In December of last year, #Snyk reported on CVE-2022-1471 about #SnakeYaml 2.0. This unsafe deserialization problem could easily lead to arbitrary code execution under the right circumstances. @brianverm provides solutions on Foojay :foojay: Today:
https://foojay.io/today/snakeyaml-2-0-solving-the-unsafe-deserialization-vulnerability/
"Snyk Code is a free tool to identify security vulnerabilities early in the dev cycle. Take a proactive approach to #XSS prevention and use the right tools to help ensure the security and integrity of #Java web applications," @brianverm #snyk.
https://foojay.io/today/preventing-cross-site-scripting-xss-in-java-applications-with-snyk-code/
return(GiS); | Scan a GitHub repository with Snyk and integrate it with GitHub Advanced Security | https://www.returngis.net/2023/05/escanear-repositorios-en-github-con-snyk-e-integrarlo-con-github-advanced-security/ #snyk @snyksec #docker #iac #terraform @GHSecurityLab #githubactions #returngis #security #sast #vulnerabilities
Did you know bots can automatically create pull requests to keep dependencies secure and up to date? @maritvandijk compares and contrasts #Renovate, #Dependabot, and #Snyk on Foojay :foojay: Today!
https://foojay.io/today/using-bots-to-keep-dependencies-updated
#renovate #dependabot #snyk #foojaytip #java #kotlin
Very cool. #chatgpt as a vulnerability scanner. Most impressive to me: he manually went through 50 of the 213 vulns it picked up and found only 1 false positive. More detections than #snyk because of the languages it "knows".
https://github.com/chris-koch-penn/gpt3_security_vulnerability_scanner/tree/main
Digging the livestream from my colleagues @infosecvandana and @SonyaMoisset on the OWASP Top 10 and #Snyk Learn https://www.youtube.com/watch?v=SvsVoomTN7U
🤔 #Salesforce Makes First-Ever #Quantum Tech Investment - Since 2009, Salesforce Ventures has invested about $5 billion in more than 400 enterprise software companies, including cloud-based companies like #Dropbox, #Snyk, #Twilio, #WIZ, and #Zoom.
https://www.sdxcentral.com/articles/news/salesforce-makes-first-ever-quantum-tech-investment/2023/01/ #venturecapital #startup
#SnakeYaml is a well-known #YAML 1.1 parser and emitter for #Java, by default in the spring-boot-starter. Recently, a vulnerability was reported for this package. This vulnerability can lead to arbitrary code execution. @brianverm from #Snyk to the rescue on Foojay :foojay: Today!
https://foojay.io/today/unsafe-deserialization-vulnerability-in-snakeyaml-cve-2022-1471/
#snakeyaml #yaml #java #snyk #foojaytip
I received an email from #Snyk saying:
When’s the last time you checked on the security of your open source packages?
Following in the footsteps of OWASP, we took a look at thousands of open source scans and compiled the top 10 most prevalent critical- and high-severity vulnerabilities found in open source packages.
Here’s a preview:
#10 NULL pointer dereference - CVE-2020-29652
#8 Privilege escalation - CVE-2022-23181
#4 SQL Injection - CVE-2022-28347
Get their full report if this interests you.
@Nick_Craver #snyk and #GitHub #Dependabot should check the binary contents of nugets as well for the actual vulnerability. I once ran some scripts to find how many issues there are based on #resharper's nuget suggestion database. I can tell you, a lot.
Log4net was the most included binary of all.
I suspect the old approach, where you have to add every dependency you depend on to your package.config, is to blame here. No longer needed with modern <packageReference />.
#snyk #github #dependabot #resharper
What are your go-to tools to scan Linux and Windows hosts for CVEs? For the purposes of being alerted about new critical patches, etc. on a fleet of long-running services, and for preventing unpatched AMIs from being deployed after a build.
Running on #AWS I have used Amazon Inspector in the past, which felt a bit clunky, as well as some corporate tools that shall not be named. #Snyk is looking promising.
@uberduck @adrienne @MJS @Alarming I've seen a few recently, unfortunately the ones I've written for this purpose I don't have (they were at my last employer).
#Snyk used to have some great examples of this but looking at their site right now they don't have any openings posted.
Wearing my #Snyk shirt today. Not because I'm a fanboy. Not because I'm a customer. It's just a damn nice and comfy shirt to wear 😂
(I got the shirt from Snyk for publishing a #Log4Shell mitigation using #Nginx in December 2021)
In Zürich for the IT Security Strategy Days for the next two days.
#security #zurich #cybersecurity #snyk
#docker https://dev.to/docker/9-docker-extensions-every-developer-must-try-1no2
#DiskUsage and #Snyk are catching my eye
@lapt0r thank you very much for your insight!
Maybe some more context may be useful here from my side:
We currently only run code against SonarQube at some late CI/CD stage and test the created artefacts (container images) even later with other tooling.
Would love to throw some "simple" tooling at our developers to scan their code (JS, PHP, Go, Python) easily in early stages of development.
#Snyk here obviously wins their marketing game, so that was in mind.
@dirsigler disclaimer: I work for a competitor in the space
#snyk Code works well if you are looking for plug-and-play for no-context/low-context issues, see their coverage here: https://docs.snyk.io/products/snyk-code/security-rules-used-by-snyk-code
If you want context-aware stuff, my understanding is that is a conversation w/Snyk professional services to build custom rules specifically for you.
Shameless plug for #semgrep - the CLI and community registry are open source and are pretty quick to get started with if you are looking for a quick test of "will I get value from code scanning"
Is anyone here using #snyk for code scanning? Need to justify the price tag but obviously no company is telling if they like or hate it.
Even better would be to have some estimated data if that improved things.