A few years ago, REI embarked on its digital transformation and cloud migration journey, moving on-prem development environments to AWS. But, as REI’s development teams began this transition, their security counterparts noticed that application security just wasn’t keeping up. As a result, REI began another journey: identifying the right security tooling and cultural shifts for AppSec success.

Did you know that GitHub Copilot may suggest insecure code if your existing codebase contains security issues? On the other hand, if your codebase is already highly secure, Copilot is less likely to generate code with security issues. AI coding assistants can suggest insecure code due to their limited understanding of your specific codebase. They imitate learned patterns or utilize available context without providing judgment.

People, processes, and tooling all impact an organization’s ability to maintain a strong AppSec program. In a recent panel at Black Hat Europe, Snyk spoke with two customers — Jaguar Land Rover (JLR) and Asda — about the unique challenges they face managing development teams, onboarding new security tools, and building a modern DevSecOps program throughout their organizations.

Server-side request forgery (SSRF) is a common vulnerability that can crop up unknowingly in any Node.js application. It poses a significant threat because attackers can manipulate a server into making unintended requests to both internal and external resources. This article will explore SSRF, its potential risks, and the strategies to mitigate SSRF in Node.js applications.

As reliance on software systems continues to grow, so does the emergence of numerous security threats. One notable threat for developers, especially those working with Node.js, is SQL injection. SQL injection is a malicious attack where nefarious SQL code is injected into a system, exposing sensitive information, corrupting or deleting data, and sometimes, granting unauthorized access to attackers.

Adding AI to your software development life cycle (SDLC) comes with great opportunities — and great dangers. Is the risk worth the reward? This was the topic of conversation when Sascha Wiswedel, Senior Solutions Engineer at Atlassian, and Simon Maple, Principal Developer Advocate at Snyk, teamed up to discuss security in the (AI-assisted) software development lifecycle.

For security leaders, building a strong working relationship with your CISO often comes down to your ability to provide clear reports and concise risk summaries. Your reports allow CISOs to perform a vital responsibility of their role: translating highly technical security jargon into actionable recommendations that will reduce risk and improve security maturity across the organization. And in the case of a breach or zero-day event, CISOs may be the bearer of bad news.

At Snyk, we are big fans of Open Policy Agent’s Rego. Snyk IaC is built around a large set of rules written in Rego, and customers can add their own custom rules as well. We recently released a series of improvements to Snyk IaC, and in this blog post, we’re taking a technical dive into a particularly interesting feature — automatic source code locations for rule violations.

The software bill of materials (SBOM) is quickly becoming an essential aspect of open source security and compliance. In this post, we'll delve into what SBOMs are, why they're necessary, and their role in open source security.

The Snyk Security Labs team recently embarked on a research project into the Docker engine. During this project, I had the opportunity to perform what is arguably my favorite kind of research using my favorite selection of tools. The research panned out quite successfully, and we identified four high severity vulnerabilities that allow a malicious attacker to break out of a container environment with a controlled Dockerfile under docker build and, in one case, docker run.