I conducted some research to try and identify YAML Injection issues in open-source projects using Snyk Code. Though the vulnerability itself is not a new one, the potential impact of YAML Injection is high, which made it a good candidate for research. This research led to the discovery of several issues in open-source projects written in Python, PHP and Ruby. This article focuses on the issue found in geokit-rails version 2.3.2, a plugin for Ruby on Rails
Were you tasked with building a product that requires the execution of dynamic JavaScript originating from end users? You might think building it on-top of Node.js VM module is a viable way to create a JavaScript sandbox. In this article, we’ll learn why that’s far from being a recommended approach and the security implications of doing so. Every now and then there’s a project that challenges the rudimentary and routine backend development. APIs? Message queues?
I was inspired to write this after reading a post from Thomas Depierre on Mastodon. The post touched on something that’s been troubling me recently. When it comes to software security, we spend a lot of time talking about the software supply chain and related concepts, such as the software bill of materials (SBOM). This metaphor comes from an industrial lexicon. People who are used to talking about economies and how manufacturing works are familiar with the idea of supply chain.
Mass assignment, also known as autobinding or object injection, is a category of vulnerabilities that occur when user input is bound to variables or objects within a program. Mass assignment vulnerabilities are often the result of an attacker adding unexpected fields to an object to manipulate the logic of a program.
If I throw a coin high up in the air, I know the outcome — it will either be heads or tails. However, I can’t predict which it will be. I will certainly be able to guess with a 50% chance, but I can’t be 100% certain. If I were to roll a die, my certainty becomes less (1 in 6). However, I still know what the output could be. Computers are great at many things, especially predictability. They are deterministic and creating a truly random number is impossible.
Our long-standing partnership with Atlassian is built on our mutual commitment to providing a great developer experience. It started with our native integration within the Bitbucket Cloud UI, and today we’re incredibly excited to announce yet another new door opening in our partnership. The new Snyk integration for Jira Software will bring security and collaboration to Atlassian users at every stage of the development lifecycle.
Audits are challenging. Especially when it comes to assessing abstract compliance standards against multiple cloud environments, unique cloud infrastructure setups, and many possible (mis)configurations. To help our customers automate compliance assessments, Snyk Cloud now supports 10+ compliance standards— including CIS Benchmarks for AWS, Azure, and Google Cloud, SOC 2, PCI DSS, ISO 27001, HIPAA, and more.
Every day, thousands of developers use the Snyk CLI as part of their development workflow, to identify and resolve security issues in their code as early as possible. What if these developers and other security professionals could harness the power of this dev-first approach and also utilize entirely new security analyses, filters, and workflows via an extensible approach?
Regardless of how last year went, a few things probably come to mind that you’d like to leave in 2022. Maybe it’s a bad habit you’d like to drop or a mindset you’d like to change. But speaking of ditching bad habits, some poor cloud application security practices shouldn’t carry over to 2023 either!
