On Oct 25, 2022 The OpenSSL project announced a forthcoming release of OpenSSL (version 3.0.7) to address a critical security vulnerability. This release should go live on Tuesday, November 1, 2022 between 1300 and 1700 UTC. Snyk has published a placeholder advisory with the current known details, and will update the advisory when official vulnerability details are publicized. The last critical vulnerability in OpenSSL was released in 2016.

In 2022, AWS (Amazon Web Services) remains one of the dominant cloud platforms and continues to be recognized as a leader in Cloud Infrastructure and Platform Services. AWS accounts for 34% of the cloud infrastructure service providers, so many organizations today have either all, most, or at least some of their infrastructure on AWS.

When building applications in Java, we highly depend on external libraries and frameworks. And each Java package that is imported likely also depends on more libraries. This means that the amount of Java packages included in your application is often not really transparent. As a developer, these nested (transitive) dependencies create the problem that you probably do not know all the libraries you are actually using.

Fuzzing is a software security testing technique that automatically provides invalid and random input to an application to expose bugs. The goal of fuzzing is to stress the application to cause unexpected behavior, crashes, or resource leaks. It allows us, as developers, to understand the behavior and vulnerability of applications more comprehensively. We use fuzzing tools, referred to as fuzzers, to perform this kind of testing.

Testing code is the first step to making it secure. One of the best ways to do this is to use unit tests, ensuring that each of the smaller functions within an app behave as they should — especially when the app receives edge-case or invalid inputs, or inputs that are potentially harmful.

The Domain Name System (DNS) translates domain names into IP addresses. Every device and website has an IP address that other devices, websites, and online services use to communicate with it. IP addresses are a string of numbers usually formatted as 000.000.000.000. However, we use domain names since people can’t easily remember these numbers.

Snyk is excited to announce a new, native integration with Atlassian Bitbucket Cloud. This new release improves Snyk’s functionality within Bitbucket Cloud, making installation faster, and easier to implement. Our Bitbucket integration is the first out-of-the-box embedded security experience within the Atlassian UI, enabling users to access high vulnerability counts and rich contextual information right from their native Bitbucket workflow.

Node.js provides a single-threaded JavaScript run-time surface that prevents code from running multiple operations in parallel. If your application typically employs synchronous execution, you may encounter blocks during long-running operations. However, Node.js itself is a multi-threaded application. This is evident when you use one of the standard library’s asynchronous methods to perform I/O operations, such as reading a file or making a network request.

Security and observability data go hand in hand when it comes to application health. If you can put those two sources of data behind a single pane of glass you can make your life a lot easier. By leveraging the different options that the Snyk platform provides, you can send all your application security vulnerabilities found by Snyk directly to your New Relic observability platform. Let’s see how!

In our previous blog breaking down The 5 Fundamentals of Cloud Security, we looked at the value of prevention and secure design. Mapping resource relationships and enforcing security guardrails throughout development helps greatly reduce an available attack surface. But who will enforce these guardrails when your security team is busy with other work? This should be where developers are able to step in. So let’s look at another vital element in cloud security: empowering developers.

Developing and testing a frontend feature can be difficult, especially when the backend it depends on is not ready. This dependency on a backend API often slows down the development process. In scenarios like this, developing a mock API can save you a lot of time by allowing you to develop your feature independent of the backend, and make it easier to test and identify scenarios where your API might fail before it is ready.

Categorizing the challenges and duties of your trusted friend, the site reliability engineer (SRE). From Snyk Ambassador Keith McDuffee, DevSecOps and founder of StackRef.com. “What’s the difference between a DevOps engineer and a site reliability engineer?” It’s a question I hear all the time — and one I’ve heard (and sometimes asked) in job interviews. But is there a correct answer? It all depends on who you ask.

Developer-centric security movements have dominated discussions in software development over recent years. The concepts are clear — integrate security early and find issues faster. But how does an organization measure the success of its developer security program?

First things first, let’s be clear that this is NOT a new Log4Shell or Spring4Shell vulnerability. Although it is a remote code execution issue, the impact is neither as severe nor as easily exploitable as the issue in Log4j from December 2021. Similar to the Log4j issue, the essence of the problem is that you can perform a lookup that can then be misused. However, the Log4shell vulnerability was very easy to exploit — which is not necessarily the case this time.

As a developer, you probably rely on open source every day. Open source code is incredibly beneficial for building and improving products, whether personal or professional. But have you considered going a step further and contributing to open source projects as well? Taking this approach can improve your skills and make a positive impact on the software development community at large. Yet, taking the leap can seem difficult. Where do you start?

When developers need to handle URLs in different forms for different purposes — such as browser history navigation, anchored targets, query parameters, and so on — we often turn to Java. However, its frequent use motivates attackers to exploit its vulnerabilities. This risk of exploitation is why we must implement URL validation in our JavaScript applications.

Nowadays, we do virtually everything online: book flights, pay for goods, transfer bank funds, message friends, store documents, and so on. Many things we do require giving out sensitive information like our credit card details and banking information. If a website uses an unsecured network, a malicious hacker can easily steal user information. This is why encryption is so important.

If you’re like me, you really appreciate a test automation step as part of your pull request (PR) CI for that added confidence before merging code. I want to show you how to add Playwright tests to your PRs and how to tie it all together with a GitHub Actions CI workflow.

Snyk Code supports various languages important in the cloud native arena, Ruby being among them (and we’ve seen great adoption, so thank you!). Our researchers are constantly monitoring our rule sets, using our training set of open source projects, but also — and, yes this is an advantage of a SaaS service — how the rules do on the code that is scanned. Just as a reminder, Snyk does not use your code to train our sets — but we do aggregate usage statistics.

In our previous blog breaking down The 5 Fundamentals of Cloud Security, we discussed the importance of knowing your environment. Teams need to have a comprehensive inventory of their cloud environments to have a clear understanding of the security risks that might exist within. With that in mind, let’s explore the importance of vulnerability prevention and secure design working together to keep threat actors from gaining meaningful access to your organization’s cloud control plane.

GitOps is a popular framework for managing and securing the application development pipeline. For many who have embarked on a GitOps journey, a common question is: “how can I secure my pipeline when everything is automated?” The GitOps framework is a concept where any code commits or changes are done through Git, which then triggers an automated pipeline that builds and deploys applications on Kubernetes.

Python is a growing language. As it evolves and expands, so do the number of tools and development strategies available for working with it. One process that’s become increasingly popular is linting — or checking code for potential problems. With linting, errors in our code will be flagged so we can correct unusual programming practices that might result in problems. Linting is performed while the source code is written and before it’s compiled.

Data Transfer Objects (DTOs) in Java are objects that transport data between subsystems. It is an enterprise design pattern to aggregate data. The main purpose is to reduce the number of system calls needed between the subsystems, reducing the amount of overhead created. In this article, I will explain how DTOs are used in modern Java applications, ways your application can benefit, and how Java DTOs can help you be more secure by preventing accidental data leaks.

In a previous article, I wrote about how — and why — you might want to use the Google Open Source group’s Jib tool to build your Java application container images. Jib builds slim, JVM-based, OCI-compliant images that follow best practice guidelines without the need for a container runtime like Docker, and it removes the need to write and manage Dockerfiles. What if you are building Go applications, though?

Security has been a concern in the tech industry for years now. However, not a lot of companies follow their own protocols or guides when it comes to securing code. It’s easy to believe that security incidents are uncommon (or unlikely to happen in your own organization), but the latest issue with Uber is one of many examples to the contrary.

Red teams, blue teams, and purple teams, oh my! Many of us have heard these terms, but what exactly do they mean? And where does our individual interest and expertise place us? There are many niche roles within security, but this post will cover the basics of red, blue, and purple teams, and explain how they work together to enhance an organization’s security posture.

140,000 Social Security numbers and about 80,000 bank account numbers — that’s what one attacker stole from a major financial institution back in 2019. How did it happen? The attacker used firewall credentials to obtain privilege escalation and hack into improperly secured Amazon cloud instances.

This week, at HashiConf 2022, Snyk was recognized by HashiCorp as the winner of the 2022 Collaboration Technology Partner of the Year award. Carey Stanton, Snyk’s Senior Vice President of Business Development, was in Los Angeles and accepted the award on stage at HashiConf. Snyk is honored to be named HashiCorp’s 2022 Technology Partner of the Year for Collaboration.

Today we’re announcing support for SPNEGO-based Kerberos and NTLM proxy authentication protocol support in Snyk CLI for Windows, with support for other operating systems coming shortly.

Snyk, the leader in developer security, is excited to share that we’ve been named a Customers’ Choice in the 2022 Gartner Peer Insights ‘Voice of the Customer’: Application Security Testing. Gartner defines the Application Security Testing category as products and services designed to analyze and test applications for security vulnerabilities. This distinction is based on meeting or exceeding overall rating, user interest, and adoption.

Snyk Security Researchers have been using dynamic analysis techniques to unravel the behaviors of obfuscated malicious packages. A recent interesting finding in the Python Package Index (PyPi) attempted to imitate a known open source developer through identity spoofing. Upon further analysis, the team uncovered that the package, raw-tool, was attempting to hide malicious behavior using base64 encoding, reaching out to malicious servers, and executing obfuscated code.