Foojay.io · @foojay
680 followers · 487 posts · Server foojay.social

In December of last year, reported on CVE-2022-1471 about 2.0. This unsafe deserialization problem could easily lead to arbitrary code execution under the right circumstances. @brianverm provides solutions on Foojay :foojay: Today:

foojay.io/today/snakeyaml-2-0-

#snyk #snakeyaml #foojaytip

Last updated 1 year ago

Foojay.io · @foojay
617 followers · 412 posts · Server foojay.social

"Snyk Code is a free tool to identify security vulnerabilities early in the dev cycle. Take a proactive approach to prevention and use the right tools to help ensure the security and integrity of web applications," @brianverm .

foojay.io/today/preventing-cro

#xss #java #snyk #foojaytip

Last updated 1 year ago

Adam Gardner · @agardnerit
14 followers · 65 posts · Server techhub.social

Serious Q to the folk here. When you get a “new vulnerability found” alert from but there is “No remediation available yet”. What do you do? What use is that alert?

#security #snyk

Last updated 1 year ago

Robert J. Berger · @rberger
443 followers · 1914 posts · Server hachyderm.io

Anyone know if/when will support ?

#snyk #rustlang

Last updated 1 year ago

Foojay.io · @foojay
564 followers · 290 posts · Server foojay.social

Did you know bots can automatically create pull requests to keep dependencies secure and up to date? @maritvandijk compares and contrasts , , and on Foojay :foojay: Today!

foojay.io/today/using-bots-to-

#renovate #dependabot #snyk #foojaytip #java #kotlin

Last updated 1 year ago

rakkhi · @rakkhi
134 followers · 870 posts · Server infosec.exchange

Very cool. as a vulnerability scanner. Most impressive to me he went through 50 of the 213 vulns it picked up manually and only 1 false positive. More detections than because of languages "know"

github.com/chris-koch-penn/gpt

#chatgpt #snyk

Last updated 1 year ago

Digging the livestream from my colleagues @infosecvandana and @SonyaMoisset on the OWASP Top 10 and Learn youtube.com/watch?v=SvsVoomTN7

#snyk

Last updated 1 year ago

Mark Carter · @markcarter
276 followers · 1037 posts · Server hachyderm.io

🤔 Makes First-Ever Tech Investment - Since 2009, Salesforce Ventures has invested about $5 billion in more than 400 enterprise software companies, including cloud-based companies like , , , , and .

sdxcentral.com/articles/news/s

#salesforce #quantum #dropbox #snyk #twilio #wiz #zoom #venturecapital #startup

Last updated 2 years ago

Foojay.io · @foojay
439 followers · 144 posts · Server foojay.social

is a well-known 1.1 parser and emitter for , by default in the spring-boot-starter. Recently, a vulnerability was reported for this package. This vulnerability can lead to arbitrary code execution. @brianverm from to the rescue on Foojay :foojay: Today!

foojay.io/today/unsafe-deseria

#snakeyaml #yaml #java #snyk #foojaytip

Last updated 2 years ago

Rob de Voer · @robdevoer
25 followers · 228 posts · Server hachyderm.io

I received an email from saying:

When’s the last time you checked on the security of your open source packages?

Following in the footsteps of OWASP, we took a look at thousands of open source scans and compiled the top 10 most prevalent critical and high found in open source packages.

Here’s a preview:
#10 NULL pointer dereference - CVE-2020-29652
#8 Privilege escalation - CVE-2022-23181
#4 SQL Injection - CVE-2022-28347

Get their full report if this interests you.

#snyk #cyber #opensource

Last updated 2 years ago

jessehouwing :verified: · @jessehouwing
80 followers · 97 posts · Server hachyderm.io

@Nick_Craver and should check the binary contents of nugets as well for the actual vulnerability. I once ran some scripts to find how many issues there are based on 's nuget suggestion database. I can tell you, a lot.

Log4net was the most included binary of all.

I suspect the old “you have to add every dependency you depend on to your package.config” is to blame here. No longer needed with modern <packageReference />.

#snyk #github #dependabot #resharper

Last updated 2 years ago

konst · @konst
39 followers · 21 posts · Server mastodon.nz

What are your go-to tools to scan Linux and Windows hosts for CVEs? For the purposes of being alerted about new critical patches, etc. on a fleet of long-running services. And for preventing unpatched AMIs being deployed after a build.

Running on I have used Amazon Inspector in the past, which felt a bit clunky, as well as some corporate tools that shall not be named. is looking promising.

#aws #snyk #devsecops #devops

Last updated 2 years ago

@uberduck @adrienne @MJS @Alarming I've seen a few recently, unfortunately the ones I've written for this purpose I don't have (they were at my last employer).

used to have some great examples of this but looking at their site right now they don't have any openings posted.

#snyk

Last updated 2 years ago

ck · @ck
35 followers · 23 posts · Server noc.social

Wearing my shirt today. Not because I'm a fanboy. Not because I'm a customer. It's just a damn nice and comfy shirt to wear 😂
(I got the shirt from Snyk for publishing a mitigation using in December 2021)

#nginx #Log4Shell #snyk

Last updated 2 years ago

In Zürich for the IT Security Strategy Days the next two days

#security #zurich #cybersecurity #snyk

Last updated 2 years ago

Dennis Irsigler · @dirsigler
114 followers · 154 posts · Server infosec.exchange

@lapt0r thank you very much for your insight!

Maybe some more context may be useful here from my side:

We currently only run Code against Sonarqube in some late CI/CD state and test even later the created Artefacts (Container images) with other tooling.
Would love to throw some "simple" tooling at our Developers to scan their Code (JS, PHP, Go, Python) easily in early stages of development.

here obviously wins their marketing game, so that was in mind.

#snyk

Last updated 2 years ago

lapt0r :verified: · @lapt0r
1073 followers · 326 posts · Server infosec.exchange

@dirsigler disclaimer: I work for a competitor in the space

Code works well if you are looking for plug-and-play for no-context/low-context issues, see their coverage here: docs.snyk.io/products/snyk-cod

If you want context-aware stuff, my understanding is that is a conversation w/Snyk professional services to build custom rules specifically for you.

Shameless plug for - the CLI and community registry are open source and are pretty quick to get started with if you are looking for a quick test of "will I get value from code scanning"

#snyk #semgrep

Last updated 2 years ago

Dennis Irsigler · @dirsigler
114 followers · 154 posts · Server infosec.exchange

Is anyone here using for code scanning? Need to justify the price tag but obviously no company is telling if they like or hate it.

Even better would be to have some estimated data if that improved things.

#snyk

Last updated 2 years ago