP address that other devices, websites, and online services use to communicate with it. IP addresses are a string of numbers usually formatted as ... more

How to write your first unit test in JavaScript

Testing code is the first step to making it secure. One of the best ways to do this is to use unit tests, ensuring that each of the smaller functions within an app behave as they should — especially when the app receives edge-case or invalid inputs, ... more

Node.js multithreading with worker threads series: worker_threads tutorial

Node.js provides a single-threaded JavaScript run-time surface that prevents code from running multiple operations in parallel. If your application typically employs synchronous execution, you may encounter blocks during long-running operations. However, ... more

How to make a mock API server in JavaScript

Developing and testing a frontend feature can be difficult, especially when the backend it depends on is not ready. This dependency on a backend API often slows down the development process. In scenarios like this, developing a mock API can save you ... more

Secure JavaScript URL validation

When developers need to handle URLs in different forms for different purposes — such as browser history navigation, anchored targets, query parameters, and so on — we often turn to Java. However, its frequent use motivates attackers to exploit its vulnerabilities. ... more

Reviewing CVE-2022-42889: The arbitrary code execution vulnerability in Apache Commons Text

First things first, let’s be clear that this is NOT a new Log4Shell or Spring4Shell vulnerability . Although it is a remote code execution issue, the impact is neither as severe nor as easily exploitable as the issue in Log4j from December 2021. Similar ... more

How to add Playwright tests to your pull request CI with GitHub Actions

If you’re like me, you really appreciate a test automation step as part of your pull request (PR) CI for that added confidence before merging code. I want to show you how to add Playwright tests to your PRs and how to tie it all together with a GitHub ... more

Ruby email rule removed from Snyk Code

Snyk Code supports various languages important in the cloud native arena, Ruby being among them (and we’ve seen great adoption, so thank you!). Our researchers are constantly monitoring our rule sets, using our training set of open source projects, but ... more

Secure your application from Argo CD to Kubernetes

GitOps is a popular framework for managing and securing the application development pipeline. For many who have embarked on a GitOps journey, a common question is: “how can I secure my pipeline when everything is automated?” The GitOps framework is a ... more

Choosing the best Node.js Docker image

Choosing a Node.js Docker image may seem like a small thing, but image sizes and potential vulnerabilities can have dramatic effects on your CI/CD pipeline and security posture. So, how do you choose the best Node.js Docker image? It can be easy to miss ... more

Explaining the csurf vulnerability: CSRF attacks on all versions

On September 11th, 2022, Snyk published a vulnerability report for the popular CSRF token management csurf npm package. The vulnerability impacts all known versions, which are currently yielding more than 400,000 downloads per week. The vulnerability ... more

10 best practices to containerize Node.js web applications with Docker

Editor’s note: September 14, 2022: Check out our new and improved cheat sheet for containerizing Node.js web applications with Docker! Are you looking for best practices on how to build Node.js Docker images for your web applications? Then you’ve come ... more

Avoiding SMTP Injection: A Whitebox primer

SMTP Injection vulnerabilities are often misunderstood by developers and security professionals, and missed by static analysis products. This blog will discuss how common SMTP Injection vulnerabilities can exist in libraries and applications, and provide ... more

Best practices for creating a modern npm package

Technology is always changing and your processes and practices need to keep up with those changes. So while npm is 12 years old, your practices around npm package creation should hopefully be a lot more modern. If you have a feeling they may be a little ... more

Integrating Snyk Open Source C/C++ security scanning into CI pipelines

Snyk Open Source supports C and C++ scanning for vendored open source dependencies via CLI — and we are happy to share that it is now available via our CI plugins as well. This guide will walk you through integrating C/C++ security scanning within pipelines ... more

The npm faker package and the unexpected demise of open source libraries

Where do open source dependencies go to die, and why do they come to an end? What happened to the npm faker module? Can it happen again? Join me to learn how open source software libraries rise to glory and how they reach their end of life. I’ll also ... more

Solve Hack the Box and other CTF challenges with Snyk

Hack The Box (HTB) is a platform that gamifies cybersecurity training. It’s suitable for aspiring pen testers, as well as developers who want to become security champions — or simply understand the mindset of adversaries a bit better — in order to make ... more

How to build a Slack bot with Zapier and JavaScript to fetch trending topics on Reddit

Reddit is a good place to stay in the loop when it comes to web development news, and if you’re like me, you probably follow subreddits like r/node or r/javascript. I recently found a great way to build a Zapier Reddit integration with just my JavaScript ... more

Securing container applications using the Snyk CLI

When scanning an image you probably want to scan for both operating system vulnerabilities and vulnerabilities in the application dependencies (like npm, pom.xml, package.json etc), in order to get a full picture of the security issues within your images. ... more

Building a secure API with gRPC

A Google remote procedure call (gRPC) is Google’s open source version of the remote procedure call (RPC) framework. It’s a communication protocol leveraging HTTP/2 and protocol buffer (protobuf) technologies. gRPC enables a remote client or server to ... more

Rediscovering argument injection when using VCS tools — git and mercurial

One of the main goals for this research was to explore how it is possible to execute arbitrary commands even when using a safe API that prevents command injection. The focus will be on Version Control System (VCS) tools like git and hg (mercurial), that, ... more

5 ways to secure Drupal 10

Drupal is a popular content management system (CMS) that leading corporations and government agencies use for mission-critical applications. With a supportive community of developers, robust security, multilingual support, compliance with WCAG guidelines, ... more