Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

August 2022

Best practices for containerizing .net applications

Containerization with Docker has become a major trend in web application development that many.NET developers have adopted. There are many compelling advantages for developers and DevOps engineers to containerize.NET applications, even when working with the older.NET Framework 4.x versions. However, if we don’t know how to use containers properly, we’ll experience little benefit from them.

Securing container applications using the Snyk CLI

When scanning an image you probably want to scan for both operating system vulnerabilities and vulnerabilities in the application dependencies (like npm, pom.xml, package.json etc), in order to get a full picture of the security issues within your images. Until now, when using the Snyk Container test/monitor commands to scan images you had to specify the --app-vulns flag in order to scan for application vulnerabilities.

How to build a Slack bot with Zapier and JavaScript to fetch trending topics on Reddit

Reddit is a good place to stay in the loop when it comes to web development news, and if you’re like me, you probably follow subreddits like r/node or r/javascript. I recently found a great way to build a Zapier Reddit integration with just my JavaScript knowledge — so I can share those trending Reddit posts in my team’s channel. In this article you’ll learn.

How Malicious NPM Packages Make Your Apps Vulnerable

During this live stream we had a conversation with Zbyszek Tenerowicz (ZB) where he discuss how we can be susceptible to malicious packages as developers. Didn't catch the live stream? Ask all of your Snyk questions, and we’ll do our very best to answer them in the comment section. Snyk helps software-driven businesses develop fast and stay secure. Continuously find and fix vulnerabilities for npm, Maven, NuGet, RubyGems, PyPI and more.

Applying the principle of least privilege to Kubernetes using RBAC

The principle of least privilege (PoLP) is a defensive strategy in the software development world. Alternatively called the principle of minimal privilege or the principle of least authority, PoLP ensures that users can only access the systems, processes, networks, and files required to complete their assigned tasks. When properly configured, unauthorized users can’t navigate to restricted application functions or switch roles.

Building Modern Access-Control for Cloud Applications with Or Weis | SnykLIVE Recording

With the growing complexity of modern applications and microservices based architectures getting access-control right has become a huge ongoing pain-point, as companies find themselves reimplementing access-control over and over. Solutions are found in the new tool sets of policy as code, as well as the 5 best practices and open-source tools (e.g. OPA, OPAL, Zanzibar) we can use to face the challenge.

Best practices for container isolation

Containers are a standardized software packaging format that provides a predictable, replicable way to run applications. Container isolation is one of the primary benefits of containerized applications. Using containers enables us to isolate our software from its environment, increasing consistency and reliability across our development and staging environments. You’re probably familiar with — or are using — Docker containers.

Best practices for managing Java dependencies

Creating Java applications is great, and many resources are available. To speed up development, many folks use frameworks and libraries that do some of the heavy lifting. When looking at modern Java applications, almost all of them contain dependencies from libraries developed by someone else. Dependencies take up about 80 to 90 percent of the binary — so, we should take good care of them when creating a Java project.

Building a secure API with gRPC

A Google remote procedure call (gRPC) is Google’s open source version of the remote procedure call (RPC) framework. It’s a communication protocol leveraging HTTP/2 and protocol buffer (protobuf) technologies. gRPC enables a remote client or server to communicate with another server by simply calling the receiving server’s function as if it were local. This makes communicating and transferring large data sets between client and server much easier in distributed systems.

PyPi Malware Stealing Discord and Roblox Payment Info

Raul Onitza-Klugman, Senior Security Researcher at Snyk, joins Kyle to take a deep dive in to the latest set of malicious packages discovered by the Snyk Security Research team. Join us as we discuss how these findings came to be, what they mean for open source security, and some hypotheses about the future of supply chain security.

Stranger Danger: Your Java Attack Surface Just Got Bigger

Building Java applications today means that we take a step further from writing code. We use open-source dependencies, create a Dockerfile to deploy containers to the cloud, and orchestrate this infrastructure with Kubernetes. Welcome, you're a cloud native application developer! As developers, our responsibility broadened, and more software means more software security concerns for us to address.

8 tips for securing containers from source to runtime

Today we’re announcing a new container security cheat sheet and report — created in collaboration with our partner Sysdig. Download cheatsheet In this post, we’ll outline tips to help you successfully navigate the challenges of container security with a focus on three core principles: Traditional security approaches are incapable of handling the distributed and ephemeral nature of containers.

Keeping Docker secrets secure (even if you're not using Kubernetes)

Distributed containerized systems compose applications, resources, services, databases, and other artifacts. These components often need sensitive information such as user keys, passwords, API keys, and certificates to function properly. Secrets management is critical for adequately handling sensitive information and Kubernetes deployments often utilize their built-in Secrets resource type and associated RBAC controls but what if you aren’t deploying on Kubernetes?

Rediscovering argument injection when using VCS tools - git and mercurial

One of the main goals for this research was to explore how it is possible to execute arbitrary commands even when using a safe API that prevents command injection. The focus will be on Version Control System (VCS) tools like git and hg (mercurial), that, among some of their options, allow the execution of arbitrary commands (under some circumstances). The targets for this research are web applications and library projects (written in any programming language) that call these commands using a safe API.

How open source C++ code can introduce security risks

Open source libraries and frameworks are a great way to jump-start development projects. Open source empowers developers to do some great things without reinventing the wheel and developing solutions for problems that have already been solved. However, adding any code to a project carries an inherent risk of introducing potential vulnerabilities that may have made their way into it through error or malice.

The dangers of assert in Python

There are many ways to find bugs in Python code: the built-in debugger (pdb), a healthy amount of unit tests, a debugger in an IDE like Pycharm or Visual Studio, try/catch statements, if/else statements, assert statements, or the tried and true practice of covering every inch of your codebase in print() statements like it’s going out of style. Assert statements can help us catch bugs quickly and are far less intrusive than copious amounts of print statements.

Signing Kubernetes with Sigstore

Adolfo García Veytia, Staff Software Engineer at ChainGuard and Tech Lead on the Kubernetes SIG-Release team, joins Eric and Kyle to talk about how they were able to tackle signing all of the Kubernetes v1.24 image artifacts using Sigstore. Then we will demonstrate signing an image and vulnerability scan result attestations with Sigstore's cosign utility.

Ruby gem installations can expose you to lockfile injection attacks

In this post, we’ll look at the security blindspots of lockfile injection that a Ruby gem might expose via its Gemfile.lock. As a prelude to that, we will open up with a brief introduction to Ruby and third-party dependencies management around RubyGems and Bundler. Web developers often work on Ruby projects, but are mostly referring to them as the popular open source web application framework Ruby on Rails.

Snyk finds PyPi malware that steals Discord and Roblox credential and payment info

Snyk security researchers continually monitor open source ecosystems for malicious packages, utilizing static analysis techniques to identify and flag suspicious packages. Each malicious package is identified upon publication to the package manager and swiftly added to the Snyk Vulnerability Database. During recent research, the team found 12 unique pieces of malware belonging to the same actor.

Top 5 C++ security risks

C++ offers many powerful capabilities to developers, which is why it’s used in many industries and many core systems. But unlike some higher-level languages that offer less direct control over resources, C++ has a variety of security concerns that developers must be keenly aware of when writing code to avoid introducing vulnerabilities into projects. As developers, we build applications with our end-users in mind. They trust us with their data, time, and device access.

Installing multiple Snyk Kubernetes controllers into a single Kubernetes cluster

Kubernetes provides an interface to run distributed systems smoothly. It takes care of scaling and failover for your applications, provides deployment patterns, and more. Regarding security, it’s the teams deploying workloads onto the Kubernetes cluster that have to consider which workloads they want to monitor for their application security requirements.

Untangle the Secrets of your JavaScript Dependencies

In an ecosystem with an increasing number of dependencies, maintainers and supply chain attacks, discover an open source tool designed to analyze in depth the dependencies of a given remote package or local manifest. Not knowing what’s in the node_modules directory is a bad dream from the past. Dive in with me to find out the secrets that your dependencies hide from you.

Introducing Snyk Training, our online learning platform

Snyk has officially launched Snyk Training, a free online resource to help developers and security teams learn how to implement, configure, and use Snyk on their own. The initial content in Snyk Training focuses on three learning needs: The platform is an easy way for teams to get an introduction to Snyk tools and user best practices. Most courses take between 3 and 10 minutes, and have been described by a customer as, a “very good overview on how to get started with the Snyk journey!”

Controlling your server with a reverse shell attack

Creating and running an application in your favorite language is usually pretty simple. After you create your application, deploying it and showing it to the world is also quite straightforward. The last thing you need is someone to take over your system and fully control your brand new application. In this article, I’ll explain how this can happen with a reverse shell attack. Note that the code examples in this article are for educational purposes only.

Stranger Danger: Your JavaScript Attack Surface Just Got Bigger

Building JavaScript applications today means that we take a step further from writing code. We use open-source dependencies, create a Dockerfile to deploy containers to the cloud, and orchestrate this infrastructure with Kubernetes. Welcome, you're a cloud native application developer! As developers, our responsibility broadened, and more software means more software security concerns for us to address.

Introducing Snyk Auto-Issues for Jira: a new open source application for automated issue creation

One of the things I’ve grown accustomed to as a developer is fiddling around with new languages or frameworks I find interesting. So naturally, working with our partners to launch Snyk Apps is right in my wheelhouse. At work and on my own time, I enjoy trying to build something that others might find interesting or useful. As a Jira user myself, I decided to take a look at Atlassian’s Forge platform and see what I could do with it.

AWS re:Inforce 2022 recap

If you’re looking to catch up on what happened at this years AWS re:Inforce, this is the blog for you. There were many important announcements were this year, including some exciting updates on the cloud security front. In this post, we’ll quickly review the goals of the conference and who should attend, before diving into the keynote highlights, software updates, and helpful resources.

Securing PHP containers

According to Wappalyzer, PHP powers over twelve million websites. Not bad for a 28-year-old language! Despite its age, PHP has kept up with modern development practices. With support for type declarations and excellent frameworks like Laravel and Symfony, PHP is still a great way to develop web apps. PHP works well in containerized environments. With an official image available on Docker Hub, developers know they can access well-tested PHP container images to build on.

A definitive guide to Ruby gems dependency management

Ruby, much like other programming languages, has an entire ecosystem of third-party open source libraries which it refers to as gems, or sometimes Ruby gems. These gems are authored by the community, and are available from RubyGems.org which is the official registry for Ruby libraries. Similarly to other open source ecosystems, threat actors may publish deliberate malicious code or such which includes backdoors or credentials harvesting.

Testing effectively in Terraform

Terraform is an infrastructure as code (IaC) solution that enables DevOps teams to use coding concepts to automatically deploy on-premise or public cloud infrastructure components. These components may include virtual machines, network components, storage, applications, or database services. Terraform provides HashiCorp Language (HCL).