April 2019 Summaries
9 posts from Snyk
Filter
Month:
Year:
Post Summaries
Back to Blog
Snyk is expanding its Container Vulnerability Management offering to integrate with popular container image registries, allowing developers to scan and monitor their registry images for vulnerabilities directly from within the registry. The new integration with Docker Hub marks the first of several upcoming integrations, including Azure Container Registry, Amazon Elastic Container Registry, Google Container Registry, and Jfrog Artifactory. With this expansion, Snyk aims to empower developers to implement container security seamlessly, providing test, monitor, and fix capabilities for vulnerable images, as well as actionable remediation advice when vulnerabilities are found.
Apr 30, 2019
465 words in the original blog post.
Docker Hub has suffered a significant security breach affecting approximately 190,000 users, exposing sensitive information such as usernames and hashed passwords. The breach may have compromised Docker images used by developers, potentially allowing unauthorized access to repositories and publishing changes to the images. To protect themselves, users are advised to reset their account passwords and tokens, revoke existing tokens, and consider using a security solution like Snyk to scan for vulnerabilities in their Docker images. Developers should also take proactive steps to secure their container images and Kubernetes workloads by integrating security solutions into their development process.
Apr 29, 2019
717 words in the original blog post.
The npm registry, one of the largest open-source package repositories, has over 960,000 packages with more than 250,000 added in 2018 alone. However, few developers know how many packages are connected to each other or what percentage have no dependencies or dependents. Research by K. Vaidya et al. found that only 28% of npm packages have no dependencies or dependents, contradicting the perception of a convoluted web of package connections. The study also found that the average depth of a package dependency chain on npm is around 4.39 packages deep, and that 61% of packages on npm did not publish a release in the last 12 months, indicating potential "abandoned" packages. Despite these findings, cumulative download counts approach billions for many abandoned packages. The study concludes by recommending improvements to package repositories and package managers to address security concerns, such as alerting users about typosquatting attacks.
Apr 22, 2019
944 words in the original blog post.
The majority of developers believe that they should own the security responsibility for their applications, and a significant portion also believe that this responsibility falls on the developers. However, only 19% of developers test their Docker images during development for vulnerabilities in the Operating System layer, leaving over 80% without proper testing. This lack of testing can lead to costly discoveries of vulnerabilities later on, as it often takes an average of 2.5 years to discover and report a vulnerability. To mitigate this risk, organizations should consider partnering with trusted vendors to manage some of the security risks associated with their base images, and developers should use scanning tools to catch vulnerable images throughout the development cycle.
Apr 17, 2019
654 words in the original blog post.
Take actions to improve security in your Docker images, the top two most popular Docker base images each have over 500 vulnerabilities. Choosing the right base image is crucial as it can make a significant difference in reducing the attack surface of an image. Using tools like Buildah and Alpine Linux can help trim down the number of vulnerabilities by creating minimal production images with only the packages required to run your application. Multi-stage builds are also recommended, which allow you to selectively copy artifacts from one image to another, reducing complexity and the risk of implementing vulnerable artifacts. Rebuilding images regularly is essential, especially after a vulnerability has been patched, and using automated scanning tools like Snyk can help identify vulnerabilities before they reach production. Scanning Docker images during development and production is also crucial to catch vulnerabilities early on and prevent them from reaching production environments.
Apr 17, 2019
1,686 words in the original blog post.
Docker security has become a significant concern as the platform's widespread adoption has led to a proliferation of vulnerabilities across its top images. The majority of the most popular Docker base images contain over 500 vulnerabilities, with some having as many as 160 known vulnerabilities. Despite this, there is a lack of clear ownership for Docker security, with developers and operations teams often sharing responsibility. To improve security, it's recommended to choose the right Docker base image, use multi-stage builds, re-build Docker images regularly, scan them frequently, and leverage proactive remediation tools such as Snyk. By taking these steps, developers can reduce the risk of security vulnerabilities in their containers and protect their applications from potential threats.
Apr 17, 2019
924 words in the original blog post.
Snyk has enhanced its publicly available vulnerability database with additional features, including a version table that lists vulnerabilities for each package, helpful tags to identify latest versions, deprecated versions, and prerelease versions, license information, and deprecation warnings. The updated database also provides detailed CVSS score breakdowns for vulnerabilities across all supported package managers.
Apr 08, 2019
511 words in the original blog post.
Snyk is partnering with Atlassian to provide native testing and fixing of open source dependencies for Bitbucket Cloud, allowing developers to take ownership of securing their projects. Snyk detects vulnerabilities in repositories by scanning existing code, displays enriched content about the vulnerability, and accelerates triaging. The platform also ensures pull requests do not introduce new vulnerabilities, provides triaging analysis and automated fixes, and monitors repositories daily for newly disclosed vulnerabilities. With this integration, developers can secure their entire workflow end-to-end, integrating with Bitbucket Server and Cloud, gating vulnerabilities during build, fixing application and Docker image vulnerabilities, and monitoring after deployment. The solution is now available to start using, with resources available on the Snyk website and at the upcoming Atlassian summit.
Apr 04, 2019
460 words in the original blog post.
The popular Ruby gem `bootstrap-sass` has a malicious remote code execution backdoor that was discovered and removed from the official RubyGems repository. The vulnerability allows attackers to execute dynamic code on servers hosting vulnerable versions of the gem, which has been downloaded over 28 million times. A malicious version of the gem, version 3.2.0.3, was published to the repository with a hidden backdoor that taps into another Ruby module and modifies it to allow remote code execution. The maintainers of the `bootstrap-sass` project have released a new version, 3.2.0.4, which fixes the vulnerability without requiring major version upgrades. Users are advised to replace the vulnerable version with the safe one immediately and connect their repositories with Snyk to monitor for malicious activity in the future.
Apr 04, 2019
1,109 words in the original blog post.