August 2018 Summaries
3 posts from Snyk
Filter
Month:
Year:
Post Summaries
Back to Blog
Our Slack integration has undergone changes to provide more actionable and aggregated notifications, reducing repetition and making it easier for users to scan and address security vulnerabilities. The new setup combines multiple projects with the same vulnerability into one notification, providing a clearer remediation action and less noise. After beta testing with customers, the updated notifications have been rolled out to all users, aiming to improve user experience while ensuring timely information about security issues is still provided.
Aug 23, 2018
301 words in the original blog post.
This cheatsheet provides best practices for improving Spring Boot security, focusing on a broader topic beyond just authentication and authorization. It covers key areas such as using HTTPS in production, testing dependencies for vulnerabilities, enabling CSRF protection, using content security policy for XSS protection, OpenID Connect for authentication, password hashing, using the latest releases, storing secrets securely, pen testing your app, and having your security team do a code review. The cheatsheet aims to help developers and maintainers improve their Spring Boot applications' overall security posture.
Aug 16, 2018
1,888 words in the original blog post.
A vulnerability has been discovered in five popular Node.js email parsers that allows for a denial of service (DoS) attack by sending an email with millions of empty attachments, which bypasses typical size limits and freezes the Node.js event loop due to excessive memory usage. This issue affects libraries such as mailparser and Haraka, both widely used in various projects, and can crash servers with out-of-memory errors. The vulnerability is easy to exploit but can be mitigated by implementing a simple check to limit the number of attachments. Despite the simplicity of the fix, it raises questions about oversight in software design, where performance and security considerations are often overlooked. This discovery was part of a broader effort to enhance email parsing efficiency and security, illustrating the importance of performance testing and the need for proactive vulnerability assessments. The vulnerability disclosure followed a timeline, with fixes and public announcements coordinated by security researchers and developers, although some parsers remain without a solution.
Aug 01, 2018
1,911 words in the original blog post.