hello.js

var please = require('share');
console.log('thank you');

NEW !!!

Thursday, 15 August, 2019 UTC

10 Eclipse plugins you shouldn’t code without

Developers primarily work from their favorite IDE (integrated development environment). For that reason, good IDE extensions and plugins are becoming more and more important. For this blog, I examined Eclipse IDE plugins and then narrowed it down to ... more


Wednesday, 31 July, 2019 UTC

Staying ahead of security vulnerabilities with security patches

Traditionally, as part of the software development workflow, teams typically release new versions of their packages or apps in order to fix security issues as they arise. With open-source projects however, because maintainers are usually volunteers and ... more


Monday, 15 July, 2019 UTC

How to increase Serverless observability, monitoring and security

Functions are often short-lived and deployed in large numbers and are invoked more and more frequently as you scale. For these reasons, it is easy to lose track of the flow of events and hard to pinpoint the root cause of any given error. On top of that, ... more


Saturday, 6 July, 2019 UTC

Concerns of supply-chain attacks amplify as remote code execution was found in Ruby gem strong_password

On July 5th, 2019, the CVE-2019-13354 security advisory was published for a malicious version of the strong_password Ruby gem which allows for remote code execution in applications bundling the vulnerable dependency. We have already added the vulnerability ... more


Thursday, 4 July, 2019 UTC

Snyk research team discovers severe prototype pollution security vulnerabilities affecting all versions of lodash

On July 2nd, 2019, Snyk published a high severity prototype pollution security vulnerability (CVE-2019-10744) affecting all versions of lodash, as the result of an ongoing analysis led by the Snyk security research team. UPDATE: lodash published version ... more


Wednesday, 3 July, 2019 UTC

Serverless is great, but what about the security of my AWS Lambda functions and their dependencies?

Function as a Service (FaaS) platforms patch your operating system dependencies for you, but do nothing to secure your application dependencies, such as those pulled from npm, PyPI, Maven and the likes. These libraries are just as prevalent and just ... more


Monday, 17 June, 2019 UTC

Yet another malicious package found in npm, targeting cryptocurrency wallets

Cryptocurrency wallet developer Komodo has been in the news recently as the most recent victim of an attempted cryptocurrency attack by malicious code injection via npm dependencies. The EasyDEX-GUI project which provides a graphical user interface (GUI) ... more


Monday, 10 June, 2019 UTC

What’s new in Snyk?

May 21st – June 9th, 2019 Here’s the first installment of our bi-weekly updates on what’s new in Snyk. What’s new? Container security We launched our integration with Docker Hub earlier this year; now we’ve embarked on adding more and more features and ... more


Tuesday, 4 June, 2019 UTC

npm passes the 1 millionth package milestone! What can we learn?

June 4th is a historic date. Not only is it our very own Liran Tal’s birthday (Mazal Tov, Liran!) but it is also the date that the millionth package was indexed into the npm registry. npm is a package manager for JavaScript packages. The core component ... more


Friday, 31 May, 2019 UTC

10 Serverless security best practices

In this instalment of our cheat sheet series, we cover best practices for securing your serverless deployments. DOWNLOAD THE CHEAT SHEET So let’s get started with our list of 8 Azure Repos security best practices: Patch function dependencies Adopt the ... more


Thursday, 16 May, 2019 UTC

Dependency Health—assessing package risk with Snyk

Snyk’s goal is to help you use open source in a secure way. Vulnerabilities are one indicator that a dependency is unhealthy, but there are other risk factors at play as well. For that reason, we have a whole team working on making Snyk the go-to destination ... more


Thursday, 16 May, 2019 UTC

Scoring security vulnerabilities 101: Introducing CVSS for CVEs

Similar to how software bugs are triaged for a severity level, so are security vulnerabilities, as they need to be assessed for impact and risk, which aids in vulnerability management. The Forum of Incident Response and Security Teams (FIRST) is an international ... more


Monday, 6 May, 2019 UTC

A Denial of Service vulnerability discovered in the Axios JavaScript package – affecting all versions of the popular HTTP client

axios is a popular promise-based modern JavaScript HTTP client which is commonly used for browser and Node.js server projects, receiving more than 3 million weekly downloads from npm. Snyk logged a Denial of Service medium severity (5.3 CVSS) security ... more


Monday, 6 May, 2019 UTC

Add a SECURITY.md file to your Azure Repos

The following is a best practice guideline from our series of 8 Azure Repos security best practices DOWNLOAD THE CHEAT SHEET! 4. Add a SECURITY.md file to your Azure Repos It’s natural for most project owners and maintainers to add a README.md for their ... more


Wednesday, 1 May, 2019 UTC

Azure Repos enriched with DevSecOps capabilities

We are excited to share that starting today, developers can test, fix and monitor their Azure Repos projects for open source vulnerabilities. Native detection of vulnerabilities within Azure Repos Snyk helps you detect existing vulnerabilities in your ... more


Monday, 22 April, 2019 UTC

How much do we really know about how packages behave on the npm registry?

In the State of Open Source Security Report 2019 we shared the details of language-based package repository growth over the last few years. As we showed, npm comes out on top every year by a landslide. At the time this article was written, npm boasted ... more


Thursday, 18 April, 2019 UTC

The top two most popular Docker base images each have over 500 vulnerabilities

Welcome to the Docker security report “Shifting Docker security left”. This report is split into several posts: Shifting Docker security left The top two most popular Docker base images each have over 500 vulnerabilities 80% of developers are not addressing ... more


Monday, 15 April, 2019 UTC

After three years of silence, a new jQuery prototype pollution vulnerability emerges once again

On March 26th, 2019, almost three years after the last jQuery security vulnerability was disclosed, we recently learned about a new security vulnerability affecting the same popular jQuery frontend library. This security vulnerability referred to and ... more


Monday, 8 April, 2019 UTC

Cheat sheet: 10 Bitbucket security best practices

In this cheat sheet we’ll cover how you can be more secure as a Bitbucket user or contributor. Some of it is specific to Bitbucket, but a lot of it is also useful for other Git and non-Git repositories as well. DOWNLOAD THE CHEAT SHEET! So let’s get ... more


Monday, 8 April, 2019 UTC

Enriched content on Snyk’s publicly available vulnerability database

At Snyk, we’re focused on security and particularly making open source software more secure. As consumers of open source software ourselves, we’re keen to give back to the community where we can, and increase the availability of information about open ... more


Thursday, 4 April, 2019 UTC

Securing Bitbucket Cloud with Snyk

We are excited to share that starting today, developers can import, test, fix and monitor their Bitbucket Cloud projects for open source vulnerabilities. Being developer-focused, Snyk is the only solution to provide *native* testing and fixing of open ... more


Thursday, 21 March, 2019 UTC

Introducing experimental integrity policies to Node.js

A recent experimental feature for introducing integrity policies landed in Node.js core 11.8.0. This capability, so far shipped only in a non-LTS version, provides integrity checks for a Node.js runtime when modules are being loaded, in order to verify that the ... more


Thursday, 14 March, 2019 UTC

Do you really know how a lockfile works for yarn and npm packages?

What are package lock files? Package lock files serve as a rich manifest of dependencies for projects that specify the exact version of dependencies to be installed, as well as the dependencies of those dependencies, and so on—to encompass the full dependency ... more


Wednesday, 6 March, 2019 UTC

10 Docker Image Security Best Practices

In this installment of our cheat sheets, we’d like to focus on Docker and discuss tips and guidelines that ensure a more secure and higher-quality Docker image process. DOWNLOAD THE CHEAT SHEET! So let’s get started with our list of 10 Docker image security ... more


Tuesday, 5 March, 2019 UTC

Secure your build workflow on Bitbucket Pipes with Snyk

We are excited to announce that Snyk now integrates with Bitbucket Pipes, which allows Bitbucket users to secure their continuous integration/continuous delivery (CI/CD) workflow by finding, fixing and monitoring open-source vulnerabilities (vulns) in ... more


Tuesday, 26 February, 2019 UTC

81% believe developers should own security, but they aren’t well-equipped

Welcome to Snyk’s annual State of Open Source Security report 2019. This report is split into several posts: Maven Central packages double; a quarter of a million new packages indexed in npm 88% increase in application library vulnerabilities over two ... more


Tuesday, 26 February, 2019 UTC

Top ten most popular docker images each contain at least 30 vulnerabilities

Welcome to Snyk’s annual State of Open Source Security report 2019. This report is split into several posts: Maven Central packages double; a quarter of a million new packages indexed in npm 88% increase in application library vulnerabilities over two ... more


Tuesday, 26 February, 2019 UTC

ReDoS vulnerabilities in npm spike by 143% and XSS continues to grow

Welcome to Snyk’s annual State of Open Source Security report 2019. This report is split into several posts: Maven Central packages double; a quarter of a million new packages indexed in npm 88% increase in application library vulnerabilities over two ... more


Tuesday, 26 February, 2019 UTC

78% of vulnerabilities are found in indirect dependencies, making remediation complex

Welcome to Snyk’s annual State of Open Source Security report 2019. This report is split into several posts: Maven Central packages double; a quarter of a million new packages indexed in npm 88% increase in application library vulnerabilities over two ... more


Tuesday, 26 February, 2019 UTC

88% increase in application library vulnerabilities over two years

Welcome to Snyk’s annual State of Open Source Security report 2019. This report is split into several posts: Maven Central packages double; a quarter of a million new packages indexed in npm 88% increase in application library vulnerabilities over two ... more