February 2019 Summaries
16 posts from Snyk
Filter
Month:
Year:
Post Summaries
Back to Blog
The Snyk State of Open Source Security report 2019 highlights a significant increase in application library vulnerabilities over two years, with nearly doubling from 43% to 88%. This rise is attributed to the growing number of new packages being indexed in ecosystems such as Maven Central and npm. The report also reveals that 81% of developers believe security should be owned by developers, but they are not well-equipped to handle it. Moreover, open source maintainers want to be secure, but 70% lack the necessary skills. The top ten most popular Docker images each contain at least 30 vulnerabilities, and ReDoS vulnerabilities in npm have spiked by 143%. Furthermore, 78% of vulnerabilities are found in indirect dependencies, making remediation complex.
Feb 26, 2019
1,041 words in the original blog post.
The adoption of application container technology is increasing rapidly, with 78% of vulnerabilities found in indirect dependencies making remediation complex. The top ten most popular Docker images each contain at least 30 publicly known vulnerabilities, including the official Node.js image which ships 580 vulnerable system libraries. Snyk's recently released Docker scanning capabilities have found that 44% of Docker image scans had known vulnerabilities, and for many cases, newer and more secure base images were available. The use of an alias like `node:10` can lead to exposure to multiple vulnerabilities, whereas using a specific version tag like `node:10.8.0-jessie` can help reduce the attack surface by recommending newer images with fewer vulnerabilities. Additionally, there is an increase in ReDoS vulnerabilities in npm and XSS continues to grow, highlighting the need for developers to take security seriously.
Feb 26, 2019
1,133 words in the original blog post.
The State of Open Source Security report 2019 highlights the growing concern of open source vulnerabilities, with 88% increase in application library vulnerabilities over two years and 70% of open source maintainers lacking skills to address security issues. The report also reveals that indirect dependencies account for 78% of overall vulnerabilities, making remediation complex. Additionally, it is found that top ten most popular docker images contain at least 30 vulnerabilities each, while ReDoS vulnerabilities in npm have spiked by 143%. To improve security, both open source maintainers and developers are advised to practice secure code review, regularly audit their code base for vulnerabilities, and implement a shift-left security strategy.
Feb 26, 2019
989 words in the original blog post.
Developers believe they should own security for their applications, but many lack the necessary skills and knowledge to effectively manage security. According to a recent report, 88% of application library vulnerabilities have increased over two years, with 78% found in indirect dependencies, making remediation complex. Top ten popular Docker images contain at least 30 vulnerabilities each. The use of dependency management tools is still relatively low, with only 36% of users actively using such tools to find vulnerabilities. Despite this, many organizations are adopting a DevSecOps approach, integrating security into the entire development lifecycle from design to production.
Feb 26, 2019
923 words in the original blog post.
Open source maintainers face significant security challenges, with many lacking necessary skills and knowledge to ensure their projects are secure. A majority of maintainers (63%) believe they have medium-level security know-how, while only 30% rank themselves as high. However, a significant number (70%) admit to not having strong security knowledge. Many maintainers do not conduct regular security audits, with one in four reporting that they never run an audit. Despite this, there is a positive trend towards repeated auditing actions. Maintainers often find out about vulnerabilities through public channels or by reviewing their own code personally. The average time-to-fix for a vulnerability is around 2.5 years, highlighting the need for more proactive security measures. A responsible disclosure policy can help maintainers respond quickly to security issues and provide a window of time for users to upgrade to fixed versions.
Feb 26, 2019
1,787 words in the original blog post.
The State of Open Source Security report highlights several concerning trends in open source security, including a significant spike in ReDoS vulnerabilities in npm packages by 143% in 2018, and an increase in XSS vulnerabilities across various ecosystems. The report also notes that 78% of vulnerabilities are found in indirect dependencies, making remediation complex. Additionally, it reveals that malicious packages were downloaded over 8 million times in 2018, with sophisticated attacks targeting the npm ecosystem, including typosquatting, compromised maintainer accounts, and socially engineered inclusion of malicious packages. The report emphasizes the need for developers to own security and highlights the importance of skills training for open source maintainers.
Feb 26, 2019
1,235 words in the original blog post.
Your CI/CD environment is secure when it uses a GitOps continuous integration (CI)/continuous delivery (CD) pipeline combined with good security practices, which improves the overall security of your development workflow to Kubernetes. A typical CI/CD pipeline may have direct access to the container image repository and production cluster, violating Open Web Application Security Project (OWASP) principles like Principle of Least Privilege and Separation of Duties. Adopting a GitOps approach addresses these issues by running a reconciliation operator from within the cluster itself, eliminating credential leakage and minimizing privileged access. This reduces security risk and emphasizes the need for good security in your code repository. To further secure your CI/CD pipeline, consider adding security testing to your PRs, statically analyzing your repo with Snyk, never storing credentials as code/config, tightly controlling access, and creating a SECURITY.md file.
Feb 21, 2019
1,426 words in the original blog post.
Snyk's "developer first" approach aims to provide seamless security ownership by developers, integrating with existing tools and workflows to tackle security at various stages, including IDEs, git, build stages, PaaS, project management, and messaging tools. The company's container vulnerability management scans Docker images, inspecting OS packages and key binaries for vulnerabilities, while also providing remediation advice within the tool. This approach aims to minimize false-positives by leveraging a proprietary Vulnerability DB. By automating security checks and fixes, Snyk seeks to balance efficiency and security in DevOps pipelines, particularly when shipping container images to registries.
Feb 21, 2019
665 words in the original blog post.
10 npm Security Best Practices are outlined in this article to help developers minimize the risk of introducing security vulnerabilities into their projects when using npm. By following these best practices, developers can ensure that their packages and dependencies are secure, up-to-date, and free from malicious modules. The article highlights the importance of security auditing, vulnerability scanning, and responsible disclosure of security vulnerabilities, as well as the use of tools like Snyk to streamline security processes. It also provides tips on how to minimize attack surfaces by ignoring run-scripts, using local npm proxies, enabling 2FA, and protecting npm tokens. By adopting these best practices, developers can help prevent security breaches and ensure the integrity of their projects.
Feb 19, 2019
3,184 words in the original blog post.
The Secure Developer community has been launched by Snyk, bringing together security experts to share knowledge on building security into workflows and discussing tools that can help. The community will host live webinars every two weeks, featuring speakers who will share their perspectives on relevant security topics. The aim is to educate and enable software engineers to integrate security into their development practices. The community aims to create a vendor-neutral space to share knowledge and best practices related to software security, focusing on application security in general rather than Snyk specifically. The community will be powered by Snyk, with the goal of growing this resource into a thriving ecosystem of knowledge.
Feb 14, 2019
431 words in the original blog post.
The `runC` binary, used by container engines like Docker and Kubernetes, has a serious security flaw discovered by Adam Iwaniuk and Borys Popławski, which allows containers to break out of their isolated context and gain root-level privileges on the host. This vulnerability is particularly concerning because Docker containers run as privileged containers by default, and the `runC` binary executes every time a container command is instructed, making it easy for malicious containers to alter the binary and execute modified instructions. The issue highlights the importance of following the least privilege principle and applying patches in a responsible manner, especially considering that exploit code will be made public on February 18th to test and verify whether the security vulnerability has been patched successfully.
Feb 13, 2019
932 words in the original blog post.
The author of the text recently started working as a Developer Advocate at Snyk, a company that provides tools for secure open-source project development. The company's All Hands conference brought together employees from different countries and departments to share accomplishments, goals, and challenges. This event helped the author get familiar with the company culture and values, such as being kind, caring deeply, and operating as one team despite geographical distance. The growth of the team is driven by a recent series B fundraise, which will enable ambitious goals like expanding supported ecosystems and investing in innovative projects. The conference also included fun events and activities to foster team building and friendship among employees. The author feels excited about joining the company's Developer Relations team and contributing to community building, security education, and other initiatives.
Feb 12, 2019
1,300 words in the original blog post.
Scanning Docker images for key binaries - going beyond package managers
We've extended our Docker scans to include scanning key binaries that were manually installed on the Docker image, in addition to OS packages installed by package managers such as dpkg, apk or rpm. This new scan ensures protection against vulnerabilities in unmanaged installed binaries, including Node.js and Java Runtime Environment, with more types of binary vulnerabilities to be added soon. The enhanced scan is now available in the latest CLI version, which must be upgraded for use. The Snyk UI will also display key binary vulnerabilities when monitoring a Docker project, allowing easy filtering by type. Automatic reporting of detected vulnerabilities will occur if a supported key binary was installed manually. This new capability enhances our Container Vulnerability Management solution, providing more comprehensive vulnerability data and remediation information.
Feb 07, 2019
312 words in the original blog post.
NumPy arbitrary code execution vulnerability allows for the execution of potentially malicious code due to a flaw in the Python pickle module used by NumPy's load function, which can be exploited without authentication or technical knowledge. The vulnerability is present in versions 1.10 through 1.16 and can be mitigated by setting allow_pickle=False when loading data from untrusted sources. Currently, no known instances of exploitation have been reported, but awareness of the issue is growing, prompting the NumPy team to work on a patch or upgrade.
Feb 05, 2019
394 words in the original blog post.
The Node.js Event-Loop can be blocked by async functions, even with the use of async/await keywords. This happens because the event-loop only checks for pending callbacks in specific phases (timers, pending callbacks, idle, prepare, poll, check, and close). If a callback enqueues another callback that can be handled in the same phase, it will be handled before moving to the next phase. However, if an async function uses promises or timers, it may block the event-loop if not used correctly. The use of `setImmediate()` or `setTimeout()` with a non-zero delay can help partition long-running synchronous code and prevent blocking the event-loop. Nevertheless, there is still an overhead in using these functions, and finding the right balance between blocking and yielding is crucial to avoid performance issues. Additionally, some built-in JavaScript functions like `JSON.parse()` can block the event-loop as well. Understanding the Node.js Event-Loop and its behavior is essential for writing efficient and non-blocking code.
Feb 04, 2019
3,451 words in the original blog post.
Snyk has announced the launch of .NET source code management support for GitHub, Bitbucket, and GitLab. This enables developers to import, scan, and monitor .NET projects directly within these platforms without needing to move away from Snyk. The new feature splits imported projects by target frameworks, creating a dependency tree with direct and transitive dependencies for each supported framework. It tests the project against Snyk's vulnerability database and continues monitoring for newly discovered vulnerabilities related to existing packages. Future plans include remediation functionality, scanning more file types, and adding integrations with Azure Repos.
Feb 04, 2019
448 words in the original blog post.