May 2019 Summaries
14 posts from Snyk
Filter
Month:
Year:
Post Summaries
Back to Blog
10 Serverless security best practices` are outlined in a cheat sheet series, covering various aspects of securing serverless deployments. The key points include patching function dependencies, adopting the principle of least privilege, maintaining isolated function perimeters, sanitizing event input to avoid injection attacks, employing API gateways as a security buffer, monitoring and logging functions, following secure coding conventions for application code, securing and verifying data in transit, managing secrets in secure storage, and deploying functions in minimal granularity. These best practices aim to reduce the attack surface of serverless applications and prevent common security vulnerabilities.
May 31, 2019
3,289 words in the original blog post.
Snyk was recognized as a 'Next European Unicorn' at the 2019 Vivatech Awards for its innovative approach to securing software development life cycles, rapid growth, and commitment to supporting the open source community in the B2B for Enterprise category. The company's focus on open source and software security is poised to disrupt the industry by tackling a growing problem in the Digital Age. Snyk's developer-focused approach offers powerful solutions, as evidenced by its great traction, and this award emphasizes its focus on being a key security partner to large organizations who depend on open source.
May 22, 2019
422 words in the original blog post.
Snyk is a platform that aims to help developers use open source securely, and has introduced a new initiative called Dependency Health to assess package risk with its Snyk tool. The new feature provides information on the maturity, activity, and outdatedness of packages, helping developers identify potential risks associated with their dependencies. This includes indicators for deprecated packages, as well as data on the latest version available and the delta between installed versions and the most recent ones. The goal is to provide a broader context for evaluating package quality, rather than relying solely on one metric, and plans to expand this feature with additional data points and categories in the coming months.
May 16, 2019
832 words in the original blog post.
CVSS (Common Vulnerability Scoring System) is a standard measurement system used to assess and prioritize the severity of security vulnerabilities in software components. It provides a framework for evaluating the impact and risk of vulnerabilities, allowing organizations to understand and manage their vulnerability management more effectively. The CVSS scoring system takes into account various factors such as exploitability, impact, and temporal context to provide a comprehensive score range of 0-10 that maps to severity levels. However, challenges with CVSS include missing applicability context, incorrect scoring, and the lack of consideration for material consequences or specific implications in certain industries. To address these challenges, Snyk uses CVSS v3.1 as part of its security research efforts, providing a more accurate and consistent vulnerability impact score to balance out inaccuracies made by other authorities that issue CVEs. The CVSS scoring system is comprised of three groups: base metrics (exploitability and impact), temporal metrics (context related to timing and exploitation), and environmental metrics (customizing the score to the user's or organization's specific environment). Understanding how these groups work together provides a more accurate assessment of security vulnerabilities, enabling organizations to prioritize remediation activities and calculate severity scores.
May 16, 2019
2,268 words in the original blog post.
Amazon S3 is an object storage service offered by AWS that requires proper configuration and security measures to prevent data breaches and compliance incidents. Misconfigured access policies, encryption settings, and lack of auditing can lead to sensitive data exposure. Compliance frameworks such as HIPAA, PCI, SOC 2, GDPR, and NIST 800-53 govern S3 usage and require regular audits to ensure configuration complies with policy. Conducting an audit of S3 resources, tracking changes using CloudTrail, and implementing encryption are essential measures to protect sensitive data. Regularly certifying that S3 configurations comply with policy, identifying and remediating misconfiguration events, and reporting on security incidents are also crucial tasks. Automating these processes can help prevent future breaches and ensure compliance. Tools like Fugue provide self-healing cloud infrastructure and automated remediation capabilities to support these efforts.
May 10, 2019
1,606 words in the original blog post.
Provide granular permissions and groups for users in Azure Repos` highlights the importance of following the rule of least privilege by ensuring contributors exist in the correct groups and have necessary permissions to work, while restricting administrative actions whenever possible. The goal is to restrict access to sensitive areas of the repository. Monitoring changes in contributor requirements as they leave or step back from a project is also crucial. By implementing these best practices, users can ensure secure decisions are made for their Azure Repos projects.
May 06, 2019
131 words in the original blog post.
The Axios JavaScript package, a popular HTTP client used for browser and Node.js server projects, has been found to have a Denial of Service (DoS) vulnerability affecting all versions up to 0.19.0, which can cause increased I/O and CPU usage, potentially leading to disastrous effects on single-threaded servers or end-users in browser environments. A fix was released in version 0.19.0 and is available for users who apply the security patch for versions >= 0.17.0 of axios. The vulnerability was discovered as early as 2017 by developer Jeremy Apthorp, but no official fix was published until recently. Snyk identified the vulnerability in over 215,000 projects scanned and alerted relevant users to take action, emphasizing the importance of addressing this issue due to its potential impact on application runtime code flow and security issues. Open source project health is also highlighted, with the axios project receiving contributions from many developers but still facing challenges in maintaining stable releases and bug fixes.
May 06, 2019
749 words in the original blog post.
The text discusses eight Azure Repos security best practices that can be applied by users or contributors to enhance their security. These practices are not only specific to Azure Repos but also useful for other Git and non-Git repositories. The author encourages readers to download the cheat sheet and pin it up as a reference for making secure decisions in the future.
May 06, 2019
92 words in the original blog post.
Adding a SECURITY.md file to your Azure Repos is an important step in maintaining transparency and security for open source projects. By including a SECURITY.md file, project owners and maintainers can provide users with critical information about the project's security practices, disclosure policy, update policy, and related configuration. This helps ensure that users are informed and empowered to secure their environments, while also encouraging responsible disclosure of vulnerabilities and security updates. By doing so, projects can foster a culture of security awareness and collaboration between maintainers and users.
May 06, 2019
718 words in the original blog post.
Removing sensitive data from files and Azure Repos history is crucial for maintaining security, as once secret information becomes public, it can fall into the wrong hands. To recover from a breach, invalidate tokens and passwords that were previously made public, and remove sensitive data from repositories to prevent further exposure. Additionally, consider the repository's full history of commits, which may still contain sensitive data, and take steps to mitigate this risk. Following security best practices is essential for protecting against potential threats and ensuring secure decision-making.
May 06, 2019
199 words in the original blog post.
Tightly control access to your Azure Repos to prevent unauthorized access and maintain the security of your application's source code. This includes mandating that users never share accounts or passwords, securing laptops and devices with access to source code, managing team access to data, revoking access from former employees, and ensuring proper revocation of Azure Repos accounts when users leave the company. By following these best practices, developers can ensure their application's security is robust and up-to-date.
May 06, 2019
328 words in the original blog post.
Never store credentials as code/config in Azure Repos`
There are great tools available to statically analyze commits for sensitive information, such as git-secrets and CredScan, which can reject pushes with passwords or sensitive data and detect credentials introduced into pull requests. Having team-wide rules to prevent storing credentials as code is also effective, while using secure variable storage like Azure KeyVault and regularly auditing repositories with tools like GitRob or truffleHog can help avoid accidentally introducing sensitive information.
May 06, 2019
315 words in the original blog post.
The top ten libraries with high severity vulnerabilities include system.net.http, which has a large number of lifetime downloads but is vulnerable to multiple high-severity vulnerabilities, and Microsoft.AspNetCore.Server.Kestrel.Core, which has four known vulnerabilities including two denial-of-service vulnerabilities. The most recent version of system.net.http has no known vulnerabilities, while the library system.io.pipelines only has one known vulnerability, a denial-of-service vulnerability that can crash a website. These libraries are widely used in .NET projects and can have significant security implications if not properly updated or maintained. Snyk recommends updating to the latest versions of these libraries to mitigate potential security risks.
May 03, 2019
1,550 words in the original blog post.
Snyk has integrated its DevSecOps capabilities with Azure Repos, allowing developers to detect and fix open source vulnerabilities within their projects in a single platform. The integration enables native detection of vulnerabilities, monitoring, and automation of fixes, providing a comprehensive security solution throughout the software development lifecycle. With this integration, Snyk's application and container security suite for Microsoft Azure offers seamless integrations with Azure Pipelines, Azure Container Registry, and Azure Functions, from code release to runtime, ensuring developers can stay secure.
May 01, 2019
440 words in the original blog post.