November 2019 Summaries
11 posts from Snyk
Filter
Month:
Year:
Post Summaries
Back to Blog
Snyk has unified open source and container security for Coveo, a company using artificial intelligence technology to personalize millions of digital experiences. Coveo started using Snyk for license management last year and extended its use to container security and vulnerability reporting. The company uses Snyk to solve license violations and security vulnerabilities early in development, making it an excellent fit for its 100 full-time developers who run most of their code in Docker containers. Snyk automatically fixes vulnerabilities in container images and Kubernetes workloads, recommending that security teams embrace security from the start and use Snyk as soon as possible.
Nov 23, 2019
232 words in the original blog post.
Exploits in the wild pose a significant risk to systems, with only a small percentage of known vulnerabilities being exploited. Evaluating the maturity of exploit code can help prioritize and quickly handle vulnerabilities accordingly. Factors such as practicality and required expertise level influence the risk posed by published exploits. Prioritizing according to exploit maturity can effectively pinpoint the riskiest vulnerabilities, narrowing them down to about 10% of the total. This approach is essential for effective vulnerability remediation and protection against real-life attacks like the Apache Struts breach that exposed sensitive data of millions of customers. By evaluating exploit code maturity, developers can make informed decisions on which vulnerabilities to address first and reduce the risk of exploitation.
Nov 21, 2019
1,409 words in the original blog post.
The Microsoft Open Source Programs Office, led by Director Jeff McAffer, aims to streamline security processes through a mantra of "eliminate, automate, delegate." This approach has resulted in 99% of open source usages being automatically detected and reviewed with no human intervention. However, despite automation, humans are still involved, and it's essential to have a security plan in place to address potential vulnerabilities. Microsoft's two-level approach to security includes active development and incident response teams, which cover most use cases. The company also debuts ClearlyDefined.io to crowdsource license data and improve open source stewardship, emphasizing the importance of treating open-source components like one's own code and engaging with project teams to ensure security and integrity.
Nov 20, 2019
841 words in the original blog post.
We've identified vulnerabilities in 68% of stable Helm Charts, with some charts containing high-severity vulnerabilities. The public Helm Charts repository contains thousands of images, many of which may contain security issues. To address this, we've created a Snyk Helm plugin that makes it easy to check your own Helm Charts for vulnerabilities, and provides tools to help developers secure open source dependencies and container images. The plugin allows users to test their charts with a simple command, providing instant feedback on potential security risks.
Nov 18, 2019
834 words in the original blog post.
Snyk is releasing a new feature to help developers find and fix issues with their Kubernetes configuration as part of their development process, addressing the growing concern that configuration can introduce security issues or make vulnerabilities easier to exploit, by automatically surfacing configuration issues in Snyk and providing context and safe resolutions for fixing them. The feature will integrate directly into source control systems like GitHub or GitLab, issuing pull requests to fix issues as simple as merging a pull request, aiming to help developers find and fix configuration issues before deploying changes, making it easier to stay secure in modern developer workflows.
Nov 18, 2019
565 words in the original blog post.
Kubernetes-native applications require careful planning for CI/CD pipelines to ensure confidence in shipping products with minimal onboarding complications. The team developed a pipeline using Kind for integration testing, semantic versioning for tagging products, and GitHub Pages for publishing Helm charts. They balanced automation with manual steps to achieve a developer-first approach, leveraging Travis CI (with migration to CircleCI) for orchestration. The pipeline consists of four stages: testing in a clean environment, ensuring non-conflicting merged branches, building the product, and publishing it to the public Helm chart repository. While improvements can be made, such as extending testing infrastructure or skipping manual steps before release, the team has built an excellent CI/CD pipeline that increases confidence in what is shipped.
Nov 14, 2019
1,337 words in the original blog post.
At Snyk, they aim to build security tools that help developers adopt better security practices early and efficiently. Recently, they released a set of GitHub Actions to help users test their projects for vulnerabilities. These actions can be used with various programming languages, including Node.js, and provide ongoing monitoring capabilities. The goal is to enable continuous monitoring and vulnerability testing directly within the GitHub repository.
Nov 13, 2019
257 words in the original blog post.
Developers are increasingly adopting containers, with over 75% of global organizations expected to run containerized applications in production by 2022, but this widespread adoption has also led to a surge in container vulnerabilities.
Snyk is launching Snyk Container, a new product that helps developers easily find and fix vulnerabilities in their container applications, integrating directly with developer workflows and existing tools such as source control, CI/CD, container registries, and Kubernetes.
Nov 12, 2019
331 words in the original blog post.
Secure your Kubernetes applications with Snyk Container, a new integration that aims to make it easier for developers to identify and fix vulnerabilities in their cluster, bringing vulnerability information closer to the developer and enabling more efficient security. With this integration, Snyk can analyze individual containers within a workload, providing context and abstraction that aligns with how developers use Kubernetes workloads like Deployments, CronJobs, and ReplicationControllers. The controller sends vulnerability data to Snyk, where it is displayed alongside security configuration information, helping developers understand which workloads require changes to better secure them.
Nov 12, 2019
434 words in the original blog post.
The use of third-party applications in Kubernetes environments raises security concerns, as these apps have access to production data and can introduce vulnerabilities. The way these apps are packaged and installed using tools like Helm or CNAB can impact security. Third-party applications can be classified into standalone apps providing specific values and direct dependencies of first-party applications. To address the issue, automation and pipeline design that validate and test third-party content earlier in the development process are crucial. This requires local tools to sanity-check bundles, CI/CD pipelines for quick setup, streamlined pipelines for external images, and standards for sharing trusted vulnerability data.
Nov 08, 2019
881 words in the original blog post.
Snyk has released a new feature called auto upgrades, which automatically keeps dependencies up-to-date and helps ensure overall project health, even without remediating vulnerabilities. This feature is part of Snyk's security toolset and aims to increase awareness about vulnerabilities while staying on the latest version, often the most secure and quickly fixed when a vulnerability is found. The new feature limits the potential flood of pull requests with a configurable setting and allows users to track dependency health more easily.
Nov 06, 2019
450 words in the original blog post.