Our modern digital world has proven that global tensions between countries are not contained to the battlefield. As international cyberattacks and protestware proliferate, the Biden-Harris administration (White House) instructed US institutions, large and small, to be more vigilant about malicious cyber activity.
As developers, we need maximum visibility of what’s actually running in our cloud environments, in order to keep them secure. Infrastructure as code (IaC) helps developers automate their cloud infrastructures, so what’s deployed to the cloud is under control and can easily be audited. But achieving and maintaining 100% IaC coverage of your infrastructure has many challenges.
Containerization describes the creation of a self-contained computing environment that runs on a host machine and any operating system (OS) with an available container runtime engine. Built from an image, a container holds an app and the filesystem alongside configurations, dependencies, binaries, and other specifications needed to run it successfully. Containers are typically much smaller than virtual machines and run in the host’s OS rather than containing OSs themselves.
A few days ago, Snyk reported on a new type of threat vector in the open source community: protestware. The advisory was about a transitive vulnerability — peacenotwar — in node-ipc that impacted the supply chain of a great deal of developers. Snyk uses various intel threat feeds and algorithms to monitor chatter on potential threats to open source, and we believe this may just be the tip of a protestware iceberg.
Recently, researchers from Positive Security published findings identifying a major remote code execution (RCE) vulnerability in dompdf, a popular PDF generation library. In their reporting, they outlined a way that code could be loaded into an application and then remotely executed during a PDF being generated. Dompdf is used quite extensively within the PHP ecosystem, and is used within over 59,000 open sourced platforms and projects.
There are multiple types of encryption and most ecosystems and languages come with many libraries to help you encrypt the data. The question nowadays is, what type of encryption should I pick for the problem. This article will focus on encrypting passwords for Java applications specifically. While we can apply the main principles to any ecosystem, we will explore examples and libraries in Java that are useful for your daily job.
Today we’re pleased to announce an update to our popular Docker and Snyk vulnerability cheat sheet. Since 2020, millions of MacOS and Windows developers have been able to use docker scan to analyze their containers in their local environments as part of their day-to-day development. This capability gives teams feedback at the time of active development for faster cycles.
On March 15, 2022, users of the popular Vue.js frontend JavaScript framework started experiencing what can only be described as a supply chain attack impacting the npm ecosystem. This was the result of the nested dependencies node-ipc and peacenotwar being sabotaged as an act of protest by the maintainer of the node-ipc package.
