Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

December 2022

You should be using HTTP Strict Transport Security (HSTS) headers in your Node.js server

For most websites and apps, employing security-related HTTP headers has become standard practice. Websites use headers as part of HTTP requests and replies to convey information about a page or data sent via the HTTP protocol. They might include a Content-Encoding header to indicate that the content is a compressed zip file or a Location header to specify a redirect URL.

How to build a secure API gateway in Node.js

Microservices offer significant advantages compared to monoliths. You can scale the development more easily and have precise control over scaling infrastructure. Additionally, the ability to make many minor updates and incremental rollouts significantly reduces the time to market. Despite these benefits, microservices architecture presents a problem — the inability to access its services externally. Fortunately, an API gateway can resolve this issue.

5 "no experience needed" tips for building secure applications

Most developers aren’t security experts. This isn’t because we don’t care about security, it’s just that there are only so many hours in the day and features come first. Fortunately, developers don’t need to be security experts to build secure apps — they just need the right tools.

Kubernetes network policy best practices

Controlling and filtering traffic when containerizing a workload within Kubernetes Pods is just as crucial as a firewall in a more traditional network setup. The difference is that, in this scenario, those capabilities are provided by the Kubernetes NetworkPolicy API. This article will explore Kubernetes NetworkPolicy by creating an example network policy and examining its core parameters. Then, we’ll look at some common NetworkPolicy use cases and learn how to monitor them using kubectl.

Building an application security battle plan: Home Alone edition

The holiday season is the perfect time to rewatch some favorite festive movies! While some prefer their holiday movies to be as sappy as possible (Hallmark, we’re looking at you), others relish the annual opportunity to watch an 8-year-old boy exact his revenge on two bumbling bad guys in the 1990 classic Home Alone.

Panel recap: Breaking Bad Security Habits with Corey Quinn

On December 8th, Clinton Herget and Simon Maple, Field CTOs at Snyk, had the opportunity to chat with Corey Quinn, Chief Cloud Economist at The Duckbill Group, podcast host, curator of “Last Week in AWS”, and snarky Twitter personality. Their conversation took a lot of fun turns, from ranting about the hour-long line to get coffee at AWS re:Invent, to Corey proclaiming that “SBOMs are a fantasy” (there’s more context to that… keep reading).

Snyk in 30: Open source security for Atlassian Bitbucket Cloud

In our latest Snyk in 30, Jason Lane (Director of Product Marketing) and I (Marco Morales, Partner Solutions Architect) showcased Snyk Open Source with a focus on our integration with Bitbucket Cloud. They covered why open source security is vital for modern app development, along with tips on taking a holistic approach to application security that goes beyond just shifting left.

Exploring the Spring Security authorization bypass (CVE-2022-31692)

In early November, a new authorization bypass vulnerability was found in Spring Security 5. Now, before we panic let’s look into this problem to see if you are vulnerable. Although the vulnerability is classified as high, there is only a specific set of use cases that are vulnerable. This means that not everyone is vulnerable, and I will show that in a second. Regardless, the advice is to upgrade to the newer version of the Spring Security.

Top takeaways from re:Invent 2022

Live conferences are finally back, and the 11th annual AWS re:Invent did not disappoint. After a virtual 2020 and an in-person reduced-sized edition in 2021, there were more than 52,000 (yes — 52,000!) smiling faces milling about this year’s conference in Las Vegas. As per usual, re:Invent was full of exciting product news and updates. Here are the major announcements that got our attention and some of the things Snyk was up to in Vegas.

Stranger Danger: Your JavaScript Attack Surface Just Got Bigger

Building JavaScript applications today means that we take a step further from writing code. We use open-source dependencies, create a Dockerfile to deploy containers to the cloud, and orchestrate this infrastructure with Kubernetes. Welcome - you're a cloud native application developer! As developers, our responsibility has broadened, and more software means more software security concerns for us to address.

Azure Bicep security fundamentals

Azure Bicep is getting more popular by the day and is rapidly becoming the replacement for Azure Resource Manager (ARM) templates. In this post, I am going to go over some security fundamentals when using Bicep. If you are not familiar with Bicep then I recommend taking a look at the Microsoft Learn documentation to find out more.

Unsafe deserialization vulnerability in SnakeYaml (CVE-2022-1471)

SnakeYaml is a well-known YAML 1.1 parser and emitter for Java. Recently, a vulnerability — CVE-2022-1471 — was reported for this package. This vulnerability can lead to arbitrary code execution. The org.yaml:snakeyaml package is widely used in the Java ecosystem, in part because it is packaged by default with Spring Boot in the spring-boot-starter.

AWS re:Invent 2022: How Neiman Marcus transitioned to developer-first security

At this year’s AWS re:Invent conference, Snyk’s VP of Product Marketing, Ravi Maira, spoke with Omar Peerzada, Cyber Security Architect at Neiman Marcus, about how his team transitioned from older security practices to a developer-first security strategy. Watch the full talk now, or keep reading for the highlights.

Customer Office Hours: CI/CD Best Practices

Learn tips and tricks on how to implement, troubleshoot and scale deployments. For example, should you scan in the CICD or in SCM? What implementation methods should you use - plugin, npm, binary…? We will cover this and more. Host: Sebastian Roth, Senior Solutions Engineer Seb brings his expertise as a Principal Software Engineer & Team Lead for over 17 years into the DevSecOps community, where he now focuses on process improvements and shares best-practices to improve security posture.

How to handle Node.js file uploads with Fastify

File uploading is a commonly needed functionality in web applications. Because of this, many web frameworks provide ways to allow server-side applications to accept files and work with them. This is the same with Fastify, which is a Node.js web framework that is often regarded as a successor to Express. It’s fast and highly focused on providing the best developer experience with a powerful plugin architecture and the least overhead possible.

Using Snyk reporting for data-driven security

Last month, we announced the open beta of Snyk’s new and revamped reporting. Since then, we’ve been amazed at how creative our customers have been in leveraging these new capabilities to answer all sorts of different security questions. We’re not surprised. The new reporting was designed to provide easy access to data across the Snyk platform (including Snyk Code!), and to give customers flexible analysis tools to slice and dice data as they see fit.

How to Sign Kubernetes using Sigstore

In this livestream we are joined by Adolfo Veytia, Staff Software Engineer at ChainGuard and Tech Lead on the Kubernetes SIG-Release team, as we talk about they were able to tackle signing all of the Kubernetes v1.24 image artifact using Sigstore. We then demonstrate signing an image and vulnerability scan result attestations with Sigstore's cosign utility. Didn't catch the live stream? Ask all of your Snyk questions and we’ll do our very best to answer them in the comment section.

5 best practices for React with TypeScript security

As a library focused on building user interfaces rather than a full-fledged framework, React enables developers to choose their preferred libraries for various aspects of an application, such as routing, history, and authentication. Comparatively, Microsoft created TypeScript as an extension of JavaScript to introduce optional static typing to an otherwise loosely typed language.

Why tool consolidation matters for developer security

With threats to cloud native applications rising, security leaders feel more pressure than ever to counter an ever-changing risk landscape. But thanks to a rapidly expanding security solutions market, many respond to these growing demands by adding more products. With so many new tools arising to tackle security challenges, it sometimes seems like the right answer is always “one tool out of reach”.

How to verify and secure your Mastodon account

Mastodon, the free open source self-hosted federated social network platform, has been witnessing a surge of interest and new users due to the recent developments on Twitter — specifically that of verifying accounts. One of the interest areas driving users to Mastodon has been the ability to verify their account identity and convey a sense of authenticity for the account. This provides a way to help prevent spam accounts, bots, and other issues related to fake news.

3 tips for effective developer security training

“This is the golden era of application security,” says Founder of Manicode Security and secure coding trainer Jim Manico on episode 26 of The Secure Developer podcast. Ten years ago, Manico says, security training was “a quirky thing to do — something to do on the side.” Now, assessment tools are mature, good literature on assessment makes knowledge more accessible, and a wide range of intelligent people are building secure applications.