Home / Companies / Snyk / Blog / August 2021

August 2021 Summaries

15 posts from Snyk

Filter
Month: Year:
Post Summaries Back to Blog
The use of open source packages in software development can be a significant vulnerability for supply chain attacks, which aim to inject malicious code into a software product to compromise dependent systems further down the chain. This is often achieved by uploading malicious packages to package registries with no security oversight, and then having them downloaded into codebases with minimal scrutiny. To mitigate this risk, Snyk provides an application security solution that includes tools for identifying malicious packages early on in the development process, as well as across various stages of the Software Development Life Cycle (SDLC). Snyk Advisor, a free online research tool, can help developers decide which package to use by analyzing factors such as maintenance cadence, popularity, and security status. Additionally, Snyk's security testing is applied across various stages of the SDLC to ensure that malicious packages are identified as quickly as possible.
Aug 31, 2021 1,421 words in the original blog post.
Conducting an application security assessment is crucial to identify potential threats and determine measures to protect against them, enabling organizations to evaluate their current security posture and take proactive steps to defend against future exploits. A thorough assessment can help identify sensitive data worth protecting, map out the application's attack surface, evaluate application security process pain points, and build a roadmap for eliminating weak points in AppSec processes. Leveraging automated scanning tools, SAST, and DAST testing, organizations can ensure the security of their applications by design and conduct regular assessments to keep security measures up-to-date.
Aug 31, 2021 1,029 words in the original blog post.
In a roundtable discussion between Guy Podjarny, President & Co-Founder of Snyk, and Yashvier Kosaraju, Senior Manager of Product Security at Twilio, the topic of security ownership in organizations adopting DevSecOps practices was discussed. Key points included: 1) The importance of defining clear roles and responsibilities for both development and security teams; 2) Making security tooling accessible and user-friendly for developers; 3) Implementing an early win strategy, such as open source security and Software Composition Analysis (SCA); 4) Establishing a code ownership model to streamline vulnerability management; and 5) Measuring the effectiveness of security tools by tracking metrics like time taken to fix critical vulnerabilities. The discussion emphasized the need for continuous improvement in security practices, with companies regularly aligning their products to meet evolving industry needs.
Aug 30, 2021 885 words in the original blog post.
The IntelliJ IDEA is a widely used IDE in the Java ecosystem, but many developers use multiple IDEs and may want to enhance their experience with plugins. The article suggests eight production-grade plugins that can improve coding experience, including Maven Helper for navigating dependencies, Rainbow Brackets for colorful bracket highlighting, Presentation Assistant for live coding presentations, RoboPOJOGenerator for transforming JSON output into Java objects, Snyk Vulnerability Scanner for secure dependency management, AsciiDoc for creating and editing documentation, Randomness for generating random data, and SonarLint for code quality assurance. These plugins can be freely downloaded on the marketplace and work seamlessly with IntelliJ IDEA.
Aug 26, 2021 1,356 words in the original blog post.
The Hypergrowth Playbook outlines best practices for scaling talent at a rapid pace, helping startups navigate the challenges of hypergrowth. To achieve this, founders should design for scale from the outset, investing in branding, marketing, and interview processes that support growth strategy. They should also build depth and expertise across their talent by hiring leaders with experience to guide the organization and promoting internal mobility. Maintaining a strong culture is crucial, defined early on and embedded in values that guide hiring decisions and organizational structure. A learning organization is essential for agility and continuous evolution, with robust induction programs, career frameworks, and peer-to-peer learning mechanisms. Effective communication, HR processes, and data-driven decision-making are also critical components of a successful hypergrowth strategy. By following these best practices, founders can navigate the challenges of scaling talent and achieve long-term success.
Aug 25, 2021 1,052 words in the original blog post.
SnykCon 2021 is a developer conference that focuses on building applications securely, with sessions covering topics such as security best practices, governing and empowering teams, and using tools to find and fix security issues. The event features talks from well-known speakers in the developer and security worlds, including Twitter's Rinki Sethi and security analyst Keren Elazari, as well as Snyk's own product leaders. In addition to main stage talks, there will be code & build sessions, governance and empowerment talks, and workshops on topics such as static analysis, OWASP Top 10 vulnerabilities, and getting started with Snyk. The event is free and virtual, taking place from October 5-7, 2021.
Aug 24, 2021 1,382 words in the original blog post.
Speed is critical for Static Application Security Testing (SAST) tools as it enables real-time feedback, improves development velocity, and enhances developer adoption. A fast SAST tool can provide developers with instantaneous feedback while coding, reducing friction and encouraging more frequent scanning of code. This allows developers to remediate issues on the spot, shortening the development lifecycle and improving overall development velocity. In contrast, slow SAST tools may cause developers to push code less frequently or scan their code less often, leading to a slower development process and potentially compromising security. By balancing speed with accuracy and breadth, an effective SAST tool can integrate security directly into existing workflows, ensuring developer adoption and improving the security posture of an application.
Aug 20, 2021 698 words in the original blog post.
Snyk has added Social Trends to its vulnerability data, which shows trending vulnerabilities so developers can prioritize remediation based on what's currently popular in the social media world. The company's research found a strong correlation between socially trending vulnerabilities and exploits that can harm applications. This new feature helps developers focus on essential security vulnerabilities by highlighting those with high attention on Twitter and other social media platforms, making it easier to identify potential security risks before they become major issues. By analyzing social media trends, Snyk aims to provide an additional layer of protection for developers, helping them avoid common security mistakes and stay ahead of emerging threats.
Aug 18, 2021 909 words in the original blog post.
Jib is an open-source, 100% Java-based tool that builds OCI (Docker v2) compliant container images without a Dockerfile or even a container runtime present. It can be used as a standalone CLI tool but is most commonly used as a Maven or Gradle build step plugin. Jib simplifies developers' lives by automating the process of building and deploying container images, eliminating the need to learn Dockerfile syntax or install unfamiliar tools. It also helps architects manage standardization through the well-known Maven or Gradle project hierarchy facilities. Jib builds OCI compliant images, allowing users to leverage industry-standard tools like Snyk container scanner to inspect, deploy, and run their application. Additionally, Jib provides a repeatable build strategy that aims to create the exact same layer hashes for builds against the same codebase.
Aug 17, 2021 3,081 words in the original blog post.
Snyk, a company focused on application security, has introduced the Snyk Ambassador program aimed at promoting awareness and best practices for secure software development through recognition and support from passionate developers in the community who share their values. The program seeks to champion application security by engaging with like-minded individuals, creating meaningful connections within communities, and educating peers about application security risks and solutions. As an ambassador, one will be supported by Snyk's Developer Relations team, and have access to resources such as editorial review, technical content review, visual designs, and promotion of their content via Snyk's social media channels to help advance their community activities and personal career development in AppSec.
Aug 16, 2021 540 words in the original blog post.
Snyk has been named #39 on the prestigious Forbes Cloud 100 List for the second consecutive year, marking a significant increase of 47 spots from last year's ranking. The company attributes its success to its growth in size and expansion into new regions, strategic acquisitions, and debut in the Gartner Magic Quadrant for Application Security Testing. Snyk believes that the future of security lies in a developer-first approach with collaboration between security and development teams as its foundation. With no intention of slowing down, the company is hiring across various positions and invites attendees to SnykCon 2021, a free event bringing together thousands of developers and security practitioners from around the world to share best practices and learn about secure software development.
Aug 11, 2021 375 words in the original blog post.
Snyk has introduced new features to its security policies, including a new Ignore action and two new conditions (CVE and Snyk ID), allowing developers to prioritize fixes more efficiently by ignoring non-critical vulnerabilities and applying granular rules to projects. The enhanced rules engine provides additional governance flexibility and granularity, enabling organizations to drive effective prioritization strategies across their teams. Policies can be applied at different stages of the SDLC, ensuring vulnerable or non-compliant components are not overlooked. With the new features, developers can clear up their vulnerability backlog by ignoring specific vulnerabilities based on conditions such as CVE and Snyk ID. The system also allows for granular policy management, enabling organizations to apply policies to specific projects or groups based on project tags and attributes, and providing flexibility in applying rules within the organization. Policies are applied across the SDLC, starting from development environments, through Git-based workflows, CI/CD, and into production, ensuring issues are flagged early, when it is less costly and time-consuming to fix. The new features strike a balance between security and speed, enabling organizations to maximize productivity while staying secure.
Aug 11, 2021 1,080 words in the original blog post.
Snyk is a platform designed to help Python developers secure their applications by integrating seamlessly into existing development workflows. The Snyk platform comprises four products: Snyk Code, Snyk Open Source, Snyk Container, and Snyk Infrastructure as Code, each addressing different aspects of application security. Snyk provides tools such as Advisor, a research tool for open source packages and images, the Snyk CLI, a free, powerful tool for executing security scanning in local development environments or as part of CI/CD pipelines, and IDE plugins to secure code within popular integrated development environments like PyCharm. The platform offers integrations with Source Code Management systems like GitHub, enabling automated security testing and remediation, making it easier for developers to catch issues early on and fix them before shipping their code. By integrating Snyk into existing workflows, developers can move fast while staying secure.
Aug 04, 2021 2,033 words in the original blog post.
Brian Vermeer, a developer advocate at Snyk, has been named to Business Insider's Top 21 Developers Shaping Tech and Forging New Paths. He is recognized for his nearly two decades of experience creating and maintaining web applications, particularly in the Java community. As a co-leader of the global DevSecCon community and community manager for Foojay, Brian shares his expertise through regular speaking engagements at various conferences, including Java-related events. With his vast knowledge and experience, he advises developers to "keep learning" and not be afraid to ask for advice. He emphasizes the importance of helping others and being willing to receive help in return.
Aug 03, 2021 353 words in the original blog post.
In assessing a SAST testing tool, it's essential to consider three parameters: accuracy, completeness, and unique additional values. Accuracy refers to the number of true positives (actual issues) while maintaining false positives (irrelevant findings). Completeness measures the real issues found versus all possible issues, with higher rates indicating better visibility and protection. The qualitative aspect looks at language and vulnerability support, including how a tool approaches depth and accuracy, and its development velocity and maintenance. To measure these parameters, one needs to triage results, calculate accuracy and completeness using formulas, and consider the importance of context and personal expertise in interpreting SAST results.
Aug 03, 2021 1,571 words in the original blog post.