Home / Companies / Snyk / Blog / August 2019

August 2019 Summaries

8 posts from Snyk

Filter
Month: Year:
Post Summaries Back to Blog
The discussion around open source security highlights the significant risk associated with using open source libraries, which can be underestimated by many in the market today. The vast majority of code deployed is not original code but rather open source components, making it a high-risk target for attackers. The industry currently approaches this problem in three ways: some teams take security into consideration when selecting libraries, others invest in finding and fixing vulnerabilities on an ongoing basis, while others don't address the issue at all. DevSecOps is about working together across disciplines to achieve a common goal of functional and secure products, where security professionals set policies, educate developers, and empower them to make security calls. The ultimate goal is to fix vulnerabilities, not just find them, and to maintain momentum by addressing delta changes and preventing new issues from arising. Teams should prioritize stopping the bleeding by addressing current problems first, then prevent and respond to ongoing concerns, and finally find and fix new issues.
Aug 30, 2019 1,493 words in the original blog post.
The jackson-databind library, used for serializing and deserializing Java objects into JSON, has been affected by a high-severity Deserialization of Untrusted Data vulnerability (CVE-2019-14379,CVE-2019-14439) that can lead to remote code execution if not properly secured. The maintainers have released version 2.9.9.3, which fixes the issue. Spring Boot users with versions up to 2.1.7 are vulnerable due to their dependency on the older jackson-databind package. Users can avoid this vulnerability by updating to a newer version of Spring Boot or excluding the vulnerable jackson-databind package from their dependencies. Regular scanning for known vulnerabilities in indirect dependencies is also recommended to ensure the security of applications.
Aug 21, 2019 586 words in the original blog post.
A year-old dormant malicious remote code execution vulnerability was discovered in Webmin, a web-based interface for system administration for Unix, and has been present since at least July 2018 in versions 1.890 through 1.920. The vulnerability was introduced by a malicious third party who injected malicious code into the Sourceforge distribution point associated with the project. It was not responsibly disclosed to the maintainers, putting them under pressure to fix the problem quickly. Webmin users are strongly recommended to upgrade to version 1.930 as soon as possible, and those unable to upgrade can take steps to mitigate the vulnerability by editing a configuration file and running a restart command. The discovery of this vulnerability highlights the importance of keeping software up-to-date and being aware of potential security risks in open source dependencies.
Aug 20, 2019 510 words in the original blog post.
Snyk has released an Artifactory plugin that allows organizations to define their desired security level and enforce it across the organization, preventing vulnerable artifacts from being used. The plugin serves as a security gate on the Artifactory server, scanning artifacts for vulnerabilities and license issues before allowing downloads. Admins can control which artifacts are blocked or allowed based on predefined policies, and Snyk's comprehensive database powers the plugin with accurate vulnerability information. The plugin provides actionable insights and one-click solutions for alerting developers to potential security risks, making it easy to integrate into development workflows.
Aug 19, 2019 591 words in the original blog post.
This plugin helps developers analyze their code for quality and security issues, providing instant feedback and suggestions to fix problems during development. The Snyk Vuln Scanner is a must-have for any developer working with Eclipse, as it scans dependencies for known vulnerabilities and provides information on how to fix them. The EGit plugin brings Git functionality to Eclipse in a clear and easy-to-use way, allowing developers to perform various Git actions quickly and efficiently. Spring Tools 4 for Spring Boot is an essential integration kit that supports Spring Boot development in Eclipse, providing features like code completion, runtime information, and smart code suggestions. The Enhanced Class Decompiler plugin allows Java developers to decompile class files without the source code present, while the JSON Editor Plugin and YAML Editor Plugin provide developer-friendly tools for working with JSON and YAML files. The Asciidoctor Editor Plugin helps create AsciiDoc files with a live preview and syntax highlighting, making it ideal for documentation and website development. Finally, DevStyle is a free plugin that provides an enhanced set of experiences for Eclipse, offering adjustable themes, custom icons, and color schemes to make the IDE more visually appealing and user-friendly.
Aug 15, 2019 1,295 words in the original blog post.
The Cloud Native Computing Foundation (CNCF) has open-sourced the findings of its recent Kubernetes Security Audit, which aimed to identify potential security issues in the project. The audit was conducted using a breadth-first approach, considering multiple control families for potential problems, and found five "high severity" issues, including access control bypasses, certificate revocation, and improper patching. The report provides recommendations for improving security, such as cleaning up code bases, adding testing and documentation, and making defaults more secure. By open-sourcing the findings, the CNCF has set a good example for other projects, prioritizing security and sustainability, and benefits both maintainers and communities by providing a proactive security stance, allowing for thoughtful prioritization of fixes, and enabling community members to review the findings and make informed choices. The audit also highlights the importance of developer-first container security, with Snyk providing automated vulnerability detection and fixing capabilities.
Aug 08, 2019 894 words in the original blog post.
Snyk has introduced a new feature that allows developers to test and monitor their Go projects for open source vulnerabilities, providing precise and accurate package-level alerts. This addition expands Snyk's ecosystem to support Go modules, which are gaining popularity, and offers a more secure way to verify development progress without slowing it down. Snyk uniquely calculates a dependency tree of the project at the granular package level, detecting only specific packages that are found to be vulnerable and issuing fewer false positives. The feature is easily accessible through the Snyk CLI, allowing developers to get started quickly and stay secure.
Aug 07, 2019 416 words in the original blog post.
There are some basic conditions that can help accelerate a Snyk rollout, such as developers already involved in security, management pushing the effort, or compliance issues. However, these conditions don't apply to every company, so customers with successful Snyk implementations were consulted to provide advice on best practices for rolling out Snyk throughout an organization. The model comprises steps including finding the right team to start implementation with, training users, setting clear KPIs, establishing official processes, integrating Snyk at a critical point in the software development lifecycle, and providing feedback. Successful customers reported starting small, providing internal training resources, such as video-call training sessions and demo videos, setting clear KPIs, establishing a standard policy, and integrating Snyk at a critical SDLC point. Giving feedback is also an important part of the process to ensure teams are engaged and making progress towards security goals.
Aug 06, 2019 1,203 words in the original blog post.