Gitpod remote code execution 0-day vulnerability via WebSockets
Snyk Blog » Application Security
by Elliot Ward
1y ago
TLDR This article walks us through a current Snyk Security Labs research project focusing on cloud based development environments (CDEs) — which resulted in a full workspace takeover on the Gitpod platform and extended to the user’s SCM account. The issues here have been responsibly disclosed to Gitpod and were resolved within a single working day! Cloud development environments and Gitpod As more and more companies begin to leverage cloud-based development environments for benefits such as improved performance, developer experience, consistent development environments, and low setup times, we ..read more
Three expert tips for cultivating secure software development practices
Snyk Blog » Application Security
by Simon Maple
1y ago
We often hear about the importance of DevSecOps — integrating security into DevOps processes. But as many security professionals know, it’s not nearly as easy as it sounds. Cultivating secure software development practices requires working alongside developers with varying opinions, priorities, and idiosyncrasies. And any process involving humans is complicated.  So, how do today’s security teams overcome these challenges and make secure software development practices a reality? Snyk interviewed some of the world’s most innovative security leaders to find out. Let’s dive into their bigges ..read more
Node.js multithreading with worker threads: pros and cons
Snyk Blog » Application Security
by James Walker
1y ago
Node.js presents a single-threaded event loop to your application, which allows CPU-bound operations to block the main thread and create delays. The worker_threads module addresses this problem by providing a mechanism for running code in parallel using a form of threading. In a previous post, you learned what worker threads are, their common use cases, and how to add them to your project. In this article, we’ll look at the pitfalls of worker threads and how they differ from the multithreading implementations in other programming languages. We’ll also tour five prominent libraries that make th ..read more
Finding YAML Injection with Snyk Code
Snyk Blog » Application Security
by Calum Hutton
1y ago
Overview I conducted some research to try and identify YAML Injection issues in open-source projects using Snyk Code. Though the vulnerability itself is not a new one, the potential impact of YAML Injection is high, which made it a good candidate for research. This research led to the discovery of several issues in open-source projects written in Python, PHP and Ruby. This article focuses on the issue found in geokit-rails version 2.3.2, a plugin for Ruby on Rails YAML YAML is more than a mere data interchange format such as JSON, the specification describes a number of advanced features that ..read more
The security concerns of a JavaScript sandbox with the Node.js VM module
Snyk Blog » Application Security
by Liran Tal
1y ago
Were you tasked with building a product that requires the execution of dynamic JavaScript originating from end users? You might think building it on-top of Node.js VM module is a viable way to create a JavaScript sandbox. In this article, we’ll learn why that’s far from being a recommended approach and the security implications of doing so. Every now and then there’s a project that challenges the rudimentary and routine backend development. APIs? Message queues? Heavy processing and computational requirements? Nah. Here’s a backlog story for you to consider: As a user, I want to write and exe ..read more
Snyk sponsors Dynatrace Perform 2023 with a preview of new integration
Snyk Blog » Application Security
by Sarah Conway
1y ago
In early 2021, Snyk and Dynatrace announced that the Snyk Intel database would be integrated into the Dynatrace Application Security Module to identify vulnerabilities in real-time in production and pre-production environments to facilitate faster and easier remediation by developers. And now, we’re excited to announce our collaboration to enhance observability context even further with security posture information. Dynatrace is helping many global enterprises on their migration to the cloud, and increasing visibility is vital to improving security posture. Why Snyk is sponsoring Perform 2023 ..read more
Announcing The Big Fix: Secure all software
Snyk Blog » Application Security
by Liran Tal
1y ago
Love your software? This Valentine’s Day, show your software some love by fixing any lingering security vulnerabilities in both your open (and closed-source) code as part of The Big Fix!  The Big Fix is a month-long fix-a-thon that brings developers and security professionals together to fix vulnerabilities and help make the software ecosystem safer for everyone! The Big Fix helps any developer (with any level of security experience) find and fix vulnerabilities in their software. This year’s event has been revamped and is better than ever, with: An anonymized leaderboard where you can s ..read more
CSPRNG: Random algorithms need security too!
Snyk Blog » Application Security
by Michael Biocchi
1y ago
If I throw a coin high up in the air, I know the outcome — it will either be heads or tails. However, I can’t predict which it will be. I will certainly be able to guess with a 50% chance, but I can’t be 100% certain. If I were to roll a die, my certainty becomes less (1 in 6). However, I still know what the output could be. Computers are great at many things, especially predictability. They are deterministic and creating a truly random number is impossible. However, we can use functions to create approximate randomness. These functions are called pseudo-random number generators.  Let’s t ..read more
Evolving the Snyk CLI through an extensible approach
Snyk Blog » Application Security
by Steve Winton
1y ago
Every day, thousands of developers use the Snyk CLI as part of their development workflow, to identify and resolve security issues in their code as early as possible. What if these developers and other security professionals could harness the power of this dev-first approach and also utilize entirely new security analyses, filters, and workflows via an extensible approach? Imagine being able to programmatically filter, ignore, and escalate results according to custom business logic, or introducing custom security analysis into an extensible snyk test command and having the results of that anal ..read more
4 application security bad habits to ditch in 2023 (and best practices to adopt instead)
Snyk Blog » Application Security
by Belyn Lai
1y ago
Regardless of how last year went, a few things probably come to mind that you’d like to leave in 2022. Maybe it’s a bad habit you’d like to drop or a mindset you’d like to change. But speaking of ditching bad habits, some poor cloud application security practices shouldn’t carry over to 2023 either!  The app development world is constantly changing. From to increased conversation around software supply chain security, 2023 already promises to be full of change for development and security teams alike. But these fast-paced changes mean that some of the most tried-and-true security practice ..read more